NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Unlocking ourpotential

A global delivery engine asa differentiated and scalable service for clientsaround the world

A single technology stack and the opportunity to leverage our scalable full‑circle cyber services

A network of partners andstrategic alliances tooptimise solutions forclients

Find out more: p2
Find out more: p8
Find out more: p12

NCC Group is a people‑powered, tech‑enabled global Cyber Security and software escrow business. We harness our collective insight, intelligence and innovation to power end‑to‑end cyber services that protect our clients from cyber threat.

In this report

Strategic report
1 Highlights for the year ended 30September 2025
2 At a glance
4 Chair’s statement
6 CEO’s review
8 Our business model
10 Market outlook
12 Our strategy
14 Stakeholder engagement
16 Sustainability
29 Risk management
38 Viability statement
40

Financial review

Governance
58 Chair’s introduction togovernance
61 Governance framework
62 Board of Directors
64 Board composition and division ofresponsibilities
70 Shareholder engagement
71 Audit Committee report
77 Nomination Committee report
79 Cyber Security Committee report
81 Remuneration Committee report
94 Directors’ report
98 Directors’ responsibilities statement

Audited consolidated financialstatements
99 Independent auditors’ report
104 Consolidated income statement
104 Consolidated statement ofcomprehensive income
105 Consolidated balance sheet
106 Consolidated cash flow statement
107 Consolidated statement ofchanges inequity
108 Company balance sheet
109 Company statement ofchanges inequity
110 Notes to the Financial Statements

Additional information
157 Appendix 1
159 Glossary of terms – other terms
161 Other information
162 Financial calendar

View our latest results: nccgroupplc.com

Highlights for the year ended 30 September 2025


Revenue (£m)	305.4
Profit/(loss) before taxation (£m)	20.6
Basic EPS (p)	5.6
Net cash/(debt) excluding lease liabilities 3 (£m)	13.1
Adjusted operating profit 3 (£m)	23.7
Adjusted EPS 3 (p)	4.7

¹ IFRS measures
² Alternative Performance Measures
³ Non-core disposals refer to the disposals of Fox-IT Crypto and Fox DetACT. The disposal of Fox-IT Crypto and Fox DetACT completed on 28 March 2025 and 30 April 2024 respectively.
⁴ Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

Group revenue on a constant currency basis ⁴ (excluding non-core disposals ³ ) has declined by 2.6% to £293.9m with Escode experiencing growth of 2.2% to £66.5m, offset by a Cyber Security decline of 4.0% to £227.4m.
Revenue performance in H2 2025 on a constant currency basis ¹ (excluding non-core disposals ³ ) for both Escode and Cyber Security improved from the position in H1 2025, with Escode H2 2025 growth of 2.5% vs H2 2024 compared to H1 2025 growth of 1.8% vs H1 2024, and Cyber Security H2 2025 decline of 1.6% vs H2 2024 compared to H1 2025 6.3% decline vs H1 2024. Escode has now delivered 12 consecutive quarters of year-on-year revenue growth and Cyber Security has returned to growth in Q4 FY25 providing momentum into FY26.
Gross margins (excluding non-core disposals ³ ) year on year have improved to 44.5% from 43.9% as the Group maintained operational discipline, with Escode gross margin improving by 2.6% pts at 71.4% and Cyber Security declining slightly by 0.4% pts to 36.6%.
The Group reported Adjusted EBITDA ⁴ (excluding non-core disposals ³ ) of £40.6m, down from £42.1m in the 12 months to 30September 2024, in line with Board’s expectations (down from £51.6m for the 16 month period ending 30 September 2024 (including non-core disposals ³ )).
Profit before taxation grew to £20.6m from a loss of £17.8m in the year ended 30 September 2024, as a result of a reduction in non-core disposals ³ trading (£4.7m), underlying reduction in Adjusted EBITDA trading performance (£1.5m), a one-off profit (£11.4m in H1 2025) from the sale of our Fox Crypto business for a total consideration of £65.6m completed in March 2025, a reduction in other Individually Significant Items (£29.5m), excluding the£11.4m profit on disposal of Fox Crypto, reduction in depreciation and amortisation (£2.2m) and finance costs (£1.3m).
The disposal of Fox Crypto in March 2025 was part of the strategic plan to simplify our business and focus on creating a pure play cyberservice proposition for clients. It has also helped us transform ourBalance Sheet to eliminate Group borrowings, with net cash of £13.1m at 30 September 2025 compared to net debt of £45.3m on 30 September 2024. In conjunction with our successful refinancing in April 2025 to a new four year, £120m multi-currency revolving credit facility (RCF) and an uncommitted £50m accordion option, this supports strategic options for a recently announced share buy-back programme and value enhancing M&A opportunities.
As announced on 28 April 2025, the Group confirmed that it was investigating several options for its Escode business, including a potential sale (‘Escode review’). If a transaction were to be successfully concluded it would enable the Group to consider a significant return of capital to shareholders over and above the recently announced share buy-back programme. The Board will provide updates as and when appropriate.
Further to the announcement on 16 July 2025, the Board confirms the process to review all options for the Group’s Cyber Security business also continues and is independent from both the process and outcome of the Escode review. Our focus remains on operational excellence and continuing our transformation journey as we ensure the operating model is aligned to support our clients and the underlying Cyber Security strategy.
The Board is proposing an unchanged final dividend of 3.15p per ordinary share, marking 20 consecutive years of dividend payments for shareholders.
The Board anticipates that revenue (including recent non-core disposals ³ ) for the year ended 30 September 2026 is expected to grow marginally, with Escode and Cyber Security experiencing low single-digit growth as pipeline continues to build. FY26 Group Adjusted EBITDA ¹ (after the adjustment for non-core disposals ³ ) is expected to be in line with Board expectations – growing faster than revenue and the Board remains confident in delivering the Group’s medium-term financial goals as it continues to improve operational discipline and transform our cyber security engine.


	2023	2024	2025
Revenue (£m)	305.4	429.5	335.1
Profit/(loss) before taxation (£m)	23	25	24
	20.6	(27.5)	(4.3)
Basic EPS (p)	23	25	24
	5.6	(10.4)	(1.5)
Net cash/(debt) excluding lease liabilities (£m)	23	25	24
	(49.6)	13.1	(45.3)
Adjusted operating profit (£m)	23.7	16.6	22.3
Adjusted EPS (p)	4.7	2.8	3.4

Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 1

At a glance

Escode

We give organisations the legal right and practical means to access, rebuild, and maintain business‑critical software and intellectual property when a supplier is no longer able tosupport it.# Our independent escrow and verification services support organisations in four key ways:

Resilience for organisations when software suppliers falter, code shows weaknesses or disruption strikes
Confidence that continuity and compliance are built into both on-premise and cloud solutions
Secure storage and long-term access to essential software and data
Technical assurance that the materials held in escrow can be successfully rebuilt and function as intended when it matters most

For more information visit our Escode website: escode.com

Cyber Security

Protecting today. Shaping tomorrow. Creating a more secure digital future.

NCC Group is a leading global Cyber Security and resilience company, trusted for over 25 years by leading businesses and governments. With roots in offensive security and defence, and a heritage built on research and threat intelligence, we uncover thousands of risks each year, bringing deep insight into vulnerabilities, attack patterns and adversary behaviours. With significant market presence in the UK, Europe, North America and Asia Pacific we deliver full-spectrum cyber resilience to governments and businesses to protect what matters most – the cars we drive, the energy in our homes, and the phones in our pockets, and critical infrastructures worldwide. We build resilience and deliver impactful, forward-thinking solutions that help create a safer digital future.

For more information visit our Cyber Security website: nccgroup.com

We are NCC Group plc

Leaders in regulatory and complex testing
Managed Security including MXDR
Digital Forensics and Incident Response
Consultancy and Implementation
Escrow agreements for both cloud and on-premise
Testing and verification services

What we do

Founded in 1999, we are a global leader in cyber security and business resilience. Our colleagues are relied upon by the world’s leading companies and governments to help them manage risk, strengthen resilience and build lasting trust. Against a backdrop of continued, fast-paced technological change and increasing interconnectedness, we help companies to manage risk and face into the future with confidence. NCC Group has two main divisions: a people-powered, tech-enabled Cyber Security company (nccgroup.com), and a market-leading IP and software escrow business, Escode (escode.com). Working together with our clients, we create a more secure digital future.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Where we operate

We operate as one global business, with in-country delivery tailored to local needs and cultures, as well as a global delivery team to respond quickly to our clients’ challenges.

Our offices

We have a significant market presence in the UK, Europe and North America, and a growing footprint in Asia Pacific, with offices in Australia and Singapore, and the Philippines.

Group revenues

Region	Revenue (2025)	Revenue (2024¹)
UK and Asia Pacific	£163.8m	£209.8m
North America	£89.6m	£136.2m
Europe	£52.0m	£83.5m

Division	Revenue (2025)	Revenue (2024¹)
Cyber Security revenue	£238.9m	£342.1m
• Technical Assurance Services (TAS)	£88.4m	£141.4m
• Consulting and Implementation (C&I)	£48.5m	£55.2m
• Managed Services (MS)	£76.4m	£91.8m
• Digital Forensics and Incident Response (DFIR)	£13.1m	£20.6m
• Other services	£12.5m	£33.1m

Division	Revenue (2025)	Revenue (2024¹)
Escode revenue	£66.5m	£87.4m
• Escrow contracts	£43.0m	£57.2m
• Verification services	£23.5m	£30.2m

¹ 2024 represents the 16 month period ended 30 September 2024 (audited).

Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Chair’s statement

As a result of this decision, we announced in July 2025 that we had started to explore options for our Cyber business should the Escode sale proceed. This was about looking ahead and anticipating what our people, our clients and shareholders will need in years to come, and we believe it is right that we keep all options open.

Deepening relationships and building trust

In May we hosted a unique experience for shareholders, analysts and partners, demonstrating our ongoing commitment to transparency and engagement. Guests were invited to step into our world and experience first-hand decisions that management teams must make in response to cyber threats. It was a powerful reminder of the trust our clients place in us, and of course the expertise and dedication that runs through every part of our business. These moments of connection, where we open our doors and share our story, are vital. They build understanding, foster trust and remind us all of the critical role NCC Group plays in keeping our digital world safer and more secure. I’m proud that we’ve continued to strengthen our relationships with clients, focusing on strategic partnerships that go beyond transactions, which you’ll see from Mike’s review on pages 6 and 7. Our teams work tirelessly to understand the evolving needs of our clients, offering not just technical solutions but genuine partnership and support. In a world where digital risks are ever-present, our role as a trusted advisor has never been more important.

Our people: the heart of NCC Group

If there is one thing that stands out year after year, it is the extraordinary commitment and talent of our people. The pace of change has been relentless, and yet our colleagues have responded with professionalism and creativity, focused on our client’s needs. Whether adapting to new ways of working, supporting clients through complex challenges, or driving innovation from within, our teams have shown what is possible when we pull together. Our investment in people is matched by our commitment to sustainability and responsible business. As we nurture talent and foster a positive culture, we also strive to make a meaningful impact on the environment and society. Our Manila operations have gone from strength to strength, bringing new perspectives and capabilities to our global front and back-office teams. I am proud of the progress we have made, but even more excited about what lies ahead.

Navigating change with purpose

We continue to make bold decisions as we navigate the changing landscape all businesses are operating in. I’m proud of the way the management team and the wider Group embrace these as opportunities to continue to grow and strengthen the overall business. In March 2025, we completed the sale of the Fox-IT Crypto business for a gross consideration of £65.6m, a milestone that not only reflects our commitment to simplifying the Group’s proposition, deriving great value to our shareholders and reducing net debt, but also our willingness to evolve in a rapidly shifting digital landscape. And this commitment continued as we announced in April 2025 that we were exploring a range of strategic options for our Escode business, including a potential sale (Escode review). The decision is one that was not taken lightly by the Board. The Board will provide updates as and when it is practicable and appropriate to do so. If a sale of Escode were to be successfully concluded, the Group would become a focused, people-powered, tech-enabled global Cyber Security business. It would also enable the Board to consider a significant return of capital to shareholders over and above the recently announced initial share buy-back programme.

Chris Stone
Non-Executive Chair

Unlocking our potential

When I reflect on the past year at NCC Group, I am reminded that progress is rarely linear. It is shaped by the challenges we face, the decisions we make, and – most importantly – the people who come together to move us forward. This year has been a testament to the resilience, adaptability and shared purpose that defines our Group. And I want to begin by expressing my heartfelt thanks to every colleague, client and shareholder, as well as our partners, who continue to be a part of our journey.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Commitment to sustainability and responsible business

This year, we took significant steps forward on our climate action agenda, responding to changing requirements and also client requests. We published our Carbon Reduction Plan, developed in partnership with Positive Planet, which sets out our path to net zero and commits us to ambitious, science-based targets. We are on track to achieve SBTi verification by March 2026 and will update our plan to reflect our progress. Our partnership with Positive Planet led to the creation of a bespoke Carbon Literacy Training programme, and I am delighted that my fellow Board member Lynn Fordham was among the first to achieve certification. We are now working towards verification of our science-based targets, a further demonstration of our commitment to collaborating with other businesses to reduce our impact on the environment and will update the Carbon Reduction Plan in early 2026. This holistic approach to sustainability is reflected in our governance practices. The Board remains focused on upholding the highest standards and ensuring that our values are embedded in every decision we make, and you can read more about our progress on this from page 58.

Governance and Board Leadership

The Board has played an active and engaged role, providing challenge, support and guidance as we continue to navigate this critical time for the Group. We are committed to upholding the highest standards of governance, ensuring that our decisions are grounded in integrity, transparency and a long-term perspective. Our focus has been on supporting the management team, overseeing strategic reviews and ensuring that the interests of all stakeholders are represented. We have also continued to review and strengthen our governance practices, learning from best practice and adapting to the evolving needs of our business.# Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

CEO’s review

Strategic progress positions the Group for return to profitable growth

As we reflect on FY25, I want to begin by recognising the continued commitment and expertise of our colleagues across the globe. The work they do for clients is extraordinary and they have continued to demonstrate their resilience and adaptability navigating change and at times an uncertain economic environment. Our purpose – to create a safer digital future – remains at the heart of everything we do, and our progress this year is a testament to the strength of our people and the trust our clients place in us.

Market environment and client needs

As a B2B service provider, demand for many of our services reflects the macro-economic cycle and the confidence of our clients to invest. During the year this cycle and the geopolitical environment remained complex, particularly in the first half. We saw this reflected in cautious client behaviour, which naturally lengthen sales cycles. Despite these headwinds, demand for cyber resilience and regulatory assurance continues to grow, particularly in highly regulated sectors such as financial services, healthcare and businesses running critical infrastructure. Our clients are increasingly seeking expert-led, end-to-end solutions that address the full spectrum of cyber risk – from Identity and Access Management to Operational Technology security and Managed Detection and Response. Our differentiated capabilities, global delivery and strategic alliances with leading technology partners position us strongly to meet these needs.

Financial performance

As expected, we saw Group revenue for FY25 decline by 2.6% on a constant currency basis (excluding non-core disposals), with Escode delivering growth on a constant currency basis of 2.2% and Cyber Security declining on a constant currency basis by 4.0% when compared to the previous 12 months. Importantly, as I reflect on all of this, half-to-half performance was markedly stronger with revenue performance improving in the second half, a reflection of the positive impact of our strategic focus and operational discipline together with the strong order book we indicated in our December 2024 results. Gross margins (excluding non-core disposals) overall strengthened to 44.5% with Escode margin reaching 71.4% and Cyber Security broadly flat at 36.6%. Adjusted EBITDA (excluding non-core disposals) was in line with Board expectations and amounted to £40.6m when compared to the previous 12 months. Our Balance Sheet remains robust, with net cash of approximately £13m at year end, a marked improvement from the net debt of £79.6m as at 31 May 2023 and now providing a strong foundation for future investment and capital returns.

Sales and commercial execution

We continued to strengthen our business in FY25 with management action focused on strategic change to build the necessary technical capability in cyber and to strengthen our commercial organisation in both the Escode and Cyber Security businesses.

Strategic progress and transformation

FY25 has been a year of disciplined execution against the strategy we originally established back in 2023 to transform and reshape the Group. We have made significant progress to simply the Group and built our two distinct businesses – Cyber Security, with Managed Services at the centre, and Escode, our software escrow service. We have improved profitability, materially reduced and eliminated net debt, and repositioned the Group’s portfolio around core, scalable activities. More timely and granular financial and operational information has strengthened decision making, however there is more work to do. A major event this year was the successful sale of our Fox-IT Crypto business in March 2025 that strengthened our Balance Sheet, providing us with the financial flexibility to invest in growth, while removing the management distraction of a non-core business. In April 2025, the Group confirmed that it was investigating several options for its Escode business, including a potential sale. The Board will provide updates as and when it is practicable and appropriate to do so. If a sale of Escode were to be successfully concluded, the Group would become a focused, people-powered, tech-enabled global Cyber Security business. It would also enable the Board to consider a significant return of capital to shareholders over and above the recently announced initial share buy-back programme.

Our investments in new capabilities such as Operational Technology and Digital Identity have allowed us to win further strategic projects during the year. Our global operating model, including our expanding office in Manila with exceptional cyber and operational talent, has enabled us to scale, win more opportunities and serve clients more efficiently. We will continue to invest in our people, technology and strategic partnerships – underpinned by our leading intelligence, innovation and insight, we remain at the forefront of an evolving cyber threat landscape.

In Escode, we:
• Reorganised our sales structure by industry verticals to deliver deeper sector expertise and create greater value for customers in finance, critical infrastructure, and commercial markets
• Established a dedicated new customer acquisition team focused on ideal customer profiles within our priority growth sectors in the UK and US
• Expanded our software verification offering to include fully independent builds of cloud-hosted solutions, ensuring greater reliability and trust
• Broadened our regional presence with an extended market focus into the Middle East

In Cyber Security, we:
• Invested in strategic sales capability
• Enhanced client propositions with embedded technology
• Put foundations in place for global account management to deepen relationships and unlock revenue opportunities
• Have improved Management Information with our global sales operation
• Have fully implemented global scheduling, timesheets and

Mike Maddison
Chief Executive Officer

Identity at the core: Strengthening cyber resilience with end‑to‑end access governance and expertise

Poorly maintained access control processes are among the leading causes of cyber breaches and regulatory non-compliance. Up to 80% of security incidents involve compromised credentials and insufficient safeguards, giving attackers the keys to infiltrate networks, steal sensitive data, and disrupt operations. The cost? Millions in lost revenue, reputational damage, regulatory penalties, and recovery downtime. AI and autonomous agents amplify identity risks by increasing access across systems, making an already complex task even more challenging. We help our clients manage every aspect of Identity and Access Management (IDAM), ensuring human and non-human accounts are governed, monitored, secured, and maintained across the entire lifecycle. With NCC Group’s expertise and strategic partnerships, you gain resilience, confidence, and continuity so you can focus on what matters most: running your business securely.

VIEWPOINT

Closing thoughts

In closing, I want to thank everyone who has been part of our journey this year. To our colleagues: your dedication, creativity and resilience inspire me every day. To our clients: thank you for your trust and partnership. And to our shareholders: thank you for your continued support and belief in our vision. We do not take any of these relationships for granted. As we move forward, we will continue to listen, learn and adapt – always with the goal of creating lasting value for all our stakeholders.

Chris Stone
Non-Executive Chair
11 December 2025

Share buy‑back programme

Reflecting the Board’s continued confidence in the future prospects of the Group and the strength of the Balance Sheet, regardless of the outcome of the Escode review, we announced in October 2025 our intention to commence an initial share buy-back programme. This will be carried out utilising our current shareholder authority and in accordance with our capital allocation policy, and relevant legal and regulatory obligations. It was also noted that the initial share buy-back programme would not launch before 11 December 2025.

Dividends

During the year, total dividends of £19.0m were paid (2024: £14.5m), an increase due to the change in our year end and the additional dividend we gave for the four month period to 30 September 2024. The Board is proposing an unchanged final dividend of 3.15p per ordinary share for the year ended 30 September 2025, as it remains mindful of the continued need to invest in the Group’s strategy, marking 20 consecutive years of dividend payments for shareholders. The final dividend will be paid on 10 April 2026, subject to approval at the AGM on 3 March 2026, to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026. Our existing dividend policy will remain unchanged by any share buy-back programme noted above.

Looking to the future

With strong foundations in place – strategic clarity, stakeholder trust, empowered people and robust governance – we are well positioned to embrace the future with confidence. We are continuing to build strategic client relationships, scan the market for smart acquisition opportunities and focus on operational efficiencies that will make us stronger and more agile. Our partnerships are deepening, our Manila office is flourishing and our global teams are united by a shared sense of purpose. I am confident that we have the right people, the right strategy and the right values to succeed. Together, we are building a stronger, more resilient NCC Group – one that is ready to seize the opportunities of tomorrow.

This includes ongoing engagement with our shareholders, listening to their views and incorporating their feedback into our decision making.# Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Our business model

Inputs

Transforming for global growth

For decades, we’ve developed thousands of cyber experts and explored emerging technologies. Now, as a global, client‑focused business, we continue to evolve, delivering groundbreaking projects for leading companies and governments. Our collective expertise sits at the forefront of cyber resilience, shaping a more secure digital future. Read more on market outlook on pages 10 and 11.

Sustainable growth strategy

In a fast-moving and complex environment, our strategy puts clients’ needs first, with a roadmap of investments designed to develop future capabilities and a global delivery model to provide clients with the best solution.

People‑powered, tech‑enabled

We are a diverse global community of talented and creative individuals, working together and united by the same goal – to create a more secure digital future.

Culture of innovation

With our roots stretching back to the 1990s we have a track record of being at the cutting edge of innovation. NCC Group was created in 1999 when the National Computing Centre sold its commercial divisions to its existing management; from there we continued to grow through acquisitions. And while history is important, so is the future, with innovation, insights and intelligence the drivers of differentiation and woven into the DNA of who we are.

Stronger partner relationships

We are active members of the global cyber community, working in collaboration and in partnership with key industry players. Many successful global partnerships have delivered integrated, seamless solutions to clients.

Market‑leading reputation

We’re recognised by leading analysts for excelling in our understanding of CISO needs, building strong partnerships with clients and being called to solve complex problems.

For more information visit our Cyber Security website: nccgroup.com

For more information visit our Escode website: escode.com

Read more on our strategy on pages 12 and 13.

Cyber Security

As a leading global Cyber Security services company we are trusted to protect what matters most – the cars we drive, the energy in our homes, and the phones in our pockets, and critical infrastructures worldwide. With roots in deep offensive security and defence and a heritage built on research and threat intelligence, we deliver full-spectrum cyber resilience to governments and businesses. From tracking threat actors and uncovering vulnerabilities to responding to ransomware, we don’t just defend, we are actively building a more secure digital future. Through our end-to-end cyber capabilities, we empower organisations to counter threats, manage disruption and navigate regulations with confidence.

Escode

We provide specialist escrow and verification solutions for business‑critical IP, technology and software applications. Our services help companies and government organisations manage supplier risk, sustain business continuity and give confidence that essential third party software can be accessed and redeployed when required. Our cloud services bring clarity to application management, making the transition to the cloud straightforward and controlled.

Two distinct businesses

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Value creation

Colleagues

Our people are leading the industry with innovative solutions protecting clients and society from growing cyber threats. As a people-powered, tech‑enabled organisation, our talent strategy builds future-ready skills, strengthens leadership and fosters an inclusive culture of high performance, aligned with our business goals.

pricing tools • Have fully separated Fox DetACT and Fox Crypto These actions are already delivering results, an improved sales pipeline visibility, deeper client engagement and a positive shift in revenue mix towards higher value, recurring contracts. We remain focused on further evolving our sales model to ensure stronger linkage between sales execution and service delivery, and to drive deeper penetration in our priority sectors globally: financial services, insurance, healthcare, industrials, and the public sector.

Operational highlights

Transformation: Continued progress in repositioning the Cyber Security business towards higher value, recurring revenue streams, supported by a single technology stack and scalable global delivery
Strategic partnerships: Recognition from key partners, including Splunk and Microsoft, underscores our reputation as a trusted advisor and innovator
Talent: Our ability to attract and develop top cyber talent remains a competitive advantage, supported by our academy and training programmes
Escode: The business continues to deliver consistent growth and profitability, with discussions regarding its future strategic direction ongoing
Public Research: Our leading technical expertise including Cryptography, Hardware and AI/ML Security was engaged by leading companies including Meta, Whatsapp and Google, to review and publish public reports into their emerging technology

Market trends and regulatory landscape

The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. Regulatory momentum has intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act, which came into force in December 2024 and the UK’s AI Cyber Security Code of Practice will embed secure-by-design requirements up through the software supply chain, while NIS2, DORA and sector-specific requirements in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by similar requirements in the US, Australia and APAC, signalling a global consensus for higher standards. Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group’s recognised contribution to the UK government’s AI and CRA initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services.

The worldwide shortage in qualified cyber security professionals is both widening and coming more acute. This structural gap is most evident in highly specialised skills, including advanced testing, Operational Technology, and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients need around-the-clock expert coverage without inflating their cost base as a cost of employment and our global delivery hubs meet this need. Additionally, the strong reputation that we have among cyber professionals positions us to attract the best talent using our academy/ training ability to further expand and strengthen this talent base.

The combination of hybrid working and using personal devices at work has shifted the security perimeter from the edge of the Enterprise network to the individual user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2, the EU’s updated cyber security directive and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.

Lastly, the attack surface is expanding and becoming more complex, with cloud migrations accelerating, SaaS solution proliferation and AI adoption continuing, as well as early discussions ongoing regarding the potential implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and Managed Extended Detection and Response (MXDR) coverage that spans traditional IT, cloud and OT environments. The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface.

Outlook

Looking ahead, we remain confident in our strategy and the medium-term growth prospects for both businesses. While we expect the current challenging economic conditions to endure in the near term, our pipeline is building, and we anticipate a return to Cyber Security revenue growth in FY26 as our continued transformation delivers further benefits to both our competitive positioning and stakeholders.

On 28 April 2025, the Board confirmed that it was investigating a number of options for its Escode business including a potential sale (Escode review). We currently remain in that process and we will provide a further update in due course.

Further to a subsequent announcement on 16 July 2025, the Board confirms that the Group remains in the early stages of a review of all strategic options for its Cyber business should the Escode business be sold, this includes a range of potential outcomes including potential offers for the entire issued and to be issued share capital of the Company, and that no decision has been made regarding which options will be pursued.

Our focus remains on operational excellence, innovation and supporting existing and new clients as they navigate an increasingly complex digital threat landscape.

In closing, I would like to thank our colleagues, clients and partners for their continued trust and support. Together, we are building a stronger, more resilient NCC Group, well positioned for sustainable growth and long-term success.

Mike Maddison
Chief Executive Officer
11 December 2025# NCC Group plc — Annual report and accounts for the year ended 30 September 2025

We’re committed to helping every colleague thrive – through inclusive practices, targeted development and a focus on colleague experience – driving commercial success through empowered, engaged teams. Read more on our sustainability strategy: nccgroupplc.com/sustainability

Clients

Our cyber security and software escrow solutions enable clients to confidently innovate and embrace new technologies, and build responsible, sustainable and resilient organisations that thrive and succeed.

Our network

We’re the collaborators, the co-ordinators, the conveners, and you will find us bringing together our global community to drive our industry forward and create a more secure digital future. We invest 1,100 days of research each year and engage proactively to ensure our insights and vision deliver the best societal outcomes, bringing partners together in support of our clients as well as policymakers and regulators to help shape future cyber policy.

Shareholders

We have a dedicated Investor Relations programme providing shareholders and financial analysts with regular updates on our performance. Engagement activities include results presentations, roadshows with the CEO and CFO, Capital Markets events, site visits, RNS and email updates. Read more on stakeholder engagement on pages 14 and 15.

Two distinct businesses

INSIGHT
INTELLIGENCE
INNOVATION
Establish legal right
Knowledge transfer
Deposit
Manage
Scenario test
Secure storage
Release
Strategic report

Intensifying regulatory momentum versus a worldwide shortage of qualified talent

Market outlook

The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. We remain confident our transformation strategy will deliver growth underpinned by the range of services, geographic coverage, and breadth and depth of offering.

Cautious client behaviour and the lengthening sales and onboarding cycles reported in December 2024 have impacted our first half results. This is also against a backdrop of macro-economic uncertainty, IT and security budgets being under scrutiny and competitive pricing.

We continue to see cyber resilience elevated as a core business risk agenda item to the C-suite as opposed to a purely IT consideration. Cyber continues to be elevated as a core business risk for boards, as opposed to just an IT consideration. This pivot is most evident in highly regulated verticals – financial services, healthcare, government and critical infrastructure – where regulatory scrutiny and heightened director liability is driving materially larger, multi-year security programmes. Within Operational Technology (OT) in particular, full risk reviews and resilience roadmaps are being commissioned as the potential business interruption cost of an OT outage becomes clearer. Our global delivery model ensures that these international operators can obtain expert support around the clock, irrespective of time zone or geography. Strategically, our global delivery engine is a differentiated and scalable service that enables us to be competitive.

Ransomware remains widespread and we have seen a marked uplift in AI-enabled phishing and double extortion campaigns, including the more recent high profile retail sector cases in the UK. This evolving threat landscape is leading organisations to favour Managed (Extended) Detection and Response (MDR/MXDR) solutions that provide continuous monitoring across endpoint, cloud, identity and OT telemetry. In addition, businesses are requesting OT-specific MDR to counter the increase in attacks against industrial control environments.

NCC Group named ‘Strong Performer’ in the 2025 Forrester assessment of European MDR providers: tinyurl.com/5n8rc9uc

Regulatory momentum intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act and UK’s software and AI security Codes of Practice will drive secure-by-design requirements up the supply chain, while NIS2, DORA and sector-specific mandates in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by comparable moves in the US and APAC, signalling a global consensus for higher standards.

Read our leading Global Cyber Policy Radar: tinyurl.com/522my5vc

Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group’s recognised contribution to the UK government’s cyber resilience initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services. The UK Government’s Industrial Strategy calls out NCC Group as a company exporting world-leading cyber solutions: tinyurl.com/yefadasr

The worldwide shortfall in qualified cyber security professionals continues to become more acute. This structural gap is most evident in highly specialised skills, including advanced testing, OT and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients are relying on our global delivery hubs to ensure around-the-clock expert coverage without inflating their cost base as a cost of employment. Additionally, the strong reputation that we have among cyber professionals positions us to attract talent more easily than our competitors, with our academy/training ability allowing us to further expand and strengthen this talent base.

Hybrid working and personal device policies have shifted the security perimeter from the edge of the Enterprise network to the user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2 and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.

Global market trends, threats and opportunities

OT/IT Cyber Safety Webinar series

Between December 2024 and February 2025, NCC Group’s OT/IT Cyber Safety Webinar series explored the critical intersection of IT and OT cyber security convergence and the safety considerations in industrial environments, addressing the unique challenges and opportunities that arise when legacy operational technologies meet modern digital systems amid rising cyber threats.

Watch our YouTube video series here: tinyurl.com/4c6s96tm

Lastly, the attack surface is expanding, with cloud migrations accelerating, SaaS proliferation and AI adoption continuing, and early discussions ongoing regarding the implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and MXDR coverage that spans traditional IT, cloud and OT environments. The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface.

NCC Group’s 1000+ respondent survey reveals the critical issues driving supply chain security in 2025

45% experienced a cyber security breach in the prior 12 months
68% of organisations expect the severity and scale of supply chain attacks to escalate further
59% were concerned about visibility over their supply chain

Read more: www.nccgroup.com/the-state-of-supply-chain-security

The NCC Group Cyber Security regulations maturity curve

Key	2018	2019	2020	2021	2022	2023	2024	2025
WannaCry
NotPetya
Political recognition of market failure in Cyber Security
Period of heightened legislative and regulatory activity to “make up for lost ground”
Commencement of enforcement actions
Inflection point: the future trajectory is yet to be set in stone
Legislative intervention
Scattered Spider
Synnovis
EU NIS
EU GDPR
Australia Security of Critical Infrastructure Act
Singapore Cybersecurity Act
EU Cybersecurity Act
UK Product Security and Telecoms Infrastructure Act
US sector regulations
UK Telecoms Security Act
EU NIS2
EU Cyber Resilience Act
Australia Cybersecurity Act
UK Cyber Security and Resilience Bill
Regulatory settlement or equilibrium as cyber rules reach saturation, and increased mandated baseline forms part of “cyber toolbox” in 21st century
Continued increase of volume of cyber rules and regulations, e.g. ransomware payment bans, mandating Cyber Essentials, etc.
Reduction in regulatory requirements in the name of growth, competitiveness and innovation

© 2025 NCC Group. All rights reserved. Please see www.nccgroup.com for further details. No reproduction is permitted in whole or part without written permission of NCC Group. This content is for general purposes only and should not be used as a substitute for consultation with professional advisers.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

11

A range of services and geographies and breadth of offering

Our strategy

| Strategic priority | Progress in FY25 | Future outlook # STRATEGIC REPORT

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

13 Stakeholder engagement

Colleagues

We are a people-powered, tech-enabled business. Our colleagues worldwide all play a vital role in creating a more secure digital future. Their expertise, commitment and innovation drive our success.

The opportunity

We’re committed to creating an environment where every colleague can thrive and contribute meaningfully. This means:

Every colleague understands their impact and is connected to our commercial success
Managers invest time in their people, offering tailored support, coaching and feedback to further unlock potential
Colleagues have resources and opportunities to succeed and grow
Expectations are clear and fair, supported by structured performance management

How we listen and engage

Strong engagement underpins our inclusive, high performance culture. Listening and acting on feedback is central to how we operate.

We enable regular, structured dialogue at all levels, from team huddles to global townhalls
Managers play a pivotal role in engagement, dedicating time to understand strengths, support growth and drive performance
Internal news platforms and collaboration tools keep colleagues informed, connected and able to contribute in real time
We gather feedback through pulse surveys, listening sessions and feedback loops to shape policies and programmes

Highlights in 2024/25

Made people operations seamless: Unified global processes and automated over 220 workflows to make it easier and faster for colleagues to get support
Accelerated leadership growth: Equipped senior and people leaders with targeted development to boost performance and leadership maturity
Built talent foundations: Rolled out consistent job levels with enhanced clarity around expectations for each level of role, and designed new frameworks to support internal mobility

Clients

Rooted in our sector knowledge, we develop solutions tailored to the unique needs of our clients. Bringing our in-depth understanding of the threat and regulatory landscape, we assist our clients in addressing their complex cyber security challenges.

The opportunity

Shift the transactional business to a subscription model, enabling sales teams to prioritise long-term client value and deeper engagement over short-term outcomes
Refresh the go-to-market portfolio to better meet customer needs, enhance solution relevance and drive stronger business impact
Leverage our expertise in AI and language models to support customers in their integration journeys
Utilise our world-class Managed Services capabilities to enhance customers’ visibility and control over their assets and data

How we listen and engage

Through an integrated account management strategy and value-driven quarterly business reviews
Client satisfaction surveys and a formal global process are used to capture client feedback, ensuring a closed-loop response

Highlights in 2024/25

Established a new global and regional leadership team to drive effective strategy implementation
Launched new Cyber Security business branding, strengthening market recognition and reinforcing our position as a trusted partner in Cyber Security
Introduced new Managed Services branding (iMXDR) and refreshed proposition, with an updated go-to-market strategy that differentiates us in the market
Reviewed and redesigned data, processes and tools to improve internal insight, streamline operations and enable faster mobilisation at enhanced margins

Suppliers

We engage with many different suppliers across our global business and value the critical role our supply chain plays in supporting responsible business operations. Our procurement operations are maturing in line with industry best practice and we proactively work with an optimised supply chain network to drive competitive advantage through accessing innovation, delivering commercial value and managing risk.

The opportunity

Long-term trusted partnerships, facilitating sustainable operating cost reduction and cost of sale margin improvement
Fit for purpose contracts and payment terms, ensuring a safe, compliant and responsible supply chain with suppliers delivering to required service levels and protecting NCC Group from long-term commercial inflation

How we listen and engage

Regular joint business reviews held with key suppliers to mutually understand strategy and future forecasting
Supplier due diligence completed at onboarding

Highlights in 2024/25

Implemented Workday Strategic Sourcing to centralise investment requests
Introduced Investment Control Board (ICB) weekly review to understand and challenge investment requests to ensure either enabling revenue or reducing cost
New global procurement strategy launched to enable revenue, control costs and manage risk
Launch of new travel supplier to improve colleague experience and safety, reduce costs and accommodate diverse requirements
Investment in a transactional team based in Manila to develop into Purchase to Pay (P2P) specialists, collaborating with finance to drive supplier payments on time and improve the supplier experience, releasing working capital down the supply chain

Public Sector

Our expertise plays a pivotal role in shaping evidence-based policy decisions and convening the cyber community. We proactively engage, contribute to public-private partnerships and harness our experience and insights to contribute meaningfully towards a more secure digital society.

The opportunity

Building on our technology heritage and our role as a trusted advisor to governments and regulators we provide independent, technical expertise to improve cyber resilience policies
By understanding and shaping new and emerging regulations and policy proposals we can develop the right solutions to prepare for our clients’ future needs and requirements

How we listen and engage

Building alliances with global think tanks and foundations, public- private partnerships, trade associations and campaign groups to pool resources, amplify our messages and maximise impact
Strategic relationships with national technical authorities, and support for government initiatives across all our regions through direct engagement
Representation on senior government and parliamentary advisory panels

Highlights in 2024/25

Cited in the UK government’s Industrial Strategy for cyber industry growth and chosen for cyber resilience at the 2025 NATO Summit
Recognised as a key convener of the UK cyber community through collaboration with the National Cyber Security Centre and contributing to Project Melissa – a leading public-private partnership in the Netherlands to combat ransomware threats in Europe
Published the Global Cyber Policy Radar Report, providing insights on global cyber regulations
Influenced global cyber policy by speaking at top conferences and briefing EU leaders and providing evidence to UK parliament on public-private partnerships

Shareholders

We are committed to engaging with our shareholders, creating an opportunity to understand our business, the market, how we are responding and the opportunity to deliver sustainable growth.

The opportunity

Financial performance
Dividend
Responsible long-term sustainable strategy
Sound corporate governance and stewardship

How we listen and engage

Strategic and financial updates issued via RNS Reach and RNS respectively
Regular meetings with investor relations, management and Board members
Investor roadshows after the full and half-year results
Open-door policy with investors and analysts (taking into account “offer period” restrictions and protocols)
AGM

Highlights in 2024/25

Hosted a live in-person Capital Market event to help investors and financial analysts understand what happens in a cyber attack and how to respond
Completed the disposal of Fox Crypto B.V. for total gross consideration of £65.6m to CR Group Nordic AB
Marked 20 consecutive years of dividend payments for shareholders
Announced a share buy-back programme

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

15 People led, technology enabled

A resilient future

We strive for a resilient future through sustainable business practices, and take responsibility for identifying and managing the impact we have on people and the planet.# Sustainability

Responsible business

Priorities

Strong governance and ethical standards
Leading cyber resilience and data protection standards
Stakeholder collaboration
Responsible employer and supply chain partner
Optimise talent
Enhance colleague experience
Build an inclusive culture
Develop sustainable solutions
Decarbonise energy use
Support the net zero transition

Our sustainability strategy: People-led, technology-enabled

We can only lead with our purpose through our greatest asset, the exceptional people we employ. They are at the forefront of our industry, developing solutions that protect our clients and society from the growing threat of cyber crime.

Responsible business

Our desire to improve the world we live in is encapsulated in our purpose. Embedding responsible business into our everyday activities is central to achieving this aim.

Action on climate

Taking urgent action to combat climate change and its impacts supports our purpose. Decarbonising our business and embedding climate considerations into our commercial offering are crucial elements in our support for the net zero transition.

Read our Sustainability Report: nccgroupplc.com/sustainability

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
16

2024/25 highlights

Enhanced our colleague benefits, including the launch of an improved Employee Assistance Programme in Europe.
Published our draft Carbon Reduction Plan and launched our verified Carbon Literacy Training programme.
Successful migration of Fox-IT onto the NCC Group certification for ISO 9001:2015 and ISO 27001:2022, resulting in a reduction of overall costs and consistent ways of working.

Why sustainability matters

Sustainability is about doing the right thing in the right way, and this is reflected in our Code of Ethics and embedded into our everyday ways of working. It’s important to our clients, who trust us to help secure their digital assets; it’s important to our colleagues, who are critical to the value we bring to our clients; and it’s important to our shareholders, who entrust their investments to NCC Group, relying on us to deliver returns to their shareholders. It also matters to our political stakeholders who turn to us for trusted and independent advice and insights that improve cyber rules and regulations around the world.

We live in a rapidly evolving digital world, where the concept of sustainability extends to how we operate in totality. Not only are we supporting our clients to meet their governance requirements through our cyber security and escrow solutions, we are also helping to advance technologies that are at the forefront of fighting climate change, as well as other UN Sustainable Development Goals. This means systems, networks and infrastructures need to be resilient, secure and long lasting.

Cyber Security and sustainability are inherently intertwined, which means cyber threats pose a significant risk not only to individual businesses but to our very way of life too. The decisions we make today have far-reaching implications for the future.

Securing our future

As our lives become more digitally interconnected, the risk landscape broadens. From smart homes to smart cities, from online banking to telehealth services, from power grids to water supplies – they all rely on complex digital infrastructures. If these systems are compromised, the repercussions can be devastating. Hence, securing these infrastructures is an essential part of ensuring a sustainable future.

Our ability to protect against cyber threats, through the work we do for our clients, plays a pivotal role in guaranteeing that our world remains functional, reliable and consistent for generations to come. Indeed, we believe strongly that we can’t build a resilient economy without resilient cyberspace, and we can’t have a resilient cyberspace without 21st century laws and an infrastructure to tackle cyber threats, which is why we share our expertise with policymakers to improve cyber rules and regulations meaningfully.

Our sustainability framework

While the primary focus of our industry has always been about security, we recognise our operations have a broader environmental and societal impact. Our sustainability framework has two core tenets focused on people and the planet, underpinned by being a responsible employer and supply chain partner. This framework is the foundation to start making tangible progress in addressing material topics for our stakeholders. We believe that this is a journey, not a race. We place sustainability at the heart of our strategy – not just securing the digital world, but securing the future for ourselves and for generations to come. We invite our stakeholders to join us, working together to build a future that is not only secure but also sustainable.

If we are to meaningfully reduce our carbon footprint we need to engage our stakeholders in the conversation. Building on our partnership with Positive Planet, and as part of developing our Carbon Reduction Plan, we designed and had certified our own Carbon Literacy Training programme. This certified, one-day programme will enable us to build knowledge around the business of what the climate crisis is, and what we can do individually and collectively to take action to reduce the impact we have. The first cohort of delegates on this course included Lynn Fordham, our Non-Executive Director responsible for Sustainability; Guy Ellis, Chief Financial Officer; and Michelle Van de Velde, Chief People Officer, along with senior members of the procurement, communications and marketing, HR and sales and technical delivery teams. Over 400 colleagues have signed up to undertake the course, and we have developed our own certified in-house training capability to do this.

VIEWPOINT
Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
17

Non-financial and sustainability information statement

Sustainability continued

View our Sustainability Report: nccgroupplc.com

The following table provides readers with an index of where to further find relevant non-financial information within this Annual Report and Accounts, in line with the Financial Reporting Directive requirements contained in sections 414CA and 414CB of the Companies Act. Where relevant, additional information is signposted to further support the requirements. The Group considers that it complies with the disclosure requirements under section 414CB(2A) of the Companies Act 2006 and has included climate-related financial disclosures that are partially consistent with the TCFD recommendations.

Reporting topic	Policies and standards which govern our approach	Annual Report and Accounts section reference	Page	Website resources
Climate-related disclosures	• Environmental policy	• Sustainability Report	22	• Sustainability Report • TCFD Report • Risk Management • Stakeholder Engagement
	• Sustainability Report	• Streamlined Energy and Carbon Report	29
Colleagues	• Whistleblowing policy	• Code of Ethics	14	• Sustainability Report • Stakeholder Engagement • Remuneration Committee Report • Culture
	• Disciplinary Policy	• Grievance Policy	81
	• Sustainability Report	• Stakeholder Engagement	19
Social and community matters	• Modern Slavery Statement	• Code of Ethics	14	• Sustainability Report • Stakeholder Engagement
	• Supply chain Code of Conduct	• Giving back policy
	• Matched funding policy	• Sustainability Report
	• Sustainability Report	• Stakeholder Engagement
Respect for human rights	• Modern Slavery Statement	• Data privacy policy	14	• Sustainability Report • Stakeholder Engagement • Culture
	• Global equal opportunities and diversity policy	• Sustainability Report	19
	• Sustainability Report	• Stakeholder Engagement
Anti-bribery and corruption	• Anti-bribery and corruption policy	• Gifts and entertainment policy		• Sustainability Report • Audit Committee Report
	• Sustainability Report	• Audit Committee Report	71

For information on our business model please see pages 8 and 9
For full details of the Group’s principal risks see pages 29 to 37

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
18

Our people

At NCC Group we embrace difference and are connected by our purpose to create a more secure digital future. Across our global operations we form a phenomenal network, working together, collaborating and innovating to support our clients. We are guided by our Code of Ethics and our values, which define our behaviours – treating everyone and everything with respect. This is the foundation of our culture, and we strive to create an environment where everyone is welcome, feels safe and can be successful.

Progress in 2024/25

Continued investment in leadership and management development with leadership development rolled out across the organisation, and additional manager-focused development sessions
Enhanced our colleague benefits, including the launch of an improved Employee Assistance Programme in Europe
Enhanced focus on actions resulting from colleague engagement survey feedback

A global team

As of 30 September 2025, we have 2,073 colleagues (including contractors) across the world supporting our clients, made of three core groups – Sales, Delivery and Enabling Functions. Circa 98% of colleagues are permanent and the remainder are contractors to provide support on projects.

People-powered, technology-enabled

We want everyone here to feel safe – psychologically, emotionally and physically – so they can be themselves, share their experiences and have equal opportunities to succeed. Our team reflects the diversity of the world around us, and this is how we live our values: working together and being brilliant.

Our approach to diversity, equity and inclusion (DE&I)

We acknowledge our opportunities to contribute to diversity in the technology sector, with inclusion and diversity principles incorporated into our hiring and talent management processes.# Strategic report

Talent development

Innovation and continuous learning are central to NCC Group’s culture, supported by investments in skill development and leadership growth, fostering personal and professional development through structured programmes and new digital platforms to enhance colleague capabilities globally. We combine on-the-job learning, mentoring, self-study and formal training with personal development plans, supporting colleagues to gain certifications and advance their careers.

In England, we leverage the Modern Apprenticeship Levy, with 4.3% of our colleague population undertaking apprenticeship learning – an increase of 60% of eligible colleagues year on year. FY25 was the first year we partnered with Co-op Levy Share to donate our excess levy funds, pledging £150k over the next two to three years. Currently, we’re supporting eight UK employers and 21 learners, with donations to date totalling £27k.

We continued to invest in our leadership and management populations, and by June 2025 had delivered Enabling Performance, our Leadership programme, to 75 leaders and managers across the Group, including 73% of our senior leaders. Throughout FY26/FY27 we plan to upskill specific leaders and people team colleagues to enable us to roll out this programme across the remainder of the senior leaders and our middle manager population.

Talent development continued

In October 2024, we launched our Skills Boost series, available to all leaders and managers globally. These 90-minute, virtual sessions focus on key leadership skill areas, e.g. effective performance management, leading cross-culturally, and leading through change. Where relevant, we replicated models from Enabling Performance, e.g. clean talk for difficult conversations and the GROW model for coaching. In FY25, we delivered 66 sessions across six key skill areas, with 943 individual attendances, and circa 40% of leaders and managers regularly attending sessions. Across all sessions, feedback is collected via an online form, including an NPS-specific question: “Would you recommend this session to your colleagues at NCC Group?” All sessions secured an “excellent” (+70–100) NPS score.

In July 2025 we launched our Compass Management Development programme, leveraging Saville leadership profiling to offer a dedicated learning pathway focused on self-awareness through a series of virtual and face-to-face workshops building leadership capability, supplemented by group coaching and mentoring to enable colleagues to embed their learning into their day-to-day roles. Workshops are delivered in concentrated cohorts of 12–15 delegates to facilitate a semi-personalised programme and are available to colleagues in people manager roles with less than two years’ experience. Following the launch in the final quarter of FY25 we engaged 25 attendees across two cohorts.

We launched our first Learning Experience Platform, Spark, in April 2025, and while it’s still being embedded, 93% of colleagues have engaged with content on the platform to date.

In FY25 we facilitated a talent review to identify potential successors to the Executive Committee. The five leaders identified worked with our partner, Saville Assessment, completing Saville Wave and 360 Leadership Impact assessments, and creating a talent profile outlining their strengths and areas for development. They will be supported on their development, with regular one-to-one meetings with their Executive Committee member and Talent Development partner to discuss progress. To date, two of the five leaders have advanced into more senior roles, with one joining the Executive Committee.

Engagement

We have several mechanisms to measure colleague engagement (see page 14), including MyVoice, our biannual engagement survey using the Viva Glint platform. In our March 2025 survey, 1,489 colleagues responded, an increase in our engagement score of two points from March 2024. In addition to the survey, Senior Non-Executive Director Julie Chakraverty hosts quarterly Colleague Listening Sessions, ensuring the Board has a direct link to colleagues and decision making takes into account their voices. In FY25, over 80 colleagues met with Julie, who in turn reported feedback to the Board.

Speaking up

Colleagues have a number of opportunities to speak up – sharing feedback or raising concerns. A global Speak Up framework outlines channels and resources available for doing this, guidance on who to engage with on different types of feedback, and how to ensure confidentiality. A whistleblowing helpline and policy are also available – the policy is published in multiple languages on our website. This ensures colleagues are encouraged to speak up, safe from fear of reprisals, and with the reassurance that any concerns will be listened to and acted on appropriately.

Sustainability continued

Enhancing the colleague experience through competitive reward and wellbeing propositions

Each country we operate in has its own prevailing market conditions, and as such we align our benefit and wellbeing propositions locally, while ensuring they are competitively benchmarked, enabling us to retain and attract the best talent. Our Global Benefits Strategy focuses on four key pillars aligned with colleague feedback and global best practice:

Continually reviewing our reward offering in each country ensures we retain and attract the best talent. In FY25, we built on our reward offering to remain competitive, including:

In Canada we changed the pension provider, with lower management fees, which means greater levels of investment for colleagues.
In Manila, we launched our Philippines Share Plan to all colleagues post-probation and expanded our medical offering to dependants, helping to retain and attract colleagues in a competitive marketplace.
Across Europe, we enhanced our Employee Assistance Programmes, providing enhanced health and wellbeing support to all.
In the UK we rolled out our health cash plan, providing all colleagues with financial support to access dental, optical and medical treatments.

Finance and protection

We understand the importance of financial stability benefits to support colleagues when making choices about their and their families’ current and future financial status.

Investment and savings

Our strategy supports colleagues in planning for the future, enabling them through different investment options to strengthen their financial wellbeing.

Health and wellbeing

We’re committed to fostering a culture of wellness by offering preventative and supportive resources, programmes and initiatives that promote healthy lifestyles, family-work-life balance, and stress management.

Lifestyle and flexibility

We recognise the importance of maintaining a healthy work-life balance and offer flexible work arrangements, paid time off and family friendly policies.

To find out more about our support of colleagues, please see our sustainability strategy on page 16

Action on climate

We’re committed to taking proportionate climate action as a responsible employer, a trusted supply chain partner, and a business focused on long-term value creation for all stakeholders.

Progress in 2024/25

Published our draft Carbon Reduction Plan
Working with Positive Planet, designed and launched NCC Group’s own certified Carbon Literacy Training programme and launched annual and onboarding mandatory climate action training for all colleagues
Partnered with Climategames to fund climate action projects through our wellbeing initiatives

In addition to our support of the net zero transition (read more on our sustainability strategy at nccgroupplc.com/sustainability), our action on climate has three pillars, starting with our own operations and extending to the support we give to clients operating in the energy transition sector and the contribution we make to their endeavours:

Supporting the net zero transition
Decarbonising energy use
Developing sustainable solutions

The biggest impact occurs in our business travel, both for client and non-client related travel, and our leased office spaces and is the focus for our reporting.

Decarbonising energy use

Our total annual Scope 1 and 2 emissions associated with our business operations were 1,232 tCO 2 e for our full year 2025. See page 28 for further detail.We continue to review our leased office space requirements, considering client and colleague needs. Considerations are given to collaboration, health and safety, personal wellbeing and the impact emissions have on the environment. This includes taking into consideration commuting for colleagues and the accessibility of public transport networks. We review office usage monthly as part of the executive team operations review, which, alongside colleague feedback and engagement, and consideration of client needs, informs the real estate strategy. On travel, all colleagues are required to book through our travel partner, Gray Dawes. This provides us with global tracking and improves our data collection for emissions as well as improving how we respond to any social or climate-related issues that colleagues may face. Domestic flights within the UK and European countries are by exception only, with rail travel the preferred option. As a result, any train journey more than three hours in duration in total is travelled by first class to ensure the health, safety and wellbeing of colleagues.

Climategames partnership

During the financial year, we partnered with Climategames, bringing both wellbeing and climate action together to engage colleagues and give back. We chose to invest in two projects – a sea kelp forestation initiative off the coast of British Columbia, and a social enterprise in Asia, including the Philippines, that prevents plastic from entering the ocean in the first place. In the initial launch during the summer of 2025 we funded the equivalent of planting 1,020 trees and removing 16.1kg of plastic from the ocean. Financial donations are made in return for colleagues taking part in physical challenges – from Group activities to local and team-based events. This is a great way to engage colleagues in our climate action activities as well as facilitating wellbeing conversations.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 21

Strategic report

In alignment with the UK Listing Rules, which mandates climate-related disclosure for all UK listed companies, we have produced a comprehensive TCFD Report. Our report covers the four pillars recommended by TCFD: governance, strategy, risk management and metrics/targets, and the 11 disclosures recommended by TCFD except as noted below. To ensure consistency across our report, we adhered to section C of the TCFD Annex, titled “Guidance for All Sectors”. As a result the following are documented as partially consistent, with further detail available within this report:

Strategy B and C – these disclosures have not been fully met due to prioritising drafting our Carbon Reduction Plan, which will use FY25 as our baseline year to enable reduction targets aligned to science-based targets.

Our assessments indicate a low risk of exposure to physical and transitional climate changes, thanks to our business model. However, we acknowledge the high importance of mitigating greenhouse gas emissions, which emerged as a priority from stakeholder feedback as part of our “ongoing assessment” of double materiality in accordance with European Sustainability Reporting Standards. In FY25 we appointed a new partner – Positive Planet – to support the design and publication of our global Carbon Reduction Plan and to calculate and verify our GHG emissions. We recognise the considerable opportunities presented by the growing climate-focused market. Our collaborations with clients in industries such as electric vehicles, renewable energy, Operational Technology and other climate-friendly technologies underscore our readiness to seize these opportunities for sustainable growth.

Task Force on Climate-related Financial Disclosures (TCFD)

Governance

| TCFD recommended disclosure | Consistency | NCC Group disclosure
| Focus area of FY26 |
| :------------------- |
| A. Describe the Board’s oversight of climate- related risk and opportunities | Consistent | • The Board’s Head of the Audit Committee is the lead Non-Executive Director responsible for sustainability. Monthly updates are provided via the CFO report to the Board as well as directly from quarterly meetings with the VP, Investor Relations and Sustainability and the lead NED, including an update on progress against the Group’s goals and targets where appropriate • The Board takes overall accountability for the management of climate-related risks and opportunities and considers them as part of its overall risk review processes • Introduce reporting aligned to the Carbon Reduction Plan targets to reflect, discuss and ensure actions are being taken |
| B. Describe the management’s role in assessing and managing climate-related risks and opportunities | Consistent | • The VP, Investor Relations and Sustainability reports to the Chief Financial Officer, providing advice and updates to the Executive Committee on climate- related issues as and when relevant • An Executive Risk Management (ERM) Committee meets quarterly and addresses any climate risks as part of that process where appropriate • Roll out Climate Literacy Training to all ExCom members and senior leaders during FY26 • Continue to embed climate action into key business decisions • Assign accountabilities and track progress resulting from the Carbon Reduction Plan |

Lynn Fordham, the lead Non-Executive Director for Sustainability, was appointed by the NCC Group Board Chair. In addition to her position as the Head of the Audit Committee, Lynn’s role is to oversee the Company’s sustainability strategy, ensure its integration with the overall business strategy and provide regular sustainability updates to the Board. While there is no specific Board committee for environmental issues, an Executive Risk Management (ERM) Committee chaired by the SVP, Global Governance, Procurement and Estates addresses these issues. The ERM meets bi-monthly and is attended by our CEO and CFO. It discusses, among other risks, sustainability and environmental challenges where relevant, which are then reported to the Board. The results from our ongoing double-materiality assessment continue to inform our sustainability framework. With the changes in requirements for CSRD and the fact our business operations are not in scope for the foreseeable future, we do not intend to report voluntarily against the standards. We will continue to review and assess to ensure we can bid competitively for work within Europe. The Board is committed to communicating its dedication to addressing climate change. By way of example Lynn Fordham along with Guy Ellis, CFO, attended NCC Group’s inaugural Carbon Literacy Training and received their certification in August 2025. They continue to champion training and action in their respective roles.

Sustainability continued

NCC Group plc — Annual report and accounts for the year ended 30 September 202522

Strategy

| TCFD recommended disclosure | Consistency | NCC Group disclosure A. Describe the climate-related risks and opportunities the organisation has identified over the short, medium and long term | Consistent | • See the tables below and on page 24 describing risks and opportunities, which were selected based on the location of our existing business and known climate change risks affecting the broader region we operate in • Monitor actions arising from the risk register |
| B. Describe the impact of climate‑related risks and opportunities on the organisation’s business strategy and financial planning | Partially consistent | • Climate-related taxes, or fines for non-compliance, could impact the business if we fail to take action • Our ability to raise capital to invest in growth may be restricted if we fail to make progress on climate- related action, if this is a requirement of any future sustainable lending requirements • Assess financial implications of climate scenarios in our financial planning |
| C. Describe the resilience of the organisation’s strategy, taking into consideration different climate-related scenarios, including a 2°C or lower scenario | Partially consistent | • We have conducted an initial quantitative analysis against two scenarios of 1.5°C and 4°C • Develop initial scenario analysis and integrate into NCC Group’s strategy development through implementation of the Carbon Reduction Plan |

Our focus is not limited to risk mitigation but extends to exploring opportunities where we can make a positive impact. This includes improving the energy efficiency of our operations, collaborating with our landlords and requesting renewable energy sources, and identifying ways our technology solutions can contribute to our clients’ sustainability efforts. As we continue our climate change journey, we are committed to regularly reporting our progress against these objectives, showing transparency in our endeavours, and constantly seeking ways to better our efforts.

Climate-related risks

Our comprehensive risk management framework (summarised in the Risk Management section of the Annual Report on pages 29 to 37) is instrumental in identifying and assessing climate-related risks. We categorise these risks into:

Short term (less than one year) – based on short-term regulatory or policy changes impacting climate-related risks and opportunities as well as existing forecasting processes considered by management which are reviewed and evaluated on an annual basis
Medium term (one to five years) – based on regulatory changes that may affect climate-related risks and opportunities
Long term (more than five years) – based on the likely timeline of international agreements and commitments, technological trends and changes to policy or carbon pricing and their impact on our operations, client services and supply chain

For instance, short-term risks might include immediate regulatory changes or extreme weather events, while long-term risks could be major shifts in our industry driven by the transition to a low carbon economy.# Sustainability continued

Risk

Each identified risk is paired with corresponding mitigation measures, such as implementing energy-efficient technologies or diversifying our supply chain, aimed to reduce our vulnerability. It’s critical that we remain flexible in our approach but focused on taking responsibility for the emissions we generate and seek to reduce what we can control. While these risks apply to the Group as a whole, we do recognise that certain locations face unique challenges. For example, our operations in coastal areas are more susceptible to rising sea levels and increased frequency of extreme weather events. For a more detailed understanding of the climate-related risks and opportunities we face, please refer to the table below. It provides a snapshot of the specific challenges we’re addressing and the strategic responses we have undertaken.

| Risk | Risk impact | Short/medium/ long term | Regions impacted | Mitigating activities |
| --- | --- | --- | --- |
| Physical risks | | | | |
| Extreme weather (acute) | Causing business disruption and loss of service delivery if colleagues or clients are impacted adversely, which would in turn potentially impactrevenue | Short to medium term | All but particularly Europe (Rijswijkand Amsterdam) | • Business interruption cover
• Business continuity plans
• Remote working in place
• Dutch flood defences in place |
| Sea level rises (chronic) | Increased likelihood of flooding in Delftand Amsterdam offices causing increased insurance premiums to mitigate against business interruption and material loss | Long term | Europe – Rijswijkand Amsterdam offices | |
| Transition risks | | | | |
| Increase in taxes and levies for greenhouse gas emissions | Increased costs to implement control and monitor/measurement processes as well as actual cost of taxes andlevies | Medium term | Depends onlocal legislation | • Implement actions identified in our Carbon Reduction Plan and monitor |
| Move to net zero | Increased costs required to loweremissions | Long term | Global | • Remote delivery of client services where possible
• Green car scheme for UK colleagues
• Annual calculation of Scope 1 and 2 emissions and a Carbon Reduction Plan in place
• Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction |
| Margin risk | Impact on results due to extra costs incurred tolower emissions | Medium term | Global | • Accounting policies regularly reviewed
• Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction |
| Reputation risk | Increased stakeholder concern and changing client behaviours | Medium term | Global | • Rolling out Carbon Literacy Training to colleagues, starting with key decision makers and senior client-facing colleagues to empower them to engagein the conversation
• Ongoing dialogue with investors
• Participation in reporting frameworks such asCDP, EcoVadis, FTSE4Good, etc.
• ESG information publicly available |
| Supply chain risk | Substitution of existing products and services with lower emission options | Medium to long term | Global | • Building climate change reporting andactivity intosupplier onboarding
• Business continuity plans
• Continuing to review our estate provision and taking steps to move outof leases where there isno client orbusiness benefit to being there
• Implementation of our estates policy, which incorporates environment considerations alongside the health, safety and security ofcolleagues |

TCFD continued

Climate-related risks continued

Resource efficiency: By embracing more efficient modes of transport, promoting recycling, encouraging hybrid working models and operating within efficient buildings, we can lessen our environmental footprint, improve colleague satisfaction and reduce operational costs. For instance, removing unnecessary travel not only reduces our carbon emissions but also empowers colleagues with more control over their work-life balance, contributing to improved morale and productivity (anticipated medium to long-term benefits).

Energy source: Our transition to lower emission energy sources, underpinned by our electric/hybrid car scheme for all UK colleagues, demonstrates our commitment to sustainable practices. By giving colleagues access to green car options, we are mitigating our exposure to future fossil fuel price fluctuations and regulations. It also addresses our colleagues’ material concerns, fostering a culture of environmental responsibility and enhancing overall job satisfaction (medium to long-term impact).

Market: As industries evolve in response to climate change, we’re strategically positioned to leverage these transformations. For example, by partnering with companies transitioning to alternative energy sources or working on projects involving smart meters, electric vehicles, IoT technology for waste reduction and cloud data centres, weanticipate strengthening our market position and enhancing our reputation as a sustainable and innovative enterprise (short to medium-term outlook).

Resilience: Our sustainable business model increases our resilience toclimate-related risks, demonstrating our commitment to being a responsible and ethical supply chain partner. This commitment to sustainability not only aligns us with an increasingly eco-aware market but also empowers us to lead in the space, fostering a culture of innovation and responsible business practices (short to long-termperspective).

Scenario analysis

To understand the risks and opportunities our business faces considering climate change, we conducted a quantitative scenario analysis using two distinct scenarios: a “<2°C” scenario (“Scenario 1”), where global warming is limited to less than 2°C with net zero achieved by 2050, and a “4°C” scenario (“Scenario 2”), where the goal of net zero by 2050 is not reached. A summary of the scenarios selected isprovided in the diagram below. These scenarios are chosen to reflect the diverse spectrum of possibilities that could unfold due to different levels of global effort to curb climate change. In the context of these scenarios, “transition risks” refer to the challenges associated with the shift towards a lower carbon economy, while “physical risks” denote the potential damage caused by climate change itself. In terms of the risks selected, these were based on physical locations and the nature of our business in key locations of North America, the UK, Europe and Asia Pacific. We are in the process of flowing this into our financial planning and will continue to do so as we mature our climate action planning and reporting.

Under Scenario 1, we anticipate higher transition risks due to rapid shifts in regulatory and market conditions, but the physical risks would be significantly reduced due to the effective global action on climate change. Conversely, Scenario 2 predicts lower transition risks but considerably higher physical risks due to the lack of substantial progress towards climate goals. We’ve further broken down these risks by timeline, classifying them asshort term (less than one year), medium term (one to five years) andlong term (more than five years). The table below offers a comprehensive overview of NCC Group’s potential exposure to both transition and physical risks under each scenario. While our current analysis is qualitative, we are working towards quantifying these risks and opportunities as we progress towards our net zero targets and continually improve our data collection across Scope 1, 2 and 3 emissions. At this point, we don’t foresee a significant impact on our Financial Statement disclosures based on our materiality assessment results and known near to mid-term regulatory developments. However, we will continuously monitor both transition and physical risks, adjusting our mitigation strategy as necessary.

Risk type	Risk	Risk impact	Short-term risk (<1 year 2025)	Medium-term risk (1–5 years 2026 to 2031)	Long-term risk (>5 years 2031)
Physical risk	Rising sea levels	Risk to NCC Group offices located in high risk areas, as well as colleagues’ homes and clients’ business premises, resulting in business disruption	1 Low	Low	High
			2 Low	High	High
Transition risk	Increase in taxes and levies	Disruption and increased coststoensure compliance withnew legislation	1 Low	Medium	High
			2 Low	Low	Low
Margin risk	Impact on results due to extra costs incurred to lower emissions		1 Low	Medium	High
			2 Low	Low	Low
Reputation risk	Increased stakeholder concern and changing client behaviours		1 Medium	High	High
			2 Low	High	High
Supply chain risk	Substitution of existing productsand services with loweremission options		1 Low	Medium	High
			2 Low	Low	High

Financial planning

We recognise the potential implications of climate-related risks and opportunities on our financial planning. We anticipate shifts in our future business model and strategy in response to evolving market conditions due to climate change. We foresee potential changes in client preferences towards more sustainable products and services, along with possible disruptions in our supply chain due to extreme weather events. These factors are thoroughly considered in our business strategy development. Our business strategy has been designed to be resilient to future economic and climate-related scenarios. And by running regular scenarios we can test that resilience and ensure it’s considered in future business strategy development, enabling us to adapt accordingly, without disrupting or negatively impacting currentoperations. The scenarios are based on industry insights, which are used in the expert input into our ongoing materiality assessment. During FY24 we prioritised drafting our Carbon Reduction Plan working with Positive Planet.# Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

25 Sustainability continued

TCFD continued

Risk management

TCFD recommended disclosure	Consistency	NCC Group disclosure
A. Describe the organisation’s processes for identifying and assessing climate-related risks	Consistent	• Climate-related risks are managed through our Enterprise Risk Management framework • Monitor actions arising from the risk register
B. Describe the organisation’s processes for managing climate-related risks	Consistent	• Climate-related risks are documented, mitigating actions are considered, a risk rating is assigned and associated actions are documented and followed up • Monitor actions arising from the risk register
C. Describe how processes for identifying, assessing and managing climate-related risks are integrated into the organisation’s overall risk management	Consistent	• Climate-related risks are managed through our Enterprise Risk Management framework • Monitor actions arising from the risk register

How we manage risks

Obtain assurance
Implement internal control
Adapt ERM
Perform scenario analysis
Integrate into reporting
Use existing tools
Solicit investor feedback
Assess financial impacts
Collaborate across the business
Secure leadership buy-in

Audit Committee

Climate-related risks are managed through our NCC Group Enterprise Risk Management (ERM) framework. This framework, which is detailed in the Risk Management section of the Annual Report on page 30, uses a sophisticated risk model to assess and score each risk based on likelihood and impact. Risks are re-evaluated consistently to ensure we’re responsive to evolving circumstances. Our risk management approach combines “top-down strategic” and “bottom-up operational” perspectives, fostering collaboration and promoting efficient risk identification. With respect to climate-related risks, we have outlined our strategies and targets for GHG emissions reduction and biodiversity preservation. These climate-related risks are integrated into our Principal Risks section (pages 29 to 37). The Executive Risk Management Committee plays an active role in the ongoing review of these risks and their mitigations, controls and associated actions. This Committee meets on a regular basis and follows a stringent process for identifying, assessing, responding to and escalating serious concerns related to these risks. We firmly believe that this integrated and transparent approach will ensure effective risk management aligned with the principles of TCFD, while driving our strategic objectives for sustainability.

Establish Committee oversight

Risk Committee

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 26

Metrics and targets

To achieve net zero, we will be aiming to reduce emissions in line with the latest guidance from the Science Based Targets initiative (SBTi). Targets are defined as “science based” when they align with the scale of reductions required to limit global temperature increases to 1.5°C compared to pre-industrial temperatures. Adopting the SBTi framework ensures our decarbonisation efforts are aligned with the latest climate science and global best practices. The SBTi provides a clear, credible pathway for reducing emissions at a pace and scale consistent with limiting global warming to 1.5°C. For the time being our targets will be aligned with SBTi guidance, although we will not be seeking validation at this time. We anticipate reducing our Scope 1, 2 and 3 emissions by 63% by 2035, which will be validated using FY25 as our base year. We will also consider setting an intensity-based Scope 3 target depending on growth targets. An intensity-based target is a commitment to reduce emissions per economic unit or physical unit. We are committed to reach net zero by 2045. Please see our Carbon Reduction Plan for more information www.nccgroupplc.com/sustainability

TCFD recommended disclosure	Consistency	NCC Group disclosure
A. Disclose the metrics used by the organisation to assess climate-related risks and opportunities in line with its strategy and risk management process	Partially consistent	• Reporting of Scope 1, Scope 2 and Scope 3 greenhouse gas emissions for FY25 compared to prior years while taking into account improvements in our methodology • Prioritisation and ownership of Carbon Reduction Plan actions
B. Disclose Scope 1, Scope 2 and, if appropriate, Scope 3 greenhouse gas emissions and the related risks	Partially consistent	• Publication of Scope 1 and 2 GHG emissions for FY25 vs FY24 • Full Scope 3 emissions relevant to our business operations • Review of our data collection in line with the new action areas identified within the Carbon Reduction Plan
C. Describe the targets used by the organisation to manage climate- related risks and opportunities and performance against target	Partially consistent	• Draft Carbon Reduction Plan target to reduce Scope 1 by 63%, Scope 2 by 63% and Scope 3 by 63% by 2035 • Publish the final Carbon Reduction plan using FY25 GHG emissions as the baseline • Validate targets with SBTi

The state of supply chain security

NCC Group thought leadership shows 68% of organisations expect supply chain attacks to grow more severe. Global supply chains are under mounting pressure, suffering a series of high profile breaches in 2025. As the attack surface and threat increases, organisations are complacent and over reliant on compliance frameworks. NCC Group’s ‘State of supply chain security’ report investigated this overlooked area of risk and found deeply concerning evidence of overconfidence, a gap in responsibility and the rising threat posed by artificial intelligence. At NCC Group, we help clients tackle these challenges through expert-led assessments, robust third party risk management, and tailored strategies that embed security across the supply chain, ensuring organisations can operate confidently in an increasingly hostile digital landscape. The full report is available at: www.nccgroup.com/the-state-of-supply-chain-security

VIEWPOINT

Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 27

Streamlined Energy and Carbon Reporting (SECR)

The period under review is from 1 October 2024 to 30 September 2025 and the reporting boundary includes the full Group. Emissions are calculated in line with the GHG Protocol, as detailed in our SECR report on the Sustainability section of our website. Emissions are reported as CO 2 , using 100-year Global Warming Potential values. For FY25, NCC Group’s report covers SECR-relevant categories only. Data sources used include meter readings, supplier invoices, and transport mileage records.

Source	Total GHG tCO 2 e	tCO 2 e change from previous year	% change from previous year
2024	2025
Scope 1
Gas	344.4	109.5	(234.9)
Company vehicles
Diesel A	0.8	—	N/A
Petrol A	11.3	—	N/A
Diesel/petrol	12.1	349.3	B 337.
Hybrid	—	—	—
Fleet fuel – petrol	—	—	—
Total Scope 1	356.5	458.8	102.3
Scope 2
Electricity A	1,280.5	—	N/A
Company vehicles – electric A	8.9	—	N/A
Purchased electricity	1,289.40	727.30	(5 62.1)
Heat and steam	40.9	45.9	5
Total Scope 2	1,330.3	773.2	(5 57.1)
Total Scope 1 and 2	1,686.8	1,232.0	(454.8)
Scope 3
Business travel A	1,257.5	—	N/A
Transmission and distribution losses A	82.3	—	N/A
Heat and steam transmission and distribution losses A	2.8	—	N/A
Fleet transmission and distribution losses A	0.8	—	N/A
Transport	1,343.40	88.7	(1,254.7)
Commuting A	225.4	—	N/A
Data centre electricity A	71.7	—	N/A
Purchased goods and services A	5,713.7	—	N/A
Total Scope 3	7,354.2	88.7	(7,265.5)
Total Scope 1, 2 and 3	9,041.0	1,320.7	(7,720.3)

Underlying energy use

The table below shows the proportion of energy use that occurs in the UK and non-UK countries alongside the total carbon emissions. In FY25, 27% of the Group’s energy consumption and 21% of carbon emissions arose from the UK.

Area	kWh	% of global energy use	Total emissions tCO 2 e	% of global emissions
FY25 energy use
UK	1,340,628.6	27%	279.1	21%
Non-UK	3,587,490.3	73%	1,041.6	79%
Global purchased goods and services	—	—	—	—
Total A	4,928,118.9	100%	1,320.7	100%
FY25 carbon emissions

Intensity metric

Total per £m turnover – location based	Amount	kWh	Turnover £m	Total emissions tCO 2 e
1 October 2023–30 September 2024	6,326,920.9	329.2	9,041.0	27.5
1 October 2024–30 September 2025 A	4,928,118.9	305.4	1,320.7	4.3
Comparison	(2 2.1%)	(7. 2%)	(85.4%)	(84.3)

A In accordance with SECR requirements and on the professional advice of NCC Group’s newly appointed sustainability consultancy, Positive Planet, the FY25 data disclosure includes only the mandatory information prescribed by legislation. This disclosure provides a concise summary of NCC Group’s energy consumption, carbon emissions and related performance metrics.# NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Sustainability continued

A more comprehensive view, including supplementary information and analysis, will be provided in the 2025 Carbon Reduction Plan and Sustainability Report. This approach ensures transparency and accessibility while maintaining compliance with regulatory obligations. B Reflecting NCC Group’s ongoing commitment to strengthen transparency and completeness in emissions reporting, fleet emissions data for the Netherlands has been sourced and included in the FY25 SECR disclosure for the first time.

NCC Group’s approach to risk management

NCC Group adopts both a “top-down” and “bottom-up” approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is summarised in the diagram on page 30. The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the “top down” and “bottom up”. The Group believes that this is the most efficient and effective way to identify its business risks.

Top down

The Board, Audit Committee and Cyber Security Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Escode, Cyber Security, information security, data protection and health and safety). The Board considers the Group’s strategic objectives and any barriers to their achievement.

Bottom up

The Board and senior leadership team engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views.

Risk management model

The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram on page 30.

Risk management

Risk is an inherent part of doing business, and risk management is a fundamental aspect of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgement regarding the impact and likelihood of risks. The Board holds overall responsibility for ensuring that NCC Group has an effective risk management framework that aligns with its business objectives.

Risk management model

Identify risks	Assess adequacy and effectiveness of existing controls	Address	Monitor delivery of action plans/ risk universe
Identify inherent risks and likelihood of impact	Evaluate mitigated risks and likelihood of impact	Develop action plans (treat, transfer, tolerate, terminate)	Assign Director-level sponsorship

I d e n t i f y M o n i t o r A s s e s s A d d r e s s

Corporate governance

The Board has established an Enterprise Risk Management policy, which has established protocols, including:
* Roles and responsibilities for the risk management framework
* A risk scoring framework
* A definition of risk appetite

The integrated approach to risk management diagram on page 30 summarises the Group’s overall approach to risk management.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 29

Strategic report

Managing risk from the top down

Role	Responsibilities
Board	• Establishing guidance on the Group’s approach to risk management and establishing the parameters for risk appetite and associated decision making • Identification, review and management of identified Group strategic risks and associated actions • Ongoing consideration of: • IT and cyber-centric risk • Environmental risk
Audit Committee	• Periodically assessing the effectiveness of the embedded Group risk management process • Challenging the content of the strategic risk register to support a comprehensive and balanced assessment of risk • Reporting on the principal risks and uncertainties of the Group
Cyber Security Committee	• Implementing and embedding the Group’s Enterprise Risk Management policy and approach • Directing the delivery of the Group’s identified actions associated with managing/ mitigating risk

Managing risk from the bottom up

Role	Responsibilities
Executive Committee	• Identification of key risk indicators, monitoring and taking timely action where appropriate • Responsible for reviewing the operational risks across the business units and Group • Challenging the appropriateness and adequacy of proposed action plans to mitigate risk • Giving due consideration to the aggregation of risk across the Group • Provisioning suitable cross-functional/ business unit resource to effectively manage risk where appropriate
Leadership team	• Instrumental in developing the risk management framework adopted by the Board • Conduit between the Board and the business units – providing training and support where appropriate • Developing and executing a risk-based Internal Audit Plan to assess the management of risks
Global Governance function	• Ongoing monitoring and reporting to the Board in relation to the progress being made by the business units in implementing agreed action plans to mitigate strategic risk • Close cross-functional relationships with the Global Technical Services (GTS) security operations team to facilitate the identification, management, monitoring and reporting of data security risks • Execution of the delivery of the Group’s identified actions associated with managing risk • Timely reporting on the implementation and progress of agreed action plans • Provision of key risk indicator updates
Business units	• Identification and reporting of strategic risk to the Board • Provision of reports and data relating to significant emerging risks to the Group (internal and external) • Implementation of risk management approach which promotes the ongoing identification, evaluation, prioritisation, mitigation and monitoring of operational risk

Effective pursuit of strategic objectives

Risk management continued

Risk management model continued

The Board, Audit Committee, Cyber Security Committee and Executive Committee review risks on an ongoing basis throughout the period. The appropriateness and relevance of the risks are monitored by the Global Governance function to ensure they continue to be updated, meet the needs of the Group and remain in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions. We are satisfied that the Enterprise Risk Management policy, framework and model currently in place are sufficient to manage risk across the Group. The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail overleaf.

Identify

Risks exist within all areas of our business, and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment. All identified risks are initially assessed for their “inherent” risk (risk with no controls in place), using a scoring mechanism that accounts for the likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner. In addition to ongoing risk identification, an annual exercise is undertaken to review the Group’s strategic risk universe by the Board. This exercise is reliant on the “top-down”, “bottom-up” approach discussed earlier.

Assess

Post-identification of the Group’s inherent risk exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group’s current exposure to risk – the mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to:
* Management updates
* Action tracking and reporting
* Control environment policies and procedures
* Independent audit activity
* Project monitoring reports

Address

Having identified and assessed the risks faced by the Group, the risks are scored according to likelihood of occurring and impact to the business should they occur. An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into one of four categories:
* Treat – develop an action plan (applying responsibility, deadlines and prioritisation) that may include the implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls
* Transfer – use a third party specialist to undertake the activity, thus mitigating the risk
* Tolerate – determine the risk is within appetite
* Terminate – exit the activity

The output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders or has been used in the development of the Group’s transformation programme.

Monitor

Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 30

[Diagram indicating the integrated approach to risk management as described in the text]

Corporate governance

The integrated approach to risk management diagram on page 30 summarises the Group’s overall approach to risk management.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 29

Strategic report

Managing risk from the top down

Role	Responsibilities
Board	• Establishing guidance on the Group’s approach to risk management and establishing the parameters for risk appetite and associated decision making • Identification, review and management of identified Group strategic risks and associated actions • Ongoing consideration of: • IT and cyber-centric risk • Environmental risk
Audit Committee	• Periodically assessing the effectiveness of the embedded Group risk management process • Challenging the content of the strategic risk register to support a comprehensive and balanced assessment of risk • Reporting on the principal risks and uncertainties of the Group
Cyber Security Committee	• Implementing and embedding the Group’s Enterprise Risk Management policy and approach • Directing the delivery of the Group’s identified actions associated with managing/ mitigating risk

Managing risk from the bottom up

Role	Responsibilities
Executive Committee	• Identification of key risk indicators, monitoring and taking timely action where appropriate • Responsible for reviewing the operational risks across the business units and Group • Challenging the appropriateness and adequacy of proposed action plans to mitigate risk • Giving due consideration to the aggregation of risk across the Group • Provisioning suitable cross-functional/ business unit resource to effectively manage risk where appropriate
Leadership team	• Instrumental in developing the risk management framework adopted by the Board • Conduit between the Board and the business units – providing training and support where appropriate • Developing and executing a risk-based Internal Audit Plan to assess the management of risks
Global Governance function	• Ongoing monitoring and reporting to the Board in relation to the progress being made by the business units in implementing agreed action plans to mitigate strategic risk • Close cross-functional relationships with the Global Technical Services (GTS) security operations team to facilitate the identification, management, monitoring and reporting of data security risks • Execution of the delivery of the Group’s identified actions associated with managing risk • Timely reporting on the implementation and progress of agreed action plans • Provision of key risk indicator updates
Business units	• Identification and reporting of strategic risk to the Board • Provision of reports and data relating to significant emerging risks to the Group (internal and external) • Implementation of risk management approach which promotes the ongoing identification, evaluation, prioritisation, mitigation and monitoring of operational risk

Effective pursuit of strategic objectives

Risk management continued

Risk management model continued

Identify

Assess

Address

The output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders or has been used in the development of the Group’s transformation programme.

Monitor

Examples of ongoing monitoring of business risks include, but are not limited to:
* Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks
* Review of the annual Internal Audit Plan to validate that it incorporates key areas of business risk
* A review of internal audit reports issued during the period, including a summary of progress against previously raised management actions at each Audit Committee meeting
* Annual review of the strategic risk register by the Enterprise Risk Management Steering Group and Board to ensure that it includes risks arising in the period

Internal control

While risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation. NCC Group has established a robust internal control framework, which is made up of a number of components:

Control environment

The control environment has primarily been established taking account of the Group’s values (working together, being brilliantly creative, embracing difference and taking responsibility), and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, while also maintaining integrity and transparency.

Risk assessments

Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements and are vital in our transformational programmes.

Policies and procedures

Established policies communicate expected behaviours and are supported by procedures and guidelines that define required processes and controls. This, in turn, helps the business to adopt efficient and effective control environments.

Information and communications

Access to accurate and timely data is essential for supporting our colleagues in making informed decisions and effectively managing and controlling their areas of responsibility.

Activity monitoring

The minimum financial controls framework was established in FY20. Further enhancement of the framework is being designed and implemented to align with the UK Corporate Governance Reform and upcoming Directors’ attestation of internal controls. In preparation for new legislative requirements relating to failure to prevent fraud, key anti-fraud controls have been identified and these are supported by red flag reporting and ongoing trend analysis to enhance the existing control environment to ensure compliance with the Economic Crime and Transparency Act (2023). Financial accounting and reporting follow generally accepted accounting practices. Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. The approval procedures are captured within a global delegation of authority (DoA) matrix which is disseminated across the Group. Compliance with all legislation, current and new, is closely monitored.

Risk and control reporting structure

NCC Group has embedded the “three lines of defence” to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Security Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control.

Three lines of defence:
* First line – Group policies and procedures
* Second line – information security, data protection, health and safety, and legal
* Third line – risk and assurance, incorporating internal audit, standards and support, assessing compliance with standards and external audit, both financial and operational, providing independent challenge and assessment

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
31

Risk management continued

A. Strategy

1. Inability to execute the Group’s strategy including the diversification of market sector, region, product/service or client

VR	Link to strategy: Our clients Our capabilities Global delivery Differentiated brands
Previous risk names	Inability to execute the Group strategy and over-reliance on market sector, product/service or client
Risk owner	Mike Maddison, CEO
Risk impact	Ineffective execution of a strategy could have a material negative impact on the Group’s financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group’s established position in the marketplace.
Risk impact and movement
Key controls and mitigating factors	Strategic transformation plans are in place. Disposal of Crypto and DetACT. The Manila office is fully operational.

2. Inability of the Group to absorb the people, process and technological transformation change

Link to strategy: Our clients Our capabilities Global delivery Differentiated brands
Previous risk name
Risk owner
Risk impact
Risk impact and movement
Key controls and mitigating factors

Risk movement: Increased Decreased Unchanged
Viability risk: VR New risk: NR Risk impact: High Medium Low

Extraordinary risk during the period

Principal risks and uncertainties During the period, the Board has completed a robust assessment of the Company’s emerging and principal risks. This has included the Board reassessing and rescoring the principal risks, with changes to the risks noted below. The overall number of principal risks has reduced from 24 in FY24 to 14 in FY25 primarily due to risks being combined where the operating risks overlapped or where they were considered sub-risks. The Group continues to operate in a particularly dynamic and evolving marketplace. The current risk register has been developed to reflect these factors and includes risks that could threaten the Group’s business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, along with their potential impact and the mitigating processes and controls, are set out below. The strategic risks are based on the four pillars of our strategy: our clients, our capabilities, global delivery and differentiated brands.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
32

A. Strategy continued

3. Commercial models (contractual and pricing) do not reflect the flexibility required by clients or drive the optimal commercial outcome for NCC Group

VR	Link to strategy: Our clients Our capabilities Global delivery
Previous risk name	N/A
Risk owner	Peter Vorley, CCO
Risk impact	Inability to transact, operate and deliver profitable services resulting in loss of revenue and negative impact on share price.
Risk impact and movement	NR
Key controls and mitigating factors	Finance review of margins. Legal review of contracts. Approval is required for low margin jobs. Regular review of services is offered. Client engagement and feedback to enhance the portfolio of product and services.

B. Cyber and information security

4. Cyber attack

VR	Link to strategy: Our capabilities Global delivery Differentiated brands
Previous risk name	N/A
Risk owner	Guy Ellis, CFO
Risk impact	Data breach leading to fines from regulators and reputational damage. Lack of availability in systems. Inability to operate services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price. Impact on national security due to our work with government clients.
Risk impact and movement	Increased due to increase in high profile cyber attacks and change to geopolitical landscape.
Key controls and mitigating factors	The Board operates a Cyber Security Committee chaired by a NED. All colleagues globally are required to undertake annual and ongoing security training to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues. Security testing is regularly carried out on the Group’s infrastructure and there are extensive response plans, which are tested. Comprehensive plans are in place and being delivered associated with discharging our data protection obligations. Deployed an Information Security Management System (ISO 27001). All key locations are certified.

Risk movement: Increased Decreased Unchanged
Viability risk: VR New risk: NR Risk impact: High Medium Low

Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
33

Risk management continued

B. Cyber and information security continued

5. Significant business systems failure

Link to strategy: Our capabilities Global delivery Differentiated brands
Previous risk name
Risk owner
Risk impact

C. Innovation and product development

8. Technology changes render services obsolete/technology disruption impacts pace of change

Link to strategy: Our clients, Our capabilities, Global delivery, Differentiated brands
Previous risk name: Merged with lack of innovation, ineffectual product/service management and failure to capture on partnership ecosystem
Moved from strategy theme to innovation theme
Risk owner: Mike Maddison, CEO
Risk impact: Failure to stay updated with technological changes can erode competitive advantage, leading to a decline in market share and revenue. Failure to deliver the Group strategy. Increased cost base eroding margins.
Risk impact and movement:
Key controls and mitigating factors:
- Market intelligence and competitive intelligence reporting.
- Strategic partnerships and technology partners to ensure alignment with emerging trends and technology changes.
- Research and development budgets and culture which proactively embraces new trends and technologies.
- Cross-functional collaboration via working groups to promote innovation.
- Client engagement and feedback to enhance the portfolio of products and services.

D. People

9. Insufficient strategic workforce planning, including technological development and training of colleagues

VR
Link to strategy: Our capabilities
Previous risk name: Inability to retain/recruit colleagues to meet the resource needs of the business and unable to meet the resource needs of the business and client
Risk owner: Michelle Van de Velde, CPO
Risk impact: Inability to deliver to clients resulting in loss of revenue and reputational damage. Loss of colleague morale and risk of “burnout”. Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. Inability to attract and retain sufficient high calibre colleagues could become a barrier to the continued success and growth of NCC Group.
Risk impact and movement: Increased due to a lot of ongoing transformational change.
Key controls and mitigating factors:
- Workforce resourcing is managed by the Chief People Officer.
- A full review of workforce requirements is undertaken as part of the strategic review.
- Job level framework is implemented.
- Colleagues are offered an industry aligned salary and benefits package including share schemes, salary sacrifice car scheme and retail discount offerings.
- The Manila office is fully operational and has reduced the cost base to further meet the needs of our clients.

E. Market and competition

10. Global socio-political risk

Link to strategy: Our clients, Our capabilities, Global delivery, Differentiated brands
Previous risk names: Geopolitical risk and undertaking work with disreputable clients in sanctioned or undesirable jurisdictions
Risk owner: Kevin Brown, COO
Risk impact: Failure to comply with changing global regulations may cause disruption to our business. Reputational damage and legal implications if we work with disreputable clients.
Risk impact and movement: Increased due to it being difficult to control and a lot of change and uncertainty.
Key controls and mitigating factors:
- The strategy is focused on globalisation and thus the resource structure is being designed to promote global delivery.
- A country risk index is in place with risk assessments performed for business in higher risk countries.
Risk movement: Increased, Decreased, Unchanged
Viability risk: VR
New risk: NR
Risk impact: High, Medium, Low

Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Risk management continued

F. Brand and reputation

11. Adverse publicity in news and social media

Link to strategy: Differentiated brands
Previous risk name: N/A
Risk owner: Angela Brown, CMO
Risk impact: Reputational damage leading to loss of existing and potential clients resulting in loss of revenue.
Risk impact and movement:
Key controls and mitigating factors:
- Policies and procedures are in place which follow good practice and ethics.
- Annual compliance training.
- Research quality review process.

G. Quality and delivery

12. Inability to effectively compete in the market

VR
Link to strategy: Our clients, Our capabilities
Previous risk names: Service delivery does not achieve established quality standards, loss of internationally recognised quality and security standards and lack of market strength versus competition
Risk owner: Kevin Brown, COO
Risk impact: Clients don’t renew, have their SLA breached or cancel mid-service leading to loss of revenue. Negligence in delivery leading to legal action or loss of revenue and reputational damage. Failure to retain internationally recognised quality and security standards resulting in a loss of clients and revenue and the ability to operate.
Risk impact and movement:
Key controls and mitigating factors:
- Global standards and support team performs internal audits and manages the ISO accreditations.
- External assessors conduct audits at least annually confirming the retention of our quality and security standards.
- ISO standards extended to more locations in FY25.
- Policies and procedures are in place and audited against the design and application.
- Quality assurance processes are in place.
- Standard methodologies and procedures are followed.
- Customer feedback and complaints process.
- Ongoing internal training programmes.
Risk movement: Increased, Decreased, Unchanged
Viability risk: VR
New risk: NR
Risk impact: High, Medium, Low

Principal risks and uncertainties continued

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

H. Legal, regulatory compliance and governance

13. Criminal and civil corporate legal action resulting in fines and incarceration

VR
Link to strategy: Our clients, Global delivery, Differentiated brands
Previous risk name: N/A
Risk owner: Guy Ellis, CFO
Risk impact: Reputational damage from legal action being taken and financial impact of the fines and the impact it may have on key customer accounts.
Risk impact and movement:
Key controls and mitigating factors:
- The legal team reviews customer contracts.
- Annual compliance training is undertaken including ethics, economic crime, health and safety, information security and data protection.

14. Inability to identify and adopt emerging regulations in a timely manner

Link to strategy: Our clients, Global delivery, Differentiated brands
Previous risk name: N/A
Risk owner: Guy Ellis, CFO
Risk impact: Non-compliance with regulations resulting in fines from regulators and reputational damage leading to loss of key customer accounts and shareholder investment.
Risk impact and movement:
Key controls and mitigating factors:
- TCFD reporting in third period and working on CSRD for our Fox-IT business.
- Horizon scanning for new regulations.
Risk movement: Increased, Decreased, Unchanged
Viability risk: VR
New risk: NR
Risk impact: High, Medium, Low

We have removed the lack of visibility in the workplace risk, within the brand and reputation risk theme, as the Board deemed this was no longer a strategic risk. In addition to identifying the Group principal risks, we continuously review and monitor emerging risks through horizon scanning; publications; assessing regulatory changes and how they may impact the Group; and ensuring adequate oversight over significant projects. Examples of identification include horizon scanning for emerging risks such as increasing energy costs, takeover risks, legislative and market changes and geopolitical risks.# Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 37

Viability statement

In line with Provision 31 of the 2018 UK Corporate Governance Code, this Viability Statement outlines the Directors’ assessment of the Group’s ability to continue in operation and meet its liabilities as they fall due over the designated assessment period (factoring in the Group’s continuing operations), drawing attention to any qualifications or assumptions, as necessary. This evaluation considers our current financial position, outlook and principal risks and uncertainties, as well as the critical judgements and estimates underpinning the Financial Statements.

The Directors’ assessment is grounded in the Group’s business model and strategic plan, which are reviewed and approved annually by the Board with a focus on a sustainable growth strategy derived from two distinct businesses, increasing shareholder value, and enhancing our service offering. For further details, please see the Strategic Report on pages 8 and 9. The Group’s strategic priorities, detailed on pages 12 and 13 of the Strategic Report, provide a foundation for this outlook. Additionally, the effective management of principal risks and uncertainties, as outlined on pages 29 to 37, underscores those factors that could theoretically pose a threat to the Group’s operational or financial resilience, particularly those carrying the viability risk (VR) designation.

The assessment period

The Directors have assessed the viability of the Group over a three year period ending in September 2028. This timeframe aligns with the Group’s strategic planning horizon and reflects a practical planning period, considering the pace of industry change and evolving customer demands.

Assessment of viability

The viability of the Group has been assessed based on its current financial position, available banking facilities, and the Board-approved FY26 budget and three year strategic plan (factoring in the Group’s continuing operations). The Group’s base case budget for FY26 incorporates recent growth trends across geographical regions and operating segments, as well as relevant growth opportunities driven by existing offerings. Management has also performed base case modelling inclusive of the potential disposal of its Escode business (incorporating any associated impact on the Group’s banking facilities and expected net cash position). This assessment also accounts for current macro-economic conditions where applicable. Additionally, the Group remains in the early stages of reviewing a number of strategic options for its Cyber business, however no decision has been made on which option will be pursued as of 11 December 2025.

No material issues impacting the Group’s viability assessment as of 11 December 2025.

In April 2025, the Group refinanced its borrowing arrangements by entering into a new four year £120m multi-currency revolving credit facility, replacing the previous facility due to expire in December 2026. The new facility, which expires in April 2029, provides additional liquidity headroom and has been factored into the Group’s viability assessment.

Additionally, the Directors have modelled the impact of severe, yet plausible, scenarios associated with the Group’s principal viability risks, which could have the most significant potential impact on viability over the three year period, as outlined in the table below. These sensitivities have been assessed against the Group’s projected cash flow position, available banking facilities, and compliance with financial covenants throughout the viability period. Under these scenarios, the Group has assessed and concluded that sufficient headroom exists to support its operations and meet its liabilities as they fall due. Further details on the Group’s financing arrangements can be found in Note 1 of the Financial Statements.

The applied sensitivities demonstrate sufficient levels of headroom, indicating that no mitigating actions are necessary under the severe but plausible scenarios modelled by management. Nevertheless, should additional headroom be needed, available measures within the Directors’ control include reducing planned capital expenditure, adjusting headcount, freezing pay and recruitment, and suspending dividend payments to shareholders.

As outlined on page 32, the Board has undertaken a robust assessment of the Company’s principal risks, resulting in an overall reduction in the number of identified risks. This reassessment included a review of the Group’s principal risks that are also considered viability risks, and any changes identified during the year are clearly highlighted on pages 32 to 37.

Conclusions

Based on the severe but plausible scenarios modelled (inclusive of the planned disposal of Escode), the Directors have a reasonable expectation that the Company will be able to continue in operation and meet its liabilities as they fall due over the three year period of assessment. The Directors have considered this assumption as part of their viability assessment and believe it to be reasonable based on the Group’s financial position.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 38

Viability risk

| Risk as applied to viability assessment | Specifics of scenario modelled | Potential impact
| :---2558928633
3. Use proper # H1, ## H2, ### H3 tags for headers based on the document structure.
4. Fix broken line breaks inside paragraphs.
5. Return ONLY the markdown.

++++++

Input:

Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 37 Viability statement In line with Provision 31 of the 2018 UK Corporate Governance Code, this Viability Statement outlines the Directors’ assessment of the Group’s ability to continue in operation and meet its liabilities as they fall due over the designated assessment period (factoring in the Group’s continuing operations), drawing attention to any qualifications or assumptions, as necessary. This evaluation considers our current financial position, outlook and principal risks and uncertainties, as well as the critical judgements and estimates underpinning the Financial Statements. The Directors’ assessment is grounded in the Group’s business model and strategic plan, which are reviewed and approved annually by the Board with a focus on a sustainable growth strategy derived from two distinct businesses, increasing shareholder value, andenhancing our service offering. For further details, please see theStrategic Report on pages 8 and 9. The Group’s strategic priorities, detailed on pages 12 and 13 of the Strategic Report, provide a foundation for this outlook. Additionally, theeffective management of principal risks and uncertainties, as outlined on pages 29 to 37, underscores those factors that could theoretically pose a threat to the Group’s operational or financial resilience, particularly those carrying the viability risk (VR) designation. The assessment period The Directors have assessed the viability of the Group over a three year period ending in September 2028. This timeframe aligns with the Group’s strategic planning horizon and reflects a practical planning period, considering the pace of industry change and evolving customer demands. Assessment of viability The viability of the Group has been assessed based on its current financial position, available banking facilities, and the Board-approved FY26 budget and three year strategic plan (factoring in the Group’s continuing operations). The Group’s base case budget for FY26 incorporates recent growth trends across geographical regions and operating segments, as well as relevant growth opportunities driven byexisting offerings. Management has also performed base case modelling inclusive of the potential disposal of its Escode business (incorporating any associated impact on the Group’s banking facilities and expected netcash position). This assessment also accounts for current macro-economic conditions where applicable. Additionally, the Group remains in the early stages of reviewing anumber of strategic options for its Cyber business, however no decision has been made on which option will be pursued as of 11 December 2025. No material issues impacting the Group’s viability assessment as of 11December 2025. In April 2025, the Group refinanced its borrowing arrangements by entering into a new four year £120m multi-currency revolving credit facility, replacing the previous facility due to expire in December 2026. The new facility, which expires in April 2029, provides additional liquidity headroom and has been factored into the Group’s viabilityassessment. Additionally, the Directors have modelled the impact of severe, yet plausible, scenarios associated with the Group’s principal viability risks, which could have the most significant potential impact on viability over the three year period, as outlined in the table below. These sensitivities have been assessed against the Group’s projected cash flow position, available banking facilities, and compliance with financial covenants throughout the viability period. Under these scenarios, the Group hasassessed and concluded that sufficient headroom exists to support its operations and meet its liabilities as they fall due. Further details onthe Group’s financing arrangements can be found in Note 1 oftheFinancial Statements. The applied sensitivities demonstrate sufficient levels of headroom, indicating that no mitigating actions are necessary under the severe butplausible scenarios modelled by management. Nevertheless, should additional headroom be needed, available measures within theDirectors’ control include reducing planned capital expenditure, adjusting headcount, freezing pay and recruitment, and suspending dividend payments to shareholders. As outlined on page 32, the Board has undertaken a robust assessment of the Company’s principal risks, resulting in an overall reduction in the number of identified risks. This reassessment included a review of the Group’s principal risks that are also considered viability risks, and any changes identified during the year are clearly highlighted on pages 32 to37. Conclusions Based on the severe but plausible scenarios modelled (inclusive of the planned disposal of Escode), the Directors have a reasonable expectation that the Company will be able to continue in operation and meet its liabilities as they fall due over the three year period of assessment. TheDirectors have considered this assumption as part of their viability assessment and believe it to be reasonable based on the Group’s financial position. NCC Group plc — Annual report and accounts for the year ended 30 September 202538 Viability risk Risk as applied to viabilityassessment Specifics of scenario modelled Potential impact Inability to execute theGroup’s strategy including the diversification of market sector, region, product/service orclient The ineffective execution of a strategy could have a materialnegative impact on the Group’s financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group’s established position inthemarketplace. In order to consider the impactof the risks identified, management has modelled thefollowing scenario: A reduction in future trading performance within Cyber Security, specifically in the Group’s Technical Assurance Services (TAS). This scenario models anannualised reduction of £10.6m in revenue and £3.8m in profitability over the three year viability period. The impact of this sensitivity has been assessed against the Group’s projected cashflow, available banking facilities, andcompliance with financial covenants overthe three year viability period. The scenario applied indicates sufficient headroom throughout this period, confirming that no mitigating actions are necessary. Insufficient strategic workforce planning, including technological development and training of colleagues Inability to deliver to clients could result in revenue loss and reputational damage, hindering the Group’s ability to execute its strategy. Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. Inability to attract and retain sufficient high calibre colleagues could become a barrier to the continued success and growth of NCC Group. Insufficient quality, integrity and availability of management information Suboptimal business decision making, and performance askey financial performance data is not available or trusted. These suboptimal decisions could prevent the Group from achieving its strategic goals. Commercial models (contractual and pricing) do not reflect the flexibility required by clients or drive the optimal commercial outcome for NCCGroup Inability to transact, operate and deliver profitable servicesresulting in loss of revenue and negative impact onshareprice. In order to consider the impactof the risks identified, management has modelled thefollowing scenario: A loss in key customers resulting in an annualised reduction of £8.9m in revenue and £2.6m in profitability over the three year viability period. The impact of this sensitivity has been assessed against the Group’s projected cashflow, available banking facilities, andcompliance with financial covenants overthe three year viability period. The scenario applied indicates sufficient headroom throughout this period, confirming that no mitigating actions are necessary. Cyber attack Data breach leading to fines from regulators and reputationaldamage. Lack of availability in systems. Inability to operate services resulting in loss of customer trust, resulting in loss of revenue and negative impact onshare price. Impact on national security due to our work with governmentclients. Each of the above could result in a loss of customers andrevenue. Significant business systems failure Inability to transact, operate and deliver services resulting inloss of customer trust, resulting in loss of revenue and negative impact on share price. Inability to effectively compete in the market Client non-renewal, SLA breaches, or mid-service cancellations could result in revenue loss. Delivery negligence could lead to legal action, reputational damage, and loss of customers and revenue. Failure to maintain internationally recognised quality and security standards could result in client loss, revenue decline, and operational restrictions. Criminal and civil corporate legal action resulting in fines andincarceration Reputational damage from legal action being taken and financial impact of the fines and the impact it may have on key customer accounts. Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 39 Financial review • Globalised technical resource footprint – from a global delivery perspective the Group continues to invest in its Manila office and delivery resourcing is planned and tracked on a single system. Efficiency for growth • Simplify operating model to generate efficiencies – finance and IT processes globalised and centralised around hubs in Manchester and Manila. We continue to monitor our transformation journey as we ensure the operating model is market aligned, and delivery is focused to support the underlying Cyber Security business strategy.# Overview of financial performance

Throughout this Financial Review, references are made to a number of reporting periods. Any references to the year ended 30 September 2025 or the 16 month period ended 30 September 2024 relate to audited figures (unless stated otherwise). References to the year ended 30 September 2024, the six months (“H1”) to 31 March 2025 (and comparative six months to 31 March 2024), and the six months (“H2”) to 30 September 2025 (and comparative six months to 30 September 2024) relate to unaudited figures.

Highlights – financial framework

As we assess our performance against the FY25 financial framework published in December 2024, it is encouraging to see that we have continued to deliver throughout the year against most of the framework. The key points to note are as follows:

Sustainable revenue growth

Delivering underlying growth in Cyber Security (excluding non-core disposals) – 2025 Cyber Security revenue declined compared to the year ended 30 September 2024 on both constant currency¹ (-4.0%) and at actual rates (-4.9%). However, H2 2025 demonstrated positive momentum versus H1 2025, delivering growth of +3.0%.
Increase Managed Services revenue as a proportion of total Cyber Security (excluding Crypto and DetACT) – 2025 MS revenue proportion increased by +2.2%pts at constant currency (actual rates: +2.5%pts), compared to the year ended 30 September 2024.
Maintaining momentum in Escode – achieved 12 consecutive quarters of revenue growth (on a constant currency basis) and increased year on year by +2.2% on a constant currency basis (+0.8% actual rates).

Improved gross margin

Improved utilisation – the Group’s average utilisation rate for the year across TAS and C&I (all locations) amounts to 70.4%, with the Manila team average increasing as more activity is onboarded into its delivery model.
Smart pricing and margin investment decision making – Kantata resource reporting tool now implemented globally and regular reporting of profitability by engagement and client has been implemented with further benefits to be realised.

Guy Ellis
Chief Financial Officer

Delivering on our financial framework

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 40

This approach continues to support comparability of the Group’s new year end performance (following the year end change in FY24) and, importantly, provides visibility on the current trajectory.

Year ended 30 September 2025 compared to the 16 month period ended 30 September 2024

The following table summarises the Group’s performance for the year ended 30 September 2025, following the results for the 16 month period ended 30 September 2024, which reflected the Group’s change in financial year end to 30 September in the prior period. The results for the year (and the prior period) present the Group’s Escode business as discontinued operations. Therefore, the table below shows the Group’s continuing operations results, with Escode added back to ensure full comparability of the Group’s performance. During the year ended 30 September 2025, the Group explored a number of options for its Escode business, including a potential sale, eventually initiating an active programme to locate a potential buyer. As at 30 September 2025, the sale was considered highly probable, so the related assets and liabilities were reclassified as held for sale. Since Escode is a separate major line of business and classified as held for sale, it is presented also presented as a discontinued operation.

	Cyber Security £m	Central and head office £m	Continuing operations³ : Sub-total £m	Discontinued operations³ : Escode £m	Group £m	Cyber Security £m	Central and head office £m	Continuing operations³ : Sub-total £m	Discontinued operations³ : Escode £m	Group £m
Year ended 30 September 2025						16 month period ended 30 September 2024
Revenue	238.9	—	238.9	66.5	305.4	342.1	—	342.1	87.4	429.5
Cost of sales	(150.5)	—	(150.5)	(19.0)	(169.5)	(224.1)	—	(224.1)	(26.7)	(250.8)
Gross profit	88.4	—	88.4	47.5	135.9	118.0	—	118.0	60.7	178.7
Gross margin %	37.0%	—	37.0%	71.4%	44.5%	34.5%	—	34.5%	69.5%	41.6%
Administrative expenses³	(68.4)	(4.4)	(72.8)	(16.4)	(89.2)	(97.3)	(3.4)	(100.7)	(24.1)	(124.8)
Share-based payments	(0.2)	(2.6)	(2.8)	(0.2)	(3.0)	(0.1)	(2.0)	(2.1)	(0.2)	(2.3)
Adjusted EBITDA¹’²	19.8	(7.0)	12.8	30.9	43.7	20.6	(5.4)	15.2	36.4	51.6
Depreciation and amortisation	(7.8)	(3.1)	(10.9)	(1.0)	(11.9)	(10.9)	(5.3)	(16.2)	(0.6)	(16.8)
Amortisation of acquired intangibles	(1.0)	(2.1)	(3.1)	—	(3.1)	(1.4)	(4.0)	(5.4)	(7.1)	(12.5)
Adjusted operating profit/(loss)¹’²	11.0	(12.2)	(1.2)	24.9	23.7	8.3	(14.7)	(6.4)	28.7	22.3
Individually Significant Items	(3.9)	5.8	1.9	—	1.9	(41.4)	—	(41.4)	(0.1)	(41.5)
Operating profit/(loss)	7.1	(6.4)	0.7	24.9	25.6	(33.1)	(14.7)	(47.8)	28.6	(19.2)
Operating margin %	3.0%	N/A	0.3%	37.4%	8.4%	(9.7%)	N/A	(14.0%)	32.7%	(4.5%)
Finance costs					(5.0)				(8.3)
Profit/(loss) before taxation					20.6				(27.5)
Taxation					(3.5)				(5.0)
Profit/(loss) after taxation					17.1				(32.5)
EPS
Basic EPS					5.6p				(10.4p)
Adjusted basic EPS¹’²					4.7p				3.4p

¹ Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
² The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic review of Escode and strategic review of the Cyber business costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which include an explanation of APMs and adjusting items, along with a reconciliation to statutory information.
³ Management have allocated £6.8m of these costs to Escode which have been included within the administrative expenses above. To reconcile to Escode’s statutory operating profit, these costs are reallocated to central and head office administrative expenses in accordance with the requirements of IFRS 5 on discontinued operations. This is due to the fact that if an operation is disposed of, the relevant central overheads may not decrease in the short term.

On the basis we are comparing a 12 month period to a 16 month period, revenue decreased by 28.0% on a constant currency basis (actual rates: 28.9%), with total Cyber Security revenue decreasing 29.3% on a constant currency basis (actual rates: 30.2%) and Escode decreasing by 22.8% on a constant currency basis (actual rates: 23.9%). Encouragingly, when you directly compare our overall gross margins, we have improved since the 16 month period ended 30 September 2024 with gross margin percentage increasing to 44.5% (2024: 41.6%). This +2.9% pts in gross margin is driven by improved utilisation and operational efficiencies within Cyber Security, together with a continued shift in the service mix, as Managed Services accounts for a growing proportion of overall revenue at a higher margin. This has also been boosted by an improvement in Escode gross profit margin, increasing to 71.4% from 69.5% due to the continued benefits arising from previous investments within Escode. Administrative expenses (excluding share-based payments, depreciation and amortisation, and amortisation of acquired intangibles) have decreased from £124.8m in the 16 month period ended 30 September 2024 to £89.2m. This is predominantly driven by lower payroll related costs on the basis we are comparing a 12 month period to a 16 month period.

Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 41

Overview of financial performance continued

Year ended 30 September 2025 compared to the 16 month period ended 30 September 2024 continued

A profit before taxation of £20.6m (inclusive of Escode) for the year was recognised after incurring £1.9m (credit) of Individually Significant Items (including the profit on disposal of Fox Crypto, fundamental re-organisation costs and the strategic review of both the Escode and Cyber businesses).This profit before taxation was driven in part by the £11.4m gain on disposal of Fox Crypto, following completion during the year. This gave rise to a basic EPS of 5.6p and diluted EPS of 5.5p (2024: basic and diluted (10.4p)). Adjusted basic EPS 1 amounted to 4.7p and 4.6p (2024: basic and diluted 3.4p). Net cash excluding lease liabilities 1 amounts to £13.1m (2024: net debt excluding lease liabilities 1 of £45.3m), reflecting the repayment of the Group’s borrowings following the successful completion of the Fox Crypto disposal. The Group’s Balance Sheet remains strong following the successful refinancing completed in April 2025. At that time, the Group entered into a new four year, £120m multi-currency revolving credit facility (RCF) with a syndicate of four banks and including an uncommitted £50m accordion option. This new unsecured facility replaces the previous £162.5m RCF due to expire in December 2026.

Financial review continued

Year ended 30 September 2025 compared to pro forma 12 months to 30 September 2024

The following table summarises the results for the year ended 30 September 2025 compared to the unaudited 12 month pro forma period ended 30 September 2024.

	Year ended 30 September 2025	12 month pro forma period ended 30 September 2024
	Cyber Security £m	Central and head office £m
Sub- total £m	Crypto and DetACT £m	Sub- total £m
Discontinued operations 3 : Escode £m	Group £m	Cyber Security £m
Central and head office £m	Sub- total £m	Crypto and DetACT £m
Sub- total £m	Discontinued operations: Escode £m	Group £m
Revenue	227.4	—
227.4	11.5	238.9
66.5	305.4	239.2
—	239.2	24.0
263.2	66.0	329.2
Cost of sales	(144.1)	—
(144.1)	(6.4)	(150.5)
(19.0)	(169.5)	(150.7)
—	(150.7)	(15.0)
(165.7)	(20.6)	(186.3)
Gross profit	83.3	—
83.3	5.1	88.4
47.5	135.9	88.5
—	88.5	9.0
97.5	45.4	142.9
Gross margin %	36.6%	—
36.6%	44.3%	37.0%
71.4%	44.5%	37.0%
—	37.0%	37.5%
37.0%	68.8%	43.4%
Administrative expenses	(66.4)	(4.4)
(70.8)	(2.0)	(72.8)
(16.4)	(89.2)	(69.9)
(3.2)	(73.1)	(1.4)
(74.5)	(16.9)	(91.4)
Share-based payments	(0.2)	(2.6)
(2.8)	—	(2.8)
(0.2)	(3.0)	(0.1)
(1.6)	(1.7)	(0.1)
(1.8)
Adjusted EBITDA¹’²	16.7	(7.0)
9.7	3.1	12.8
30.9	43.7	18.5
(4.8)	13.7	7.6
21.3	28.4	49.7
Depreciation and amortisation	(7.6)	(3.1)
(10.7)	(0.2)	(10.9)
(1.0)	(11.9)	(8.5)
(3.7)	(12.2)	(0.1)
(12.3)	(0.5)	(12.8)
Amortisation of acquired intangibles	(0.9)	(2.1)
(3.0)	(0.1)	(3.1)
(5.0)	(8.1)	(1.1)
(3.0)	(4.1)	—
(4.1)	(5.3)	(9.4)
Adjusted operating profit/(loss)¹’²	8.2	(12.2)
(4.0)	2.8	(1.2)
24.9	23.7	8.9
(11.5)	(2.6)	7.5
4.9	22.6	27.5
Individually Significant Items	(3.9)	5.8
1.9	—	1.9
—	1.9	(38.9)
—	(38.9)	—
(38.9)	(0.1)	(39.0)
Operating profit/(loss)	4.3	(6.4)
(2.1)	2.8	0.7
24.9	25.6	(30.0)
(11.5)	(41.5)	7.5
(34.0)	22.5	(11.5)
Operating margin %	1.9%	N/A
(0.9%)	24.3%	0.3%
37.4%	8.4%	(12.5%)
N/A	(17.3%)	31.3%
(12.9%)	34.1%	(3.5%)
Finance costs		
		
		(5.0)
		
		(6.3)
Profit/(loss) before taxation		
		
		20.6
		
		(17.8)
Taxation		
		
		(3.5)
		
		(7.3)
Profit/(loss) after taxation		
		
		17.1
		
		(25.1)
EPS		
		
Basic EPS	5.6p	(8.1p)
Adjusted basic EPS¹’²	4.7p	
5.2p

NCC Group plc — Annual report and accounts for the year ended 30 September 202542

¹ Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
² The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic review of Escode and strategic review of Cyber costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which include an explanation of APMs and adjusting items, along with a reconciliation to statutory information.
³ Management have allocated £6.8m of these costs to Escode which have been included within the administrative expenses above. To reconcile to Escode’s statutory operating profit, these costs are reallocated to central and head office administrative expenses in accordance with the requirements of IFRS 5 on discontinued operations. This is due to the fact that if an operation is disposed of, the relevant central overheads may not decrease in the short term.

Total revenue has decreased by 6.2% on a constant currency basis (actual rates: (7.2%)), with Cyber Security revenue (excluding non-core disposals) decreasing by 4.0% on a constant currency basis (actual rates: (4.9%)) and Escode growing by 2.2% on a constant currency basis (actual rates: 0.8%). The Escode revenue increase has predominantly been driven by favourable price increases and volume during the year within verification services.

Turning to Cyber Security revenue trajectory during the year, the UK and APAC declined by 0.6% at constant currency (actual rates: (0.8%)), and North America declined by 12.9% (actual rates: (15.4%)). These reductions have been driven primarily by declines in their respective TAS markets, as demand has recovered more slowly than expected year on year. Encouragingly, the UK and APAC improved by 5.5% at actual rates when comparing H2 2025 with H1 2025, driven primarily by improvements within the UK’s C&I business.

Year on year we have experienced continued growth in our Managed Services performance by 2.8% at constant currency (actual rates: 2.6%) which has mainly been driven by our European MS business, with this growth continuing when comparing H2 2025 with H1 2025. Additionally, we have seen year-on-year growth in our C&I business of 16.6% at constant currency (actual rates: 14.9%) which has been driven by increased demand within our UK markets. Similarly to our MS business from a trajectory perspective we have seen continued growth within our UK C&I business when comparing H2 2025 to H1 2025.

Year-on-year gross profit has decreased by 4.9% to £135.9m; however, gross profit margin has favourably increased to 44.5% (reflecting an increase of 1.1% pts) mainly driven by an improvement in Escode of 2.6% pts (noting Cyber Security excluding non-core disposals has remained broadly flat at c.37%). Encouragingly, comparing H2 2025 with H1 2025 Cyber Security gross margin has increased by 2.0% pts to 38.0% reflecting the increased shift in mix towards the higher margin Managed Services business.

Administrative expenses (excluding share-based payments, depreciation and amortisation, and amortisation of acquired intangibles) have decreased by 2.4% from £91.4m to £89.2m, after taking into account inflationary wage increases. This movement was primarily driven by lower payroll costs (following the globalisation of certain back office functions to Manila) and savings in rent and rates during the year, offset by unfavourable exchange rate movements.

Alternative Performance Measures (APMs)

Throughout this Financial Review, certain APMs are presented. The APMs used by the Group are not defined terms under IFRS and therefore may not be comparable with similarly titled measures reported by other companies. They are not intended to be a substitute for, or superior to, IFRS measures. This presentation is also consistent with the way that financial performance is measured by management and reported to the Board, and the basis of financial measures for senior management’s compensation scheme, and provides supplementary information that assists the user in understanding the financial performance, position and trends of the Group. We believe these APMs provide readers with important additional information on our business, and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader, we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs) that impact financial performance and cash flows.

As previously reported, the Group only discloses one adjusted item: “Individually Significant Items” (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic review of Escode costs and strategic review of the Cyber business costs). As the £11.4m profit on disposal of Crypto represents a material gain, it has been disclosed separately on the face of the statutory income statement within the Group’s consolidated Income Statement.

The Group has the following APMs/non-statutory measures:
* Adjusted EBITDA (reconciled below)
* Adjusted operating profit (reconciled below)
* Adjusted profit for the year (reconciled below)
* Adjusted basic EPS (pence) (reconciled below)
* Net cash/(debt) excluding lease liabilities (reconciled below)
* Net cash/(debt) (reconciled below)
* Cash conversion which includes Adjusted EBITDA (reconciled below)
* Constant currency revenue (reconciled below)

The above APMs are consistent with those reported for the 16 month period ended 30 September 2024. The Group reports certain geographic regions and service capabilities on a constant currency basis to reflect the underlying performance considering constant foreign exchange rates period on period. This involves translating comparative numbers to current period rates for comparability to enable a growth factor to be calculated. As these measures are not statutory revenue numbers, management considers these to be APMs; see unaudited Appendix 1 for further details.# Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 43

Alternative Performance Measures (APMs) continued

Adjusted EBITDA and Adjusted operating profit

1 Adjusted EBITDA 1 and Adjusted operating profit 1,2 are reconciled to statutory measures below:

	Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m
Operating profit/(loss) from continuing operations 3	0.7	(47.8)
Operating profit from discontinuing operations 3	24.9	28.6
Operating profit/(loss)	25.6	(19.2)
Depreciation and amortisation	11.9	16.8
Amortisation of acquired intangibles	8.1	12.5
Individually Significant Items	(1.9)	41.5
Adjusted EBITDA 1,2	43.7	51.6
Depreciation, amortisation and amortisation charge on acquired intangibles	(20.0)	(29.3)
Adjusted operating profit 1,2	23.7	22.3

	Year ended 30 September 2025 £m	12 month period ended 30 September 2024 £m	% change
Cyber Security (excluding Crypto and DetACT)	16.7	18.5	(9.7%)
Central and head office	(7.0)	(4.8)	(45.8%)
Escode (discontinued operations)	30.9	28.4	8.8%
Total Adjusted EBITDA 1,2 (excluding Crypto and DetACT)	40.6	42.1	(3.6%)
Crypto and DetACT	3.1	7.6	(59.2%)
Total Adjusted EBITDA 1,2	43.7	49.7	(12.1%)

1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

2 The Group reports only one adjusted item: Individually Significant Items (includes the £11.4m profit on disposal of Fox Crypto and £9.5m of re-organisation, strategic review of Escode costs and strategic review of the Cyber business costs). For further details, please refer to unaudited Appendix 1 and the Financial Review, which includes an explanation of APMs and adjusting items, along with a reconciliation to statutory information.

3 During the year, Escode incurred £6.8m (2024: £9.6m) of allocated head office overheads, which have been included within Escode’s administrative expenses. To reconcile to Escode’s statutory operating profit, these costs are reallocated to central and head office administrative expenses in accordance with the requirements of IFRS 5 on discontinued operations.

Revenue summary

Comparing the year ended 30 September 2025 with the prior 16 month period ended 30 September 2024, overall revenue is analysed as follows:

	Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1 16 month period ended 30 September 2024 £m	% change at constant currency 1
Cyber Security revenue	238.9	342.1	(30.2%)	238.9	338.0	(29.3%)
Escode (discontinued operations)	66.5	87.4	(23.9%)	66.5	86.1	(22.8%)
Total revenue	305.4	429.5	(28.9%)	305.4	424.1	(28.0%)

Comparing year on year, overall revenue is analysed as follows:

	Year ended 30 September 2025 £m	Year ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1 12 month period ended 30 September 2024 £m	% change at constant currency 1
Cyber Security revenue (excluding Crypto and DetACT)	227.4	239.2	(4.9%)	227.4	236.8	(4.0%)
Crypto and DetACT	11.5	24.0	(52.1%)	11.5	23.7	(51.5%)
Total Cyber Security revenue	238.9	263.2	(9.2%)	238.9	260.5	(8.3%)
Escode (discontinued operations)	66.5	66.0	0.8%	66.5	65.1	2.2%
Total revenue	305.4	329.2	(7.2%)	305.4	325.6	(6.2%)

Financial review continued NCC Group plc — Annual report and accounts for the year ended 30 September 2025 44

	Year ended 30 September 2025 £m	Year ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1 12 month period ended 30 September 2024 £m	% change at constant currency 1
Cyber Security revenue (excluding Crypto and DetACT)	227.4	239.2	(4.9%)	227.4	236.8	(4.0%)
Escode (discontinued operations)	66.5	66.0	0.8%	66.5	65.1	2.2%
Total revenue (excluding Crypto and DetACT)	293.9	305.2	(3.7%)	293.9	301.9	(2.6%)
Crypto and DetACT	11.5	24.0	(52.1%)	11.5	23.7	(51.5%)
Total revenue	305.4	329.2	(7.2%)	305.4	325.6	(6.2%)

Comparing the two halves of the year against their respective prior period comparatives is as follows:

	6 month period ended 31 March 2025 £m	6 month period ended 31 March 2024 £m	% change at actual rates	6 month period ended 31 March 2025 £m	Constant currency 1 6 month period ended 31 March 2024 £m	% change at constant currency 1
Cyber Security revenue (excluding Crypto and DetACT)	112.0	120.8	(7.3%)	112.0	119.5	(6.3%)
Crypto and DetACT	11.5	13.1	(12.2%)	11.5	12.7	(9.4%)
Total Cyber Security revenue	123.5	133.9	(7.8%)	123.5	132.2	(6.6%)
Escode (discontinued operations)	33.3	32.9	1.2%	33.3	32.7	1.8%
Total revenue	156.8	166.8	(6.0%)	156.8	164.9	(4.9%)

	6 month period ended 30 September 2025 £m	6 month period ended 30 September 2024 £m	% change at actual rates	6 month period ended 30 September 2025 £m	Constant currency 1 6 month period ended 30 September 2024 £m	% change at constant currency 1
Cyber Security revenue (excluding Crypto and DetACT)	115.4	118.4	(2.5%)	115.4	117.3	(1.6%)
Crypto and DetACT	—	10.9	(100.0%)	—	11.0	(100.0%)
Total Cyber Security revenue	115.4	129.3	(10.8%)	115.4	128.3	(10.1%)
Escode (discontinued operations)	33.2	33.1	0.3%	33.2	32.4	2.5%
Total revenue	148.6	162.4	(8.5%)	148.6	160.7	(7.5%)

From an overall revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:

	6 month period ended 30 September 2025 £m	6 month period ended 31 March 2025 £m	% change at actual rates
Cyber Security revenue (excluding Crypto and DetACT)	115.4	112.0	3.0%
Crypto and DetACT	—	11.5	(100.0%)
Total Cyber Security revenue	115.4	123.5	(6.6%)
Escode (discontinued operations)	33.2	33.3	(0.3%)
Total revenue	148.6	156.8	(5.2%)

1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 45

Gross profit summary

	Year ended 30 September 2025 £m	Year ended 30 September 2025 % margin	12 month period ended 30 September 2024 £m	12 month period ended 30 September 2024 % margin	% pts change
Cyber Security gross profit (excluding Crypto and DetACT)	83.3	36.6%	88.5	37.0%	(0.4%)
Escode (discontinued operations)	47.5	71.4%	45.4	68.8%	2.6%
Total gross profit (excluding Crypto and DetACT)	130.8	44.5%	133.9	43.9%	0.6%
Crypto and DetACT	5.1	44.3%	9.0	37.5%	6.8%
Total gross profit and % margin	135.9	44.5%	142.9	43.4%	1.1%

Divisional performance

The following sections summarise the Group’s divisional performance for the year ended 30 September 2025, following the 16 month period ended 30 September 2024. It also compares the results for the year ended 30 September 2025 with the unaudited 12 months to 30 September 2024, including an analysis of each year’s composition by reviewing the first and second halves and their respective comparative periods (unaudited).

Cyber Security

The Cyber Security division accounts for 78.2% of Group revenue (16 month period ended 30 September 2024: 79.7%) and 65.0% of Group gross profit (16 month period ended 30 September 2024: 66.0%).

Cyber Security revenue analysis – by originating region:

	Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1 16 month period ended 30 September 2024 £m	% change at constant currency 1
UK and APAC	134.4	173.3	(22.4%)	134.4	172.8	(22.2%)
North America	56.7	90.7	(37.5%)	56.7	88.0	(35.6%)
Europe	47.8	78.1	(38.8%)	47.8	77.2	(38.1%)
Total Cyber Security revenue	238.9	342.1	(30.2%)	238.9	338.0	(29.3%)

Cyber Security revenue, analysed year on year by originating region, is as follows:

	Year ended 30 September 2025 £m	12 month period ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1 12 month period ended 30 September 2024 £m	% change at constant currency 1
UK and APAC	134.4	135.5	(0.8%)	134.4	135.2	(0.6%)
North America	56.7	67.0	(15.4%)	56.7	65.1	(12.9%)
Europe (excluding Crypto and DetACT)	36.3	36.7	(1.1%)	36.3	36.5	(0.5%)
Cyber Security revenue (excluding Crypto and DetACT)	227.4	239.2	(4.9%)	227.4	236.8	(4.0%)
Crypto and DetACT	11.5	24.0	(52.1%)	11.5	23.7	(51.5%)
Total Cyber Security revenue	238.9	263.2	(9.2%)	238.9	260.5	(8.3%)

Comparing the two halves of the year against their respective prior period comparatives, Cyber Security revenue by originating region is analysed as follows:

	6 month period ended 31 March 2025 £m	6 month period ended 31 March 2024 £m	% change at actual rates	6 month period ended 31 March 2025 £m	Constant currency 1 6 month period ended 31 March 2024 £m	% change at constant currency 1
UK and APAC	65.4	69.1	(5.4%)	65.4	69.0	(5.2%)
North America	28.6	33.4	(14.4%)	28.6	32.9	(13.1%)
Europe (excluding Crypto and DetACT)	18.0	18.3	(1.6%)	18.0	17.6	2.3%
Cyber Security revenue (excluding Crypto and DetACT)	112.0	120.8	(7.3%)	112.0	119.5	(6.3%)

NCC Group plc — Annual report and accounts for the year ended 30 September 202546

6 month period ended 30 September 2025 £m	6 month period ended 30 September 2024 £m	% change at actual rates	6 month period ended 30 September 2025 £m	Constant currency 1	6 month period ended 30 September 2024 £m	% change at constant currency 1
UK and APAC	69.0	66.4	3.9%	69.0	66.2	4.2%
North America	28.1	33.6	(16.4%)	28.1	32.2	(12.7%)
Europe (excluding Crypto and DetACT)	18.3	18.4	(0.5%)	18.3	18.9	(3.2%)
Cyber Security revenue (excluding Crypto and DetACT)	115.4	118.4	(2.5%)	115.4	117.3	(1.6%)
Crypto and DetACT	—	10.9	(100.0%)	—	11.0	(100.0%)
Total Cyber Security revenue	115.4	129.3	(10.8%)	115.4	128.3	(10.1%)

From a Cyber Security revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:

6 month period ended 30 September 2025 £m	6 month period ended 31 March 2025 £m	% change at actual rates	6 month period ended 30 September 2025 £m	Constant currency 1	6 month period ended 31 March 2025 £m	% change at constant currency 1
UK and APAC	69.0	65.4	5.5%	69.0	65.2	5.8%
North America	28.1	28.6	(1.7%)	28.1	28.2	(0.4%)
Europe (excluding Crypto and DetACT)	18.3	18.0	1.7%	18.3	18.0	1.7%
Cyber Security revenue (excluding Crypto and DetACT)	115.4	112.0	3.0%	115.4	111.4	3.6%
Crypto and DetACT	—	11.5	(100.0%)	—	11.5	(100.0%)
Total Cyber Security revenue	115.4	123.5	(6.6%)	115.4	122.9	(6.1%)

Cyber Security revenue analysis – by type of service and capability:

Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1	16 month period ended 30 September 2024 £m	% change at constant currency 1
Technical Assurance Services (TAS)	88.4	141.4	(37.5%)	88.4	138.9	(36.4%)
Consulting and Implementation (C&I)	48.5	55.2	(12.1%)	48.5	54.6	(11.2%)
Managed Services (MS)	76.4	91.8	(16.8%)	76.4	91.2	(16.2%)
Digital Forensics and Incident Response (DFIR)	13.1	20.6	(36.4%)	13.1	20.4	(35.8%)
Other services	12.5	33.1	(62.2%)	12.5	32.6	(61.7%)
Total Cyber Security revenue	238.9	342.1	(30.2%)	238.9	333.7	(28.4%)

Cyber Security revenue, analysed year on year by service and capability, is as follows:

Year ended 30 September 2025 £m	12 month period ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1	12 month period ended 30 September 2024 £m	% change at constant currency 1
Technical Assurance Services (TAS)	88.4	105.6	(16.3%)	88.4	104.0	(15.0%)
Consulting and Implementation (C&I)	48.5	42.2	14.9%	48.5	41.6	16.6%
Managed Services (MS)	76.4	74.5	2.6%	76.4	74.3	2.8%
Digital Forensics and Incident Response (DFIR)	13.1	15.1	(13.2%)	13.1	15.0	(12.7%)
Other services	1.0	1.8	(44.4%)	1.0	1.9	(47.4%)
Cyber Security revenue (excluding Crypto and DetACT)	227.4	239.2	(4.9%)	227.4	236.8	(4.0%)
Crypto and DetACT	11.5	24.0	(52.1%)	11.5	23.7	(51.5%)
Total Cyber Security revenue	238.9	263.2	(9.2%)	238.9	260.5	(8.3%)

Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 47

Divisional performance continued

Cyber Security continued

Comparing the two halves of the year against their respective prior period comparatives, Cyber Security revenue by service and capability is analysed as follows:

6 month period ended 31 March 2025 £m	6 month period ended 31 March 2024 £m	% change at actual rates	6 month period ended 31 March 2025 £m	Constant currency 1	6 month period ended 31 March 2024 £m	% change at constant currency 1
Technical Assurance Services (TAS)	45.6	52.9	(13.8%)	45.6	52.2	(12.6%)
Consulting and Implementation (C&I)	21.9	22.7	(3.5%)	21.9	22.5	(2.7%)
Managed Services (MS)	37.7	36.9	2.2%	37.7	36.6	3.0%
Digital Forensics and Incident Response (DFIR)	6.3	7.7	(18.2%)	6.3	7.6	(17.1%)
Other services	0.5	0.5	—	0.5	0.6	(16.7%)
Cyber Security revenue (excluding Crypto and DetACT)	112.0	120.7	(7.2%)	112.0	119.5	(6.3%)
Crypto and DetACT	11.5	13.2	(12.9%)	11.5	12.7	(9.4%)
Total Cyber Security revenue	123.5	133.9	(7.8%)	123.5	132.2	(6.6%)

6 month period ended 30 September 2025 £m	6 month period ended 30 September 2024 £m	% change at actual rates	6 month period ended 30 September 2025 £m	Constant currency 1	6 month period ended 30 September 2024 £m	% change at constant currency 1
Technical Assurance Services (TAS)	42.8	52.8	(18.9%)	42.8	51.8	(17.4%)
Consulting and Implementation (C&I)	26.6	19.5	36.4%	26.6	19.1	39.3%
Managed Services (MS)	38.7	37.5	3.2%	38.7	37.7	2.7%
Digital Forensics and Incident Response (DFIR)	6.8	7.4	(8.1%)	6.8	7.4	(8.1%)
Other services	0.5	1.4	(64.3%)	0.5	1.3	(61.5%)
Cyber Security revenue (excluding Crypto and DetACT)	115.4	118.6	(2.7%)	115.4	117.3	(1.6%)
Crypto and DetACT	—	10.7	(100.0%)	—	11.0	(100.0%)
Total Cyber Security revenue	115.4	129.3	(10.8%)	115.4	128.3	(10.1%)

From a Cyber Security revenue trajectory perspective by service and capability, the following tables compare H2 2025 performance with H1 2025:

6 month period ended 30 September 2025 £m	6 month period ended 31 March 2025 £m	% change at actual rates	6 month period ended 30 September 2025 £m	Constant currency 1	6 month period ended 31 March 2025 £m	% change at constant currency 1
Technical Assurance Services (TAS)	42.8	45.6	(6.1%)	42.8	45.1	(5.1%)
Consulting and Implementation (C&I)	26.6	21.9	21.5%	26.6	21.6	23.1%
Managed Services (MS)	38.7	37.7	2.7%	38.7	37.4	3.5%
Digital Forensics and Incident Response (DFIR)	6.8	6.3	7.9%	6.8	6.3	7.9%
Other services	0.5	0.5	—	0.5	0.5	—
Cyber Security revenue (excluding Crypto and DetACT)	115.4	112.0	3.0%	115.4	110.9	4.1%
Crypto and DetACT	—	11.5	(100.0%)	—	11.5	(100.0%)
Total Cyber Security revenue	115.4	123.5	(6.6%)	115.4	122.4	(5.8%)

¹ Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

Financial review continued NCC Group plc — Annual report and accounts for the year ended 30 September 202548

Divisional performance continued

Cyber Security gross profit is analysed as follows:

Year ended 30 September 2025 £m	Year ended 30 September 2025 % margin	16 month period ended 30 September 2024 £m	16 month period ended 30 September 2024 % margin	% pts change
UK and APAC	54.2	40.3%	72.5	41.8%
North America	16.1	28.4%	18.4	20.3%
Europe	18.1	37.9%	27.1	34.7%
Cyber Security gross profit and % margin	88.4	37.0%	118.0	34.5%

Cyber Security gross margins increased overall by +2.5 percentage points, driven by improvements in North American and European margins, which reflect ongoing benefits from headcount reduction cost savings/improved utilisation in these markets.

Year ended 30 September 2025 £m	Year ended 30 September 2025 % margin	12 month period ended 30 September 2024 £m	12 month period ended 30 September 2024 % margin	% pts change
UK and APAC	54.2	40.3%	61.3	45.2%
North America	16.1	28.4%	14.8	22.1%
Europe	13.0	35.8%	12.4	33.8%
Cyber Security gross profit (excluding Crypto and DetACT)	83.3	36.6%	88.5	37.0%
Crypto and DetACT	5.1	44.3%	9.0	37.5%
Cyber Security gross profit and % margin	88.4	37.0%	97.5	37.0%

6 month period ended 31 March 2025 £m	6 month period ended 31 March 2025 % margin	6 month period ended 31 March 2024 £m	6 month period ended 31 March 2024 % margin	% pts change
UK and APAC	26.6	40.7%	31.4	45.4%
North America	6.4	22.4%	7.4	22.2%
Europe	6.4	35.6%	6.4	35.0%
Cyber Security gross profit (excluding Crypto and DetACT)	39.4	35.2%	45.2	37.4%
Crypto and DetACT	5.1	44.3%	3.8	29.0%
Cyber Security gross profit and % margin	44.5	36.0%	49.0	36.6%

6 month period ended 30 September 2025 £m	6 month period ended 30 September 2025 % margin	6 month period ended 30 September 2024 £m	6 month period ended 30 September 2024 % margin	% pts change
UK and APAC	27.6	40.0%	29.9	45.0%
North America	9.7	34.5%	7.4	22.0%
Europe	6.6	36.1%	6.0	32.6%
Cyber Security gross profit (excluding Crypto and DetACT)	43.9	38.0%	43.3	36.6%
Crypto and DetACT	—	—	5.2	47.7%
Cyber Security gross profit and % margin	43.9	38.0%	48.5	37.5%

6 month period ended 30 September 2025 £m	6 month period ended 30 September 2025 % margin	6 month period ended 31 March 2025 £m	6 month period ended 31 March 2025 % margin	% pts change
UK and APAC	27.6	40.0%	26.6	40.7%
North America	9.7	34.5%	6.4	22.4%
Europe	6.6	36.1%	6.4	35.6%
Cyber Security (excluding Crypto and DetACT)	43.9	38.0%	39.4	35.2%
Crypto and DetACT	—	—	5.1	44.3%
Cyber Security gross profit and % margin	43.9	38.0%	44.5	36.0%

Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 49

Financial review continued

Divisional performance continued

Escode (discontinued operations)

During the year, the Escode division accounted for 21.8% of Group revenue (16 month period ended 30 September 2024: 20.3%) and 35.0% of Group gross profit (16 month period ended 30 September 2024: 34.0%).

Escode revenue analysis – by originating region:

Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1	16 month period ended 30 September 2024 £m	% change at constant currency 1
UK	29.4	36.5	(19.5%)	29.4	36.5	(19.5%)
North America	32.9	45.5	(27.7%)	32.9	44.3	(25.7%)
Europe	4.2	5.4	(22.2%)	4.2	5.3	(20.8%)
Total Escode revenue	66.5	87.4	(23.9%)	66.5	86.1	(22.8%)

Escode revenue, analysed year on year by originating region, is as follows:

Year ended 30 September 2025 £m	Year ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m	Constant currency 1	Year ended 30 September 2024 £m	% change at constant currency 1
UK	29.4	28.0	5.0%	29.4	28.0	5.0%
North America	32.9	33.9	(2.9%)	32.9	33.1	(0.6%)
Europe	4.2	4.1	2.4%	4.2	4.0	5.0%
Total Escode revenue	66.5	66.0	0.8%	66.5	65.1	2.2%

Escode revenue has increased by 2.2% at constant currency (0.8% at actual rates), which has predominantly been driven by favourable price increases and volume during the year within verification services Escode has seen consistent growth for the same reasons when comparing each half of the year, as reflected in theThe following analysis compares the two halves of the year against their respective prior period comparatives, showing Escode revenue by originating region:

	6 month period ended 31 March 2025 £m	6 month period ended 31 March 2024 £m	% change at actual rates	6 month period ended 31 March 2025 £m Constant currency 1	6 month period ended 31 March 2024 £m Constant currency 1	% change at constant currency 1
UK	14.9	14.0	6.4%	14.9	14.0	6.4%
North America	16.4	16.8	(2.4%)	16.4	16.7	(1.8%)
Europe	2.0	2.1	(4.8%)	2.0	2.0	—
Total Escode revenue	33.3	32.9	1.2%	33.3	32.7	1.8%

	6 month period ended 30 September 2025 £m	6 month period ended 30 September 2024 £m	% change at actual rates	6 month period ended 30 September 2025 £m Constant currency 1	6 month period ended 30 September 2024 £m Constant currency 1	% change at constant currency 1
UK	14.5	14.0	3.6%	14.5	13.9	4.3%
North America	16.5	17.1	(3.5%)	16.5	16.5	—
Europe	2.2	2.0	10.0%	2.2	2.0	10.0%
Total Escode revenue	33.2	33.1	0.3%	33.2	32.4	2.5%

NCC Group plc — Annual report and accounts for the year ended 30 September 202550

From an Escode revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:

	6 month period ended 30 September 2025 £m	6 month period ended 31 March 2025 £m	% change at actual rates	6 month period ended 30 September 2025 £m Constant currency 1	6 month period ended 31 March 2025 £m Constant currency 1	% change at constant currency 1
UK	14.5	14.9	(2.7%)	14.5	14.9	(2.7%)
North America	16.5	16.4	0.6%	16.5	15.5	6.5%
Europe	2.2	2.0	10.0%	2.2	2.1	4.8%
Total Escode revenue	33.2	33.3	(0.3%)	33.2	32.5	2.2%

Escode revenues analysed by service line:

	Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m Constant currency 1	16 month period ended 30 September 2024 £m Constant currency 1	% change at constant currency 1
Escrow contracts	43.0	57.2	(24.8%)	43.0	56.5	(23.9%)
Verification services	23.5	30.2	(22.2%)	23.5	29.6	(20.6%)
Total Escode revenue	66.5	87.4	(23.9%)	66.5	86.1	(22.8%)

Escode revenue, analysed year on year by service line, is as follows:

	Year ended 30 September 2025 £m	12 month period ended 30 September 2024 £m	% change at actual rates	Year ended 30 September 2025 £m Constant currency 1	12 month period ended 30 September 2024 £m Constant currency 1	% change at constant currency 1
Escrow contracts	43.0	43.0	—	43.0	42.5	1.2%
Verification services	23.5	23.0	2.2%	23.5	22.6	4.0%
Total Escode revenue	66.5	66.0	0.8%	66.5	65.1	2.2%

Comparing the two halves of the year against their respective prior period comparatives, Escode revenue by service line is analysed as follows:

	6 month period ended 31 March 2025 £m	6 month period ended 31 March 2024 £m	% change at actual rates	6 month period ended 31 March 2025 £m Constant currency 1	6 month period ended 31 March 2024 £m Constant currency 1	% change at constant currency 1
Escrow contracts	22.0	22.0	—	22.0	21.8	0.9%
Verification services	11.3	10.9	3.7%	11.3	10.9	3.7%
Total Escode revenue	33.3	32.9	1.2%	33.3	32.7	1.8%

	6 month period ended 30 September 2025 £m	6 month period ended 30 September 2024 £m	% change at actual rates	6 month period ended 30 September 2025 £m Constant currency 1	6 month period ended 30 September 2024 £m Constant currency 1	% change at constant currency 1
Escrow contracts	21.0	21.0	—	21.0	20.7	1.4%
Verification services	12.2	12.1	0.8%	12.2	11.7	4.3%
Total Escode revenue	33.2	33.1	0.3%	33.2	32.4	2.5%

From an Escode service line revenue trajectory perspective the following tables compare H2 2025 against H1 2025 performance:

Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 51

Divisional performance continued

Escode (discontinued operations) continued

	6 month period ended 30 September 2025 £m	6 month period ended 31 March 2025 £m	% change at actual rates	6 month period ended 30 September 2025 £m Constant currency 1	6 month period ended 31 March 2025 £m Constant currency 1	% change at constant currency 1
Escrow contracts	21.0	22.0	(4.5%)	21.0	21.4	(1.9%)
Verification services	12.2	11.3	8.0%	12.2	11.1	9.9%
Total Escode revenue	33.2	33.3	(0.3%)	33.2	32.5	2.2%

Escode gross margin, by originating region, is analysed as follows:

	Year ended 30 September 2025 £m	Year ended 30 September 2025 % margin	16 month period ended 30 September 2024 £m	16 month period ended 30 September 2024 % margin	% pts change
UK	20.6	70.1%	24.8	67.9 %	2.2%
North America	23.9	72.6%	32.6	71.6%	1.0%
Europe	3.0	71.4%	3.3	61.1%	10.3%
Escode gross profit and % margin	47.5	71.4%	60.7	69.5%	1.9%

Escode gross margin, analysed year on year by originating region, is as follows:

	Year ended 30 September 2025 £m	Year ended 30 September 2025 % margin	12 month period ended 30 September 2024 £m	12 month period ended 30 September 2024 % margin	% pts change
UK	20.6	70.1%	19.0	67.9%	2.2%
North America	23.9	72.6%	24.1	71.1%	1.5%
Europe	3.0	71.4%	2.3	56 .1%	15.3%
Escode gross profit and % margin	47.5	71.4%	45.4	68.8%	2.6%

Escode gross margin has increased by +2.6% pts, with UK and North America increasing by +2.2% pts and +1.5% pts respectively and Europe increasing by +15.3%. This is due to the continued benefits arising from previous investments enabling Escode to achieve sustainable revenue growth and gross margin improvements. The improvement in gross margin was driven primarily by favourable price increases and operating efficiencies.

Comparing the two halves of the year against their respective prior period comparatives, Escode gross profit by originating region is analysed as follows:

	6 month period ended 31 March 2025 £m	6 month period ended 31 March 2025 % margin	6 month period ended 31 March 2024 £m	6 month period ended 31 March 2024 % margin	% pts change
UK	10.2	68.5%	9.5	67. 9 %	0.6%
North America	11.7	71.3%	11.7	69.6%	1.7%
Europe	1.4	70.0%	1.2	57.1%	12.9%
Escode gross profit and % margin	23.3	70.0%	22.4	68.1%	1.9%

	6 month period ended 30 September 2025 £m	6 month period ended 30 September 2025 % margin	6 month period ended 30 September 2024 £m	6 month period ended 30 September 2024 % margin	% pts change
UK	10.4	71.7%	9.5	67. 9 %	3.8%
North America	12.2	73.9%	12.4	72.5%	1.4%
Europe	1.6	72.7%	1.1	55.0%	17.7%
Escode gross profit and % margin	24.2	72.9%	23.0	69.5%	3.4%

Financial review continued

NCC Group plc — Annual report and accounts for the year ended 30 September 202552

When comparing H2 2025 performance to H1 2025, the following table summarises the gross margin trajectory:

	6 month period ended 30 September 2025 £m	6 month period ended 30 September 2025 % margin	6 month period ended 31 March 2025 £m	6 month period ended 31 March 2025 % margin	% pts change
UK	10.4	71.7%	10.2	68.5%	3.2%
North America	12.2	73.9%	11.7	71.3%	2.6%
Europe	1.6	72.7%	1.4	70.0%	2.7%
Escode gross profit and % margin	24.2	72.9%	23.3	70.0%	2.9%

Overall Escode gross margin has increased by 2.9% in H2 2025 compared to H1 2025. This is predominantly driven by an improvement in UK and North America Escode which have increased by 3.2% and 2.6% respectively. These improvements continue to reflect an increased shift towards a more global operating model for Escode, following the change in sales team structure during the year.

Individually Significant Items

During the year, the Group has incurred a £1.9m credit in Individually Significant Items (ISIs) (2024: £41.5m) as follows:

	2025 £m	2024 £m
Fundamental re-organisation costs	3.9	9.4
Costs associated with strategic review of Escode business	3.8	0.1
Costs associated with strategic review of Cyber business	1.8	—
Profit on disposal of DetACT/DDI	—	(1.5)
North America Cyber Security goodwillimpairment	—	31.9
Transaction costs of Fox Crypto	—	1.6
Total ISIs (excluding profit on disposal of Fox Crypto)	9.5	41.5
Profit on disposal of Fox Crypto	(11.4)	—
Total ISIs	(1.9)	41.5

The £11.4m gain on disposal of Fox Crypto recognised in the year ended 30 September 2025 is calculated as cash consideration of £65.6m, less net assets disposed of £52.3m, and less £2.0m of transaction costs incurred during the year. The difference between the £11.4m gain recorded in the year and the £9.8m overall gain (see Note 31) reflects £1.5m of transaction costs incurred in the 16 month period ended 30September 2024, which are not included in the current year. In addition, £0.1m of TSA income has been accrued during the year. As this represents a material gain on disposal, it has been separately disclosed on the face of the Groups statutory consolidated Income Statement.

ISIs also include £3.9m (2024: £9.4m) of fundamental re-organisation costs as we continue to reshape the Group in line with its strategy, with the current intention to complete the final phase by December 2025. However, this will continue to be monitored as the transformation strategy progresses as we ensure the operating model is market aligned, and delivery is focused to support the underlying Cyber Security business strategy. £3.8m (2024: £0.1m) of professional fees in relation to the ongoing strategic review of Escode have also been incurred during the year. Regarding the strategic review of Cyber (the “Cyber Review”), professional fees of £1.8m (2024: £nil) have been incurred during the year.

Finance costs

The Group’s finance costs (including discontinued operations of £0.1m) for the year ended 30 September 2025 were £5.0m (2024: £8.3m). This annualised reduction in finance costs resulted from the Group’s repayment of external borrowings part way through the year, following the receipt of gross cash proceeds of £65.6m from the completion of the Fox Crypto disposal in March 2025. Finance costs include lease financing costs of £1.1m (2024: £1.7m), with a reduction due to the Group’s property rationalisation.# Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 53

Financial review continued

Earnings/(loss) per share (EPS)

Year ended 30 September 2025	16 month period ended 30 September 2024
Statutory
Statutory profit/(loss) for the year/period from continuing operations	17.1
Basic earnings/(loss) per share	5.6p
Diluted earnings/(loss) per share	5.5p
Adjusted
Adjusted profit for the year/period	14.5
Basic EPS	4.7p
Diluted EPS	4.6p
Weighted average number of shares (million)
Basic	307.1
Diluted	312.3

1 See Note 3 of the Consolidated Financial Statements for the composition of how the Group’s statutory profit/(loss) for the year/period is comprised between continuing operations and discontinued operations.

Earnings/(loss) per share (EPS) continued

Adjusted basic EPS 1 is reconciled as follows:

	Year ended 30 September 2025	16 month period ended 30 September 2024
Statutory profit/(loss) for the year/period	17.1	(32.5)
Individually Significant Items (Note 4)	9.5	39.9
(Profit on disposal)/transaction costs of Fox Crypto (Note 4)	(11.4)	1.6
Tax effect of Individually Significant Items	(0.7)	(5.8)
North America deferred tax asset derecognition (adjusting item)	—	7.4
Adjusted profit for the year/period	14.5	10.6

Reconciliation of net debt

1 The table below summarises the Group’s cash flow and net debt 1 (including discontinued operations):

	Year ended 30 September 2025 £m	Year ended 30 September 2024 £m	16 month period ended 30 September 2024 £m
Operating cash inflow before movements in working capital	38.7	50.6	48.5
Movement in working capital and non-payables	1.2	(2.6)	(10.1)
Cash generated from operating activities before interest and taxation	39.9	48.0	38.4
Interest element of lease payments	(1.1)	(1.6)	(1.7)
Finance interest paid	(3.3)	(5.9)	(6.0)
Taxation paid	(2.0)	(2.1)	(4.3)
Net cash generated from operating activities	33.5	38.4	26.4
Purchase of property, plant and equipment	(4.7)	(4.3)	(6.2)
Software and development expenditure	(0.4)	(1.3)	(2.6)
Acquisition of trade and assets as part of a business combination	—	—	(1.0)
Sale proceeds from business disposals	61.4	10.4	12.4
Equity dividends paid	(19.0)	(14.5)	(14.5)
Repayment of lease liabilities (principal amount)	(6.8)	(7.9)	(10.2)
Acquisition of treasury shares	(5.8)	(5.8)	(5.8)
Proceeds from the issue of ordinary share capital	0.3	0.3	0.3
Net movement	58.5	15.3	(1.2)
Opening net debt (excluding lease liabilities) 1	(45.3)	(67.5)	(49.6)
Non-cash movements (release of deferred issue costs)	(0.5)	(0.5)	(0.6)
Foreign exchange movement	0.4	7.4	6.1
Closing net cash/(debt) excluding lease liabilities 1	13.1	(45.3)	(45.3)
Lease liabilities	(19.5)	(27.6)	(27.6)
Closing net debt 1	(6.4)	(72.9)	(72.9)

2 The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic review of Escode and strategic review of Cyber costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which includes an explanation of APMs and adjusting items, along with a reconciliation to statutory information. The gain on disposal of Fox Crypto was non-taxable.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 54

Financial review continued

	Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m
Cash and cash equivalents	16.4	29.8
Bank overdraft	—	(13.6)
Borrowings (net of deferred issue costs) – continuing operations	(3.3)	(61.5)
Net cash/(debt) excluding lease liabilities 1	13.1	(45.3)
Lease liabilities	(19.5)	(27.6)
Net debt 1	(6.4)	(72.9)

Net cash/(debt), excluding lease liabilities, for discontinued and continuing operations is presented below:

	Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m
Net cash/(debt) excluding lease liabilities 1 – continuing operations	9.2	(47.3)
Net cash excluding lease liabilities 1 – discontinuing operations	3.9	2.0
Net cash/(debt) excluding lease liabilities 1	13.1	(45.3)
Net debt 1	(6.4)	(72.9)

Net debt 1 can be reconciled as follows:

Reconciliation of net change in cash and cash equivalents to movement in net debt 1 :

	Year ended 30 September 2025 £m	16 month period ended 30 September 2024 £m
Net decrease in cash and cash equivalents (inc. bank overdraft)	(1.0)	(18.4)
Change in net debt 1 resulting from cash flows (net of deferred issue costs)	59.2	17.2
Release of deferred issue costs	(0.5)	(0.6)
Issue costs related to borrowings (non-cash)	0.3	—
Effect of foreign currency on cash flows	1.2	2.3
Foreign currency translation differences on borrowings	(0.8)	3.8
Change in net debt 1 during the year/period	58.4	4.3
Net debt 1 at start of period excluding lease liabilities	(45.3)	(49.6)
Net cash/(debt) 1 at end of period excluding lease liabilities	13.1	(45.3)
Lease liabilities	(19.5)	(27.6)
Net debt 1 at end of year/period	(6.4)	(72.9)

1 Net cash/(debt) and Net cash/(debt) excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

The reduction in net debt is predominantly driven by the completion of the Fox Crypto disposal in March 2025, where the Group received sale proceeds (net of cash disposed of) of £61.4m. This amount has been utilised to reduce the Group’s borrowings during the year.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 55

Financial review continued

Reconciliation of net debt 1 continued

The calculation of the cash conversion ratio 1 is set out below:

	Year ended 30 September 2025 £m	Year ended 30 September 2024 £m	16 month period ended 30 September 2024 £m
Operating cash flow before interest and taxation	39.9	48.0	38.4
Adjusted EBITDA 1,2	43.7	49.7	51.6
Cash conversion ratio 1,2 (%)	91.3%	96.6%	74.4%

Cash conversion has improved by 16.9% pts to 91.3% as at 30 September 2025 (when compared to the previous audited period), primarily driven by stronger performance in the second half of the year and favourable movements in the Group’s working capital, reflecting improved collectability. For reference, cash conversion was 62.3% in H1 2025 and 119.4% in H2 2025.

Cash capital expenditure during the period was £5.1m (2024: £8.8m), which includes tangible asset expenditure of £4.7m (2024: £6.2m) and capitalised software and development costs of £0.4m (2024: £2.6m). Following the opening of our new Fox-IT office in October 2025, the Group incurred £1.6m of tangible capital expenditure during the year to fit out the premises and make the office operational.

During the year, the Company acquired treasury shares (4,000,000 ordinary shares) for £5.8m, this follows shares (4,000,000 ordinary shares) purchased in the prior period 2024 for £5.8m. The shares are held in the EBT, which is a discretionary trust for the benefit of the Group’s colleagues. The shares will be used to satisfy the future vesting requirements of share plans the Company operates under the Long Term Incentive Plan, the Restricted Share Plan and other discretionary share plans. Following this purchase, and as at 30 September 2025, the EBT holds a total of 8,485,195 ordinary shares (2024: 5,158,090), equating to 2.69% of the Company’s issued share capital.

As announced on 21 October 2025, the Board will commence an initial share buy-back programme in December 2025/January 2026. This will be carried out under our existing shareholder authority and in line with our capital allocation policy, as well as all relevant legal and regulatory requirements. Our current dividend policy will remain unchanged by the share buy-back programme.

Dividends

During the year, total dividends of £9.2m were recognised and paid (2024: £14.5m). In addition, the interim dividend of £9.8m for the period ended 30 September 2024 (3.15p per share) was recognised in the prior period and paid during the year on 1 October 2024. The Board is proposing a final dividend of 3.15p per ordinary share for the year ended 30 September 2025, as it remains mindful of the continued need to invest in the Group’s strategy, marking 20 consecutive years of dividend payments for shareholders.The final dividend of 3.15p per ordinary share, which, together with the interim dividends of 1.50p and 1.50p per ordinary share paid on 4 April 2025 and 1 August 2025 respectively, makes a total dividend of 6.15p for the year ended 30 September 2025. The final dividend will be paid on 10 April 2026, subject to approval at the AGM on 3 March 2026, to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026. The dividend has not been included as a liability as at 30 September 2025. The payment of this dividend will not have any tax consequences for the Group.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
56

Our FY26 framework

Looking forward to FY26, we will measure ourselves against the following goals:

Sustainable revenue growth

Deliver underlying growth in Cyber Security
Deliver return on sales investment in Cyber Security
Drive C&I and MS as a proportion of revenue
Maintain momentum in Escode

Improved gross margin

Increase Cyber utilisation from 70% to 75%
Data driven pricing and margin investment decision making
Drive enhanced benefits from globalised technical resource footprint

Efficiency for growth

Simplify operating model in Cyber and Escode to generate efficiencies
Drive consistent profit conversion in every market

Capital deployment supporting growth

Strong cash conversion
Sustain appropriate liquidity and debt facilities
Execute share buy-back programme
Dividend policy

Guy Ellis
Chief Financial Officer
11 December 2025

Strategic report

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
57

Chair’s introduction to governance

Governance standards

The Board is committed to high standards of corporate governance and is pleased to confirm that throughout the year ended 30 September 2025, the Company complied with all relevant provisions of the UK Corporate Governance Code other than the fact that we have not undertaken a formal Board and Committee evaluation (the reasons why are set out below).

A key focus of the Code is culture and ensuring it aligns with the Group’s purpose, strategy and values. Culture has been high on the Board’s agenda for a long time and the Board considers culture to be an essential ingredient in meeting our long-term, sustainable returns to all stakeholders. The Board, the Executive Committee and senior management continue to promote our culture and standards throughout the business and lead by example to provide a strong corporate governance framework.

One of the most significant parts of the Code affecting NCC Group is in respect of workforce engagement. Our main stakeholder is our colleagues and we continue to maintain meaningful mechanisms to ensure that we, as a Board, have constructive and regular dialogue with our dedicated and committed workforce. This then puts us in a strong position to deliver our strategy. During the year, Julie Chakraverty, Senior Independent Director and designated Non-Executive Director for workforce engagement, has been continuing to reach out to colleagues across the business. As a people business, insights from our colleagues are invaluable; therefore, colleague engagement is a crucial area for us to continue to focus on and continue to get right. We have not let distance or differing time zones be a barrier to hearing our colleagues’ opinions around the Board table.

Our approach

The Directors have acted in a way they consider, in good faith, to be most likely to promote the long-term success of the Company. Our role as the Board is to set the strategy of the Group and ensure that management operates the business in accordance with our priorities. We believe this approach will promote the Group’s long-term success and our customers’ interests as well as creating value for shareholders and having regard to our other key stakeholders such as our colleagues. The Board’s intention is to hand over the business to our successors in a better and more sustainable position for the future. We recognise the continued focus on the contribution that a successful company can make to wider society in general, in addition to generating value for shareholders, and as a Board we want to ensure that we have effective engagement with, and encourage participation from, shareholders and other stakeholders. The Board acknowledges that there are competing priorities for different stakeholders but strives to balance the priorities, while ensuring decisions made are in the best interests of the Company.

Board composition and diversity

The biographies of all the Board members can be found on pages 62 and 63. There have been no changes to the Board during the year. With regard to our current diversity, I am satisfied that we have an appropriately diverse Board in terms of experience, skills and personal attributes among our Board members. The Directors have many years of experience gained across a variety of industries and sectors, ensuring a mix of views and providing a broad perspective.

Dear Shareholder

On behalf of the Board, I am pleased to present the Corporate Governance Report for the year ended 30 September 2025. Throughout the year the Board has worked cohesively as a team and I would like to thank each Director for their wise counsel and continued efforts during this time. The Board is composed of highly skilled and experienced Directors from a diverse range of industries and backgrounds, all of whom contribute towards the long-term success of the Company and show commitment and enthusiasm in the performance of their roles and duties. I would like to thank all of my Board colleagues for their commitment, support and flexibility over the past year.

We now meet as a Board predominantly face to face, but we still use virtual meetings for shorter update meetings or when we need to meet at short notice. This continued hybrid way of working has enabled us to maintain strong governance and robust decision making, delivering against our strategy. We had the opportunity during the year to hold a number of Board dinners either the night before or following Board meetings. This informal time together as a Board, which often has other colleagues from across the business in attendance, allows us to talk matters through and also fosters a culture of team and togetherness away from the more formal setting of the boardroom. The Board is committed to creating and maintaining a culture where strong levels of governance thrive throughout the organisation, specifically ensuring that we send out consistent messages on our values and principles for our colleagues, our customers, our suppliers and our advisers.

Chris Stone
Non-Executive Chair

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
58

We recognise that we still have some progress to make in terms of improving the diversity of the Board and our executive team (and indeed our workforce as a whole). During the year ended 31 May 2021, we made the firm commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour. We have now delivered on our commitment and are also on course to meet the FTSE Women Leaders Review and Listing Rules target of 40% female representation by the end of 2025. Although this is best practice for FTSE 350 companies, we have committed to this target regardless of which share index we are in. Our Board now has 43% female representation (three out of seven) and we will look to improve this further still during any future appointments to the Board. Improvements in diversity are often not a quick process but we are very mindful of the need to take positive action, and the matter continues to remain high on our agenda, as can be seen with the progress we have made over recent years. Accessing the candidates we require to reach this target will involve us looking beyond the obvious pool of existing board directors within the UK and we intend to ensure that we extend our talent search to other sectors and countries enabling us to find a diverse pool of candidates from which to choose to provide us with true diversity around our Board table.

To confirm, as at 30 September 2025, we complied with the following:

At least 40% of the individuals on our Board of Directors are women.
At least one of the senior positions on our Board of Directors is held by a woman (our Senior Independent Director).
At least one individual on our Board of Directors is from a minority ethnic background.

Effectiveness

As Chair, I am responsible for providing leadership to ensure that the Board operates effectively. I have been supported in this by all the Directors, but in particular our Senior Independent Director (Julie Chakraverty). The annual reviews of Board effectiveness help the Board to consider how it operates and how its operations can be improved. This year, we have not undertaken a formal review of the Board and its Committees. Building on our inaugural externally facilitated Board evaluation in 2023, we undertook a comprehensive internally facilitated Board and Committee evaluation in 2024, where we took significant time to discuss the output and agree actions in January 2025. We felt that we wanted further time to embed the actions from previous evaluations into how we operate and work together as a Board and felt that pausing the formal review process for a year was a sensible course of action. In addition, a significant amount of Board time and focus was taken up by a number of strategic considerations, as well as being in an “offer period” since mid-July 2025. We concluded that undertaking a Board and Committee evaluation process at this time would not be appropriate, given the significant level of activity currently underway.# Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 59

Chair’s introduction to governance continued

In reaching this decision, the Board considered the importance of maintaining focus on critical strategic and operational priorities during a period of heightened activity. While evaluations are an integral component of good governance and support continuous improvement, the timing of such a process must ensure that it adds value rather than creating unnecessary burden or distraction. The Board remains committed to undertaking a comprehensive evaluation when circumstances allow, in line with best practice. Our intention is for our next review to be externally facilitated and we will look to undertake this during 2026. As a reminder, Board succession planning remains a priority, particularly as we look to ensure the Board and Executive Committee have the right set of skills and experience to support the Group as the business evolves.

Board tenure as at 30 September 2025

	2017	2018	2019	2020	2021	2022	2023	2024	2025
30 September:

Our investors

We are in regular contact with our large investors through a scheduled programme of meetings attended by our CEO, CFO and Chair. Julie Chakraverty (Senior Independent Director), Lynn Fordham (Audit Committee Chair) and Jennifer Duvalier (Remuneration Committee Chair) are also available to meet with investors should the need arise. In May 2025, we hosted an immersive experience to help our shareholders and analysts, along with other industry professionals from insurance brokers and financial services, to understand how we would help clients respond to cyber incidents. Particular highlights during the year were NCC Group winning the IR Society award for “Best IR Programme 2024 (Small Cap)”, and also being shortlisted for the IR Society award for “Best Communication of Sustainability 2024 (Small Cap)”. I continue to meet with our larger investors and report my findings to Board colleagues. Investor engagement has remained a priority throughout the year and has been conducted in full compliance with Offer Period regulations. In addition, our brokers have undertaken investor surveys following the half-year results, and the findings were presented and discussed at a Board meeting. Our objective is to maintain open, transparent, and meaningful dialogue with our shareholders. Ensuring that the Directors’ remuneration packages align the Directors’ and senior managers’ interests with the long-term interests of NCC Group and its shareholders is always a key area of interest for investors. The 2024 Directors’ Remuneration Policy received 89.61% of votes in favour at the 2025 AGM, and it was pleasing that our 2024 Directors’ Remuneration Report received 80.33% of votes in favour, recognising the continued appreciated support of our shareholders for our approach to executive remuneration.

Statement of compliance with the UK Corporate Governance Code

The Company measures itself against the requirements of the UK Corporate Governance Code 2018 (the “Code”), which is available on the Financial Reporting Council website (www.frc.org.uk). I can confirm that the Board has applied the principles and complied with the provisions of the UK Corporate Governance Code 2018 throughout the year to 30 September 2025 other than the fact that we have not undertaken a formal Board and Committee evaluation for the reasons explained earlier.

Thank you

We are immensely proud of our colleagues for their continuing extraordinary efforts, always acting in the best interests of our customers and our stakeholders. I would like to thank all our colleagues for their incredible contribution in stepping up and meeting the challenges that the Group has faced over the past year.

Chris Stone
Non-Executive Chair

11 December 2025

Mike Maddison	Guy Ellis	Chris Stone	Lynn Fordham	Julie Chakraverty	Jennifer Duvalier	Mike Ettling
8 years 6 months	3 years 3 months	2 years 3 months	3 years 9 months	7 years 5 months	8 years 0 months	3 years 1 month

NCC Group plc — Annual report and accounts for the year ended 30 September 202560

Governance framework

The different parts of the Company’s governance framework are shown below, with a description of how they operate and the linkages between them.

Executive Committee (“ExCom”): Currently comprises the Group’s most senior business and operational Executives. It is responsible for assisting the Chief Executive Officer in the performance of its duties including:
- Developing the budget
- Monitoring the performance of the different divisions of the Company against the plan
- Carrying out a formal risk review process
- Reviewing the Company’s policies and procedures
- Prioritisation and allocation of resources
- Overseeing the day-to-day running of the Company
- Being responsible for people, talent and culture
Chief Executive Officer: Provides leadership and is responsible for the overall management of NCC Group, and its strategy, long-term objectives and risk management. It ensures the right Company structure is in place to deliver long-term value to shareholders and other stakeholders.
Board: Has responsibility for managing the business and overseeing the implementation of the strategy agreed by the Board. (The Board has collective responsibility to promote the long-term sustainable success of the Group, ensuring due regard is paid to the interests of its stakeholders.)
Board Committees: Support the Board in its work with specific areas of review and oversight objectives and risk management. They ensure the right Company structure is in place to deliver long-term value to shareholders and other stakeholders. (The Board oversees the Group’s operations through a unitary Board and four principal Committees, being Audit, Nomination, Remuneration and Cyber Security. The terms of reference for these Committees can be found on our website. Further information on the work of these Committees can be found in later sections of this Annual Report and Accounts.)
Audit Committee: Primary function is to assist the Board in fulfilling its financial and risk responsibilities. It also reviews financial reporting, the internal controls in place and the external audit process. Read more on pages 71 to 76.
- Nomination Committee: Responsible for considering the Board’s structure, size, composition, diversity and succession planning. Read more on pages 77 and 78.
Cyber Security Committee: Responsible for overseeing and advising on the Group’s exposure to cyber risk, its future cyber risk strategy, its Cyber Security breach response, its crisis management plan and the review of reports on any Cyber Security incidents. Read more on pages 79 and 80.
Remuneration Committee: Responsible for determining the overall remuneration of the Executive Directors and the remuneration of senior managers (ExCom) within the broader institutional context of remuneration practice. Read more on pages 81 to 93.

For further details on Board composition and division of responsibilities, see pages 64 to 69.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 61

Board of Directors

Our business is led by our Board of Directors. Biographical and other details of the Directors are as follows:

During the year a number of Directors took on additional appointments outside of their role with NCC Group. The Board considered these appointments and concluded that these appointments did not conflict with NCC Group, and the Director would have sufficient time to devote to NCC Group following the additional appointments, and that the appointments did not result in the Directors concerned being “overboarded”.

View our Executive Committee: nccgroupplc.com/our-board-executive-committee/

Other Directors during the year

No other Directors served on the Board during the year.

Chris Stone

Non-Executive Chair

Appointment to the Board: 6 April 2017
Career experience: Chris has held various Non-Executive Director and Chief Executive roles at listed and private equity backed technology companies. He was CEO of Northgate Information Solutions plc from 1999 to 2008, until its sale, and stayed as CEO until 2011. From 2013 to 2016, he was CEO of Radius Worldwide. Chris was also a Non-Executive Director of CSR plc, and Chair of the Remuneration Committee, from 2012 until its sale in 2015. Chris was also Chair of AIM listed CityFibre plc from January 2017 until June 2018, when it was sold to private equity buyers. Chris has also been Chair of Everynet B.V., a privately owned Internet of Things infrastructure business.
External appointments: Chris is currently Chair of AIM listed Idox plc.

Mike Maddison

Chief Executive Officer

Appointment to the Board: 7 July 2022
Career experience: Mike served as Head of EY’s Cyber Security, privacy and trusted technology practice for EMEA from 2017, achieving sustained growth across 97 countries and strengthening EY’s standing as a leading adviser in the field. Prior to this, he led PwC’s risk services practice in the Middle East, following a decade as Head of Deloitte’s EMEA Cyber Security consultancy, where he also delivered substantial growth.
External appointments: Mike does not currently have any external appointments.

Guy Ellis

Chief Financial Officer

Appointment to the Board: 30 June 2023
Career experience: Guy joined NCC Group in 2021, as Director of Commercial Finance as well as serving as Interim Managing Director of our Escode business, and most recently as Interim Managing Director of our UK Cyber Security business. Guy has over 25 years’ experience in finance and commercial roles in the retail sector for brands including Asda and Specsavers. This experience and the recent interim roles in NCC Group have given him a breadth of understanding of the commercial drivers and operations across the whole business.# External appointments

Guy does not currently have any external appointments.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Committee key:
* A Member of Audit Committee
* C Member of CyberSecurity Committee
* N Member of Nomination Committee
* R Member of Remuneration Committee

| Committee Chair | Julie Chakraverty | Jennifer Duvalier | Mike Ettling * Senior Independent Non-Executive Director (and designated Non-Executive Director for workforce engagement)
* Jennifer Duvalier
* Independent Non-Executive Director
* Appointment to the Board: 1 January 2022
* Career experience: Julie has a wealth of plc board experience, formerly serving as a Non-Executive Director on the boards of Santander UK and Abrdn plc (formerly Standard Life Aberdeen plc, having been Senior Independent Director and Chair of the Risk and Innovation Committees for Aberdeen Asset Management plc prior to merging). She has also been Chair of the Remuneration Committee for the global insurer MS Amlin plc, a Non-Executive Director for Spirit Pub Company Limited and a Trustee for The Girls’ Day School Trust. During her executive career, Julie was a board member of UBS Investment Bank, where she held a number of global leadership positions and won industry awards for innovation every year from 2001–2009 for her “CreditDelta” technology product. Julie was also a Director and founder of Rungway Limited, an employee engagement platform used by leading global firms.
* External appointments: Julie is currently an Independent Non-Executive Director of easyJet plc, AJ Bell plc and Starling Bank Limited.
* Mike Ettling
* Independent Non-Executive Director
* Appointment to the Board: 25 April 2018
* Career experience: Jennifer was Executive Vice President of People at ARM Holdings plc, with responsibility for all people and internal communications activity globally, from September 2013 to March 2017.
* External appointments: Jennifer is currently the Senior Independent Director of Trainline plc (where she is also a member of the Audit and Risk, Nomination and Remuneration Committees) and an Independent Non-Executive Director and Chair of the Remuneration Committee of Mitie Group plc (as well as being a member of its Nomination Committee she is also the designated Non-Executive Director for colleague engagement at both companies). She is also a Non-Executive Director of The Cranemere Group Ltd and a Trustee of Somerset House (a UK-based charity), an adviser to New York Presbyterian hospitals group in the US, and an external adviser to the People and Remuneration Committee of the Wellcome Trust.
* Lynn Fordham
* Independent Non-Executive Director (and lead Non-Executive Director for Sustainability)
* Appointment to the Board: 22 September 2017
* Career experience: Mike has strong sector and non-executive experience. He has had an extensive career in global technology businesses including Unit4, SAP-Sucessfactors, NorthgateArinso, Unisys, Synstar and EDS and was formerly a Non-Executive Director of Backoffice Associates LLC, a US PE backed data business, and also formerly a Non-Executive Director of Telkom BCX Ltd, a South African IT and telecommunications business. Mike has also served as a Non-Executive Director with Topia Inc, a Silicon Valley cloud relocation software business. He has also served as a Non-Executive Director of Impellam plc, an AIM listed recruitment business.
* External appointments: Mike is currently an Operating Partner at Advent International and Chair of Syspro Ltd, and is also an Independent Non-Executive Director of Optima Health Plc.
* A C N R
* Appointment to the Board: 1 September 2022
* Career experience: Lynn, a Chartered Accountant, was most recently Managing Partner of private investment firm Larchpoint Capital LLP, a position she held from 2017 to 2021. Prior to joining Larchpoint, Lynn was CEO of SVG Capital for eight years, having previously served as CFO. Before that she held senior finance, risk and strategy positions at Barratt Developments, BAA, Boots, ED&F Man, BAT and Mobil Oil. She also served as a Non-Executive Director on the board of Fuller, Smith & Turner for seven years until 2018, chairing its Audit Committee. Lynn was also a supervisory board member of VARO Energy B.V.
* External appointments: Lynn is currently Chair and a member of the Nomination Committee of NewRiver REIT plc and Pollen Street Group Limited. She serves as a Non-Executive Director and Chair of the Finance, Risk and Audit Committees at Enfinium Group Limited (private). From 17 September 2025, Lynn is also a Special Adviser to the Board of Domino’s Pizza Group, having stepped down from the Board as the Senior Independent Director at the same date. Lynn additionally chairs RMA – The Royal Marines Charity.

Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Board composition and division of responsibilities

The Board has agreed a clear division of responsibilities with the responsibilities of the Chair, Chief Executive Officer, Chief Financial Officer, Senior Independent Director and other Directors clearly defined so that no individual has unrestricted powers of decision and no small group of Directors can dominate the Board’s decision making.

| Role | Responsibilities # Board Audit Nomination Cyber Security Remuneration

	Audit	Nomination	Cyber Security	Remuneration
Chris Stone	8	9	1	N/A
Mike Maddison	9	9	N/A	N/A
Guy Ellis	9	9	N/A	N/A
Lynn Fordham	9	9	4	4
Julie Chakraverty	9	9	3	4
Jennifer Duvalier	9	9	N/A	1
Mike Ettling	9	9	4	4

At all times, all of the Board and Committee meetings remained quorate.

Meetings attended

Possible meetings

* Committee Chair

N/A Director is not required to attend the meeting, but may have attended by invitation.

1 Was unable to make one meeting due to an important personal matter that could not be rearranged.

2 Unable to make one Committee meeting because of a pre-existing business commitment (scheduled before NCC Group set its Board and Committee meeting dates) that could not be rearranged.

What principal decisions have been made and what have we looked at as a Board during 2024/25?

Section 172 statement

Section 172 of the Companies Act 2006 requires a director of a company to act in the way they consider, in good faith, would most likely promote the success of the company for the benefit of its members as a whole, but having regard to a range of factors set out in section 172(1)(a)–(f) of the Companies Act 2006. In discharging our section 172 duty, we have regard for these factors, taking them into consideration when decisions are made. The Board understands the importance of stakeholder engagement and, through regular updates from the Executive Directors and other senior managers, it has provided challenge and oversight throughout the year. The Company’s stakeholders are set out on pages 14 and 15, with an overview of how we engage with them, how they relate to our strategy and highlights from the previous year.

Principal decisions made during the year

Throughout this Annual Report, we have provided examples of how we have thought about the likely consequences of long-term decisions and detailed below is how the Board considered stakeholders, and the information we received through engagement, in a number of its key decisions in 2024/25. When making each decision, the Board carefully considered how it impacted on the success of the Group and its long-term (financial and non-financial) impact and had due regard to the other matters set out in section 172(1)(a)–(f) of the Companies Act 2006. The below should be read in conjunction with our Stakeholder Engagement section on pages 14 and 15, along with other sections of the Annual Report where appropriate.

| Topic | Stakeholder group | Decision taken | Engagement process # Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 67

The Board has debated and considers that all of the current Non-Executive Directors are independent, and in so doing considered the profile of all of the individuals, concluding that none of them:
* Have ever been a colleague of the Group
* Have ever had a material business relationship with the Group or receive any remuneration other than their salary or fees
* Have close family ties with the advisers, other Directors or senior management of the Group that could reasonably be expected to cause a conflict
* Hold cross-directorships or have significant links with other Directors through involvement with other companies or bodies
* Represent a significant shareholder
* Have, at the point of this report, served on the Board for more than nine years from the date of their first election

The Non-Executive Directors provide a strong independent element on the Board and are well placed to constructively challenge and help develop proposals on strategy and succession planning. Between them, they bring an extensive and broad range of experience to the Group. Details of the Directors’ respective experience are set out in their biographical profiles on pages 62 and 63. The terms and conditions of appointment of Non-Executive Directors are available for inspection at the Company’s registered office during normal business hours.

Diversity

The principle of Board diversity (and indeed diversity across the Group) is strongly supported by the Board. It is the Board’s policy that appointments to the Board will always be based on merit so that the Board has the right balance of individuals in place. The Board recognises that diversity of thought, approach and experience are important considerations and it is therefore one of the selection criteria used to assess candidates prior to any Board appointments. The Company’s policy is to find, develop and maintain a diverse workforce at all levels with an initial focus on developing a culture where women can achieve and retain senior positions.

Annual re-election

In accordance with the Code, any Directors appointed in the financial year are subject to election by shareholders at the AGM and, in line with best practice, all the other Directors are subject to re-election annually.

Director induction, training and development

New Directors are provided with an induction on appointment, which would include visits to the Group’s operations and meetings with operational and executive management. Each Director’s induction is tailored to their experience and background with the aim of enhancing their understanding of the Group’s strategy, business, operating divisions, colleagues, customers, suppliers and advisers, and the role of the Board in setting the tone of our culture and governance standards. The Company acknowledges the importance of developing the skills of the Directors to run an effective Board. To assist in this, Directors are given the opportunity to attend relevant courses and seminars to acquire additional skills and experience to enhance their contribution to the ongoing progress of the Group. All of the Directors attend sessions which are aimed at updating the Board on trends and developments in corporate governance.

Board and Committee effectiveness review

As described earlier, this year we have not undertaken a formal review of the Board and its Committees. Building on our inaugural externally facilitated Board evaluation in 2023, we undertook a comprehensive internally facilitated Board and Committee evaluation in 2024, where we took significant time to discuss the output and agree actions in January 2025. We felt that we wanted further time to embed the actions from previous evaluations into how we operate and work together as a Board and felt that pausing the formal review process for a year was a sensible course of action. Our intention is for our next review to be externally facilitated and we will look to undertake this during the 2026 calendar year.

As a reminder, Board succession planning remains a priority, particularly as we look to ensure the Board and Executive Committee have the right set of skills and experience to support the Group as the business evolves. As a reminder, a number of observations and recommendations were noted from previous evaluations, which are detailed below.

| Area | Recommendation/observation # Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 69

The ongoing success of the business and are of a significant nature to merit the Board having such a decision reserved to it. The Group also has a Group authority matrix (which documents the levels of authority delegated from the Board to various role holders within the Group). The schedule of matters reserved for decision by the Board and the Group authority matrix are complementary documents and are designed to ensure that decisions are either made by the Board or delegated to an appropriate senior colleague within the Group. As noted above, the operational management of the Group is delegated to the Executive Committee. The Board also delegates other matters to Board Committees and management as appropriate.

Risk management

The Board has ultimate responsibility for ensuring that business risks are effectively managed. The Board has delegated regular review of the risk management procedures to the Cyber Security Committee in relation to cyber risks, and to the Audit Committee in relation to all other risks. The Board reviews the overall risk environment on at least an annual basis. The day-to-day management of business risks is the responsibility of the Executive Committee (“ExCom”).

Internal control

The Group has a system of internal controls which aims to support the delivery of the Group’s strategy by managing the risk of failing to achieve business objectives and to protect the stewardship of the Group’s assets. As with all such systems, the goal is to manage risk within acceptable parameters, rather than to eliminate risk entirely. The Group can therefore only provide reasonable and not absolute assurance that the business objectives and asset stewardship will be delivered successfully. In addition, the Group insures against various risks, but certain risks remain difficult to insure, due to the breadth and cost of cover. In some cases, external insurance is not available at all, or at least not at an economically viable price. The Group regularly reviews both the type and amount of external insurance that it buys in conjunction with its insurance brokers. For a more detailed review of risk management processes, the principal risks faced by the Group and their mitigation, see pages 29 to 37.

The Audit Committee is responsible for reviewing the effectiveness of the risk management and internal control systems. The steps it takes in relation to the review are set out on page 74. The Audit Committee makes recommendations to the Board on the effectiveness of risk management and internal controls, which the Board considers, together with reports from the Cyber Security Committee, in forming its own view on the effectiveness of the risk management and internal control systems.

During the year ended 30 September 2025, the Board reviewed the effectiveness of the Group’s risk management and internal control systems together with internal control findings issued by our auditor. We confirm that the processes outlined above and on page 74 have been in place for the year under review and up to the date of this Annual Report and Accounts, and that these processes accord with the UK Corporate Governance Code and the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. While we have had a number of improvements identified through our internal audit reports issued throughout the year, management has agreed the required actions and is working to close these down. We report on these regularly to the Audit Committee and are working with local management to continuously improve controls and processes across the business.

Executive remuneration

During the year, we operated within the Remuneration Policy approved by shareholders. Details of how the Remuneration Policy has been applied during this financial year are set out on pages 81 to 93 of the Remuneration Committee Report.

Shareholder engagement

Share capital structure

The Company’s issued share capital at 30 September 2025 consists of 315,006,079 ordinary shares of 1p each. There are no special control rights or restrictions on share transfer or special rights pertaining to any of the shares in issue and the Company does not have preference shares. As far as is reasonably known to the Board, the Company is not directly or indirectly owned or controlled by another company or by any government.

Board engagement with shareholders

Communications with shareholders are given high priority. There is a regular dialogue with institutional investors including presentations after the Company’s year end and half-year results announcements. A programme of meetings takes place throughout the year with major institutional shareholders, and private shareholders have the opportunity to meet the Board face to face and ask questions at the AGM. We are in regular contact with our large investors through a regular scheduled programme of meetings attended by either our CEO or CFO or both of them. Julie Chakraverty, our Senior Independent Director, and I are also available to meet with investors should the need arise. After meeting our larger investors, I feed back my findings to Board colleagues at the next Board meeting. In addition, our brokers undertake investor surveys on the back of our half and full-year results and the results of these were presented and discussed at Board meetings. Our aim is to engage with our shareholders in an open and meaningful way. During the financial year, the Directors held a number of meetings with shareholders as set out below.

Board shareholder updates
Feedback from major institutional shareholders is provided to the Board on a regular basis and, where appropriate, the Board takes steps to address their concerns and recommendations.
Investor meetings
One-to-one meetings	157
Group meetings	40

Substantial shareholdings

As at 30 September 2025, the Company had been notified of the following interests of 3% or more in the issued share capital of the Company under the UK Disclosure and Transparency Rules:

Shareholder	Number of ordinary shares	% of NCC Group’s total share capital
Aberforth Partners	40,057,799	12.72%
Richard Griffiths	32,671,106	10.37%
Odyssean Investment Trust	20,000,000	6.35%
BlackRock	18,312,987	5.81%
Vanguard Group	15,624,408	4.96%
Harwood Capital	15,362,500	4.88%
First Trust Advisors	15,299,695	4.86%
NFU Mutual	13,151,529	4.18%
Artemis Investment Management	10,888,638	3.46%
Kestrel Partners	9,932,261	3.15%
Canaccord Wealth (Inst)	9,750,000	3.10%
Schroder Investment Management	9,471,825	3.01%

There were no changes to the above notified to the Company between 30 September 2025 and 11 December 2025.

Directors’ shareholdings

For details of Directors’ shareholdings, remuneration and interests in the Company’s shares and options, together with information on service contracts, see pages 81 to 93 of the Directors’ Remuneration Report.

AGM

The AGM is an opportunity for shareholders to vote on certain aspects of Group business and provides a useful forum for one-to-one communication with private shareholders. At the AGM shareholders receive presentations on the Company’s performance and may ask questions of the Board. The Chair seeks to ensure that the Chairs of the Audit, Remuneration, Nomination and Cyber Security Committees are available at the meeting to answer questions and all Directors attend. The Company prepares separate resolutions on each substantially separate issue to be voted upon at the AGM. The result of the vote on each resolution is published on the Company’s website after the AGM and will be announced via the regulatory information service. At the 2025 AGM, shareholders representing over 65% of the Company’s issued share capital returned their proxy votes.

On behalf of the Board
Chris Stone
Non-Executive Chair
11 December 2025

NCC Group plc — Annual report and accounts for the year ended 30 September 202570

Audit Committee report

In April 2025, the role of the Director of Global Governance was extended to include Procurement and Estates. As a result, to ensure independence from operational functions, the role of Chief Audit Executive (CAE) transferred to the Head of Risk and Assurance. Attendance during the year of individual Audit Committee members is shown in the table on page 65.

Significant accounting areas and areas of significant management judgement or estimation uncertainty

The table below summarises the significant accounting issues, judgements and estimates considered by the Committee during the year in relation to the Financial Statements. These are categorised as either recurring items the Committee regularly reviews or current year focus areas. The table also indicates the level of judgement or estimation applied to each item. Items with a “low” judgement level typically have extensive independent third party evidence, while those requiring “high” judgement rely more on management estimates and historical trends than third party evidence.# Audit Committee Report

Review items

Accounting judgement?	Estimation required?	Goodwill carrying value	Discontinued operations and held-for-sale classification
N/A	High	N/A	Low

Significant issues considered during the year in relation to the Financial Statements

During the year, the Committee reviewed and considered the following areas in respect of financial reporting and the preparation of the interim and annual Financial Statements:

The appropriateness of the accounting policies used
Compliance with external and internal financial reporting standards and policies
Significant areas of management judgement or estimation
Assumptions and models used to determine fair value of all key business units for the Group’s annual impairment review
Assessed the quality of earnings by reviewing one-off, out of period or non-trading items arising over the year
Continued focus on the adherence to the Individually Significant Items (ISIs) accounting policy and presentation of ISIs
Accounting for the disposal of non-core operations (Fox Crypto) during the year
Accounting for the Group’s Escode business as discontinued operations and asset held for sale
Disclosure and presentation of GAAP and Alternative Performance Measures (APMs)
The effectiveness and changes to the financial control environment
Whether the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary to assess the Group’s financial position, performance, business model and strategy
Revenue recognition on material contracts to the Group
Going Concern and Viability Statement considering the potential implications of the Group’s Escode Business as Discontinued operations and Held-for-Sale Classification and the ongoing Strategic Review of the Cyber Business

In carrying out this review the Committee challenged the significant estimates and judgements made by the Group’s finance team and considered the external auditor’s reports setting out its views on the accounting treatments and judgements included in the Financial Statements.

I am pleased to present the Audit Committee Report for the year ended 30 September 2025 to explain how we have discharged our responsibilities with an overview of our principal activities and their outcomes.

Committee membership, attendees’ access and objectives

I have been Chair of the Audit Committee since 1 September 2022 and I am a Chartered Accountant with diverse sector experience across listed companies, private equity and financial services in several disciplines including risk management, internal control and financial reporting. I am also currently Chair of NewRiver REIT plc and Pollen Street Group and Non-Executive Director of Enfinium Group. From 17 September 2025, I became a Special Adviser to the Board of Domino’s Pizza Group, having stepped down from the Board as the Senior Independent Director at the same date. The Board therefore considers that I have the recent and relevant financial experience required by the Code.

Mike Ettling, Julie Chakraverty and I all served on the Committee throughout the period. All members of the Committee are considered to be independent, and the Committee as a whole continues to have competence in the technology sector. Summary biographies of each member of the Committee are included on pages 62 and 63.

The purpose of the Audit Committee is to provide oversight of an organisation’s financial reporting, internal controls and compliance with laws and regulations, ensuring transparency and accountability in financial operations on behalf of the Board. The Committee also provides a forum for reporting by the external auditor. Cyber risk and controls are considered by the Cyber Security Committee. A full copy of the Committee’s terms of reference can be found in the Investor Relations section of the Group’s website.

Meeting frequency and attendance

The terms of reference for the Committee require at least three meetings per year. During this financial year, the Committee met four times. As well as the members of the Committee, standing invitations are given to the Company Chair, the other Independent Non-Executive Directors, the Chief Executive Officer, the Chief Financial Officer, the SVP, Group Finance and the SVP, Global Governance, Procurement and Estates, with other attendees also attending by invitation. The external auditor also attends each meeting. During the year, the Committee held meetings with the external auditor and the SVP, Global Governance, Procurement and Estates and the Head of Risk and Assurance without the Executive Directors and management being present.

Lynn Fordham
Chair, Audit Committee

Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 71

Principal duties delegated to the Audit Committee

| Areas delegated to the Audit Committee | Committee responsibilities | Activities during the year # Fair value less costs to sell

In accordance with IAS 36, during the year ended 30 September 2025, tests for impairment are based on the calculation of a fair value less costs to sell (FVLCTS) which has been used to establish the recoverable amount of the CGU. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on Adjusted EBITDA ¹, and applying a reasonable market multiple on the calculated sustainable earnings. Estimated sustainable earnings have been determined taking into account past experience and includes expectations based on a market participant view of maintainable performance of the business based on market volatility and uncertainty as at 30 September 2025. The sustainable earnings input is a level 3 measurement; level 3 measurements are inputs which are normally unobservable to market participants. The sustainable earnings figures used in this calculation include key assumptions regarding sustainable revenues and costs for the business. If the assumptions and estimates used in this valuation prove to be incorrect, the carrying value of goodwill may be overstated. During this year, the Committee has reviewed the Group’s latest available forecasts, along with its ongoing execution of the new strategy and management’s future action plans, as part of its consideration of the utilised sustainable earnings figures.

The Group incurs certain overhead costs in respect of support services provided centrally to the CGUs. Such support services include Finance, Human Resources, Legal, Information Technology and additional central management support in respect of stewardship and governance. In calculating sustainable earnings these overhead costs have been allocated to the CGUs based on the extent to which each CGU has benefited from the services provided. This allocation is primarily based on the time spent by the relevant central department in supporting each CGU, informed by headcount or another reasonable proxy where available. Where possible, specific cost allocations have been applied. The methodology remains consistent with the prior period to ensure the allocation reflects the Group’s operating model.

The Adjusted EBITDA ¹ multiple used in the calculations is based on an independent third party assessment of the implied enterprise value (from a market participant perspective as at 30 September 2025) of each CGU based on a population of comparable companies and precedent transactions. The estimated cost to sell was based on other recent transactions that the Group has undertaken. The Committee reviewed the FVLCTS calculations, including the sustainable earnings assumptions and the applied multiple. This review considered independent third-party valuations as at 30 September 2025, which reflect a market participant view of business performance in light of prevailing market volatility and uncertainty.

Impairment conclusions

The Committee assessed the recoverable amount of each CGU using fair value less costs to sell as at 30 September 2025, after applying the methodology described above. The Committee concurred with management’s view that, in all cases, the recoverable amount exceeded the carrying amount and, accordingly, no impairment losses were recognised for the year ended 30 September 2025.

Sustainable earnings include a key assumption regarding the achievement of forecast revenue within each CGU assessment. The Committee reviewed the sensitivity analysis prepared by management, focusing on reasonably possible changes to this key revenue assumption. In particular, the Committee considered the impact of a 10% shortfall in forecast revenue (after factoring in controllable variable cost reductions and maintaining margins) and concurred with management’s view that, under this scenario, the recoverable amount of each CGU would continue to exceed its carrying amount, and no material impairment would arise.

Discontinued operations and held-for-sale classification (New item: see Note 16 to the Financial Statements)

Held-for-sale classification

Under IFRS 5, a disposal group is classified as held for sale when management is committed to a plan to sell, the asset is available for immediate sale in its present condition, the sale is highly probable and expected to complete within 12 months, and the disposal group is measured at the lower of its carrying amount and fair value less costs to sell.

During the year, the Group committed to a plan to dispose of its Escode business, which met the above criterion and has therefore been classified as held for sale as at 30 September 2025. Management determined the sale to be highly probable and expected to complete within 12 months. Accordingly, assets of £198.0m and associated liabilities of £39.8m relating to the Group’s Escode business have been presented as held for sale as at 30 September 2025. The Committee reviewed and concurred with management’s assessment of the held-for-sale classification, including the appropriateness of the measurement basis and related disclosures.

Discontinued operations

Under IFRS 5, a disposal Group is classified as a discontinued operation when:
* It is a component of the entity
* It has either been disposed of or is classified as held for sale
* It represents a separate major line of business or geographical area of operations, or is part of a single co-ordinated plan to dispose of such a component

Escode represents a major line of business within one of the Group’s two reportable segments, contributing 21.8% of Group revenue (2024: 20.3%) and 35.0% of Group gross profit (2024: 34.0%). Given Escode also met the criteria for classification as held for sale at 30 September 2025 (as described above), the Committee reviewed and concurred with management’s assessment that the requirements for discontinued operations were satisfied as at 30 September 2025, including the adequacy of all related disclosures.

¹ Adjusted EBITDA are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and the Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 73

The Group’s approach to materiality

In considering the materiality of any individual issue or issues in aggregate, the Group looks at a range of qualitative and quantitative measures to assess whether omitting, misstating or obscuring information could reasonably be expected to influence decisions that the primary users of general-purpose Financial Statements make on the basis of those Financial Statements. The range of measures includes (but is not limited to) the primary Financial Statements themselves, the individual line item in question, and whether the issue moves the result from one side of an inflection point to another (for example, turning a profit into a loss or a net asset into a net liability). Qualitative and quantitative measures are both considered, as is any potential impact on remuneration or banking arrangements such as debt covenants.

Internal audit

The risk and assurance function is responsible for internal audit, and the provision of assurance in relation to financial, operational and quality systems and processes. The team is responsible for supporting the implementation of risk management across the business and monitors the implementation of related action plans. During the year, 19 internal audit reports were issued to the Audit Committee covering a range of risk areas including but not limited to key financial controls, backup controls, HR and payroll processes, including IR35, expenses and business cases.

The Audit Committee maintains an ongoing review of the risk and assurance function, which reports directly into the Chair of the Committee. The Committee is responsible for approving the content and coverage of the Internal Audit Plan, which documents the links to the Group’s strategic risks, key controls and associated assurance coverage. In addition, the risk and assurance team has a co-source arrangement as required for IT specialist audits and also utilises the cyber experts from within the business. The members of the risk and assurance team are all qualified in ACA, ACCA, CIMA, or hold the CIIA qualification. The Internal Audit Plan also includes time for the continual professional development of the team.

The work of the risk and assurance function is a regular standing agenda item at all Committee meetings where a full update is provided including updates on audit and assurance activities, progress against the Internal Audit Plan, and commentary and tracking of the implementation of agreed management actions to address deficiencies in an expedited manner. All internal audit reports are provided to the PwC external audit team and discussed during regular catch-up meetings. The Internal Audit Plan is reviewed to ensure continued relevance, or is adjusted to the current environment taking a risk-based approach.

In FY25, the risk and assurance team has carried out a gap analysis against the 2024 CIIA Standards and commissioned an external quality assessment which is required once every five years. The output will be shared with the Audit Committee in early FY26.

Internal controls and risk management

The Board is responsible for establishing, maintaining and monitoring the Group’s system of risk management and internal control and reviewing its effectiveness. The Committee monitors the performance of management in this area. We have an ongoing process for identifying, evaluating and managing the principal risks faced by the Group, which has been in place for the year under review and is deemed effective up to the date of approval of the Annual Report and Accounts.# Audit Committee report continued

NCC Group plc — Annual report and accounts for the year ended 30 September 202574

The Group’s non-Cyber Security risks are monitored by the Audit Committee on behalf of the Board, which sets aside time for an in-depth discussion of notable or changing risks to the business. A description of the process for managing risk, together with a description of the principal risks and strategies to manage those risks, is provided on pages 29 to 37. Cyber risks are reviewed by the Cyber Security Committee; the Cyber Security Committee Report can be found on pages 79 and 80.

Internal control systems are designed to meet the needs of the Group and the risks to which it is exposed. By their nature, however, internal control systems are designed to manage rather than eliminate the risk of failure and can provide only reasonable but not absolute assurance against material misstatement or loss. Key elements of the risk management and internal control system are described below.

Controls relating to financial reporting and preparation of the Annual Report and Accounts

Information provided to management covering financial performance and key performance indicators, including non-financial measures
A robust internal review process to ensure the integrity of the preparation of the Annual Report and Accounts
A detailed budgeting process where business units prepare plans for the coming year
Procedures for the approval of capital expenditure and investments and acquisitions
Monthly operational reviews to monitor and reforecast results as required against the annual operating plan, with major variances followed up and management action taken where appropriate
The Group finance manual

Other controls

Defined management structure and delegation of authority to Committees of the Board, subsidiary boards and associated business units
Regional governance committees have been established to provide management with ongoing oversight
Recruitment standards and compliance training to ensure the integrity and competence of staff
Annual economic crime, ethics, data protection, information security, health and safety, export controls, sexual harassment and climate change mandatory training for all colleagues
Clearly documented internal procedures set out in the Group’s ISO 9001-2015-accredited quality manual
Regular internal audits of key processes and procedures under the Group’s ISO 9001 and ISO 27001-accredited quality assurance process
Monitoring of any whistleblowing or fraud reports

The external auditor regularly reports its findings on those areas of internal control which it assesses as part of the external audit to the Board and the Audit Committee. Our internal control effectiveness is assessed through the performance of regular checks, which in the year ended 30 September 2025 included:

Assessment of the identification and management of risks connected to the Group’s strategy and management of strategic change
Reviewing and testing the Group’s financial reporting processes
Performing compliance monitoring activities for travel, expenses and health and safety
Assessment of the Group’s processes for identifying and mitigating potential conflicts of interest
Monitoring the completion of the Group’s mandatory compliance training

Following these regular checks, it was deemed that the controls were effective and the internal control systems are designed to meet the needs of the Group and its risks.

Compliance with the revised Corporate Governance Code is being reviewed with a dry run planned for FY26. This will be discussed with the Audit Committee and progress updates communicated throughout FY26.

Whistleblowing and confidential reporting procedures

The Group operates a confidential reporting and whistleblowing procedure (known as our “whistleblowing policy”). The policy aims to support the stewardship of the Group’s assets and the integrity of the Financial Statements as well as protecting colleague welfare. The procedure is reviewed annually by the Committee to ensure that it remains fit for purpose.

The Group has appointed an independent third party reporting agent to be the first point of contact for those who do not wish to use normal internal line management channels for reporting their concerns. This is advertised both internally, via colleague noticeboards and our intranet, and externally on the website. Colleagues are asked to undertake mandatory training on an annual basis including a reminder on the Code of Ethics policy and the whistleblowing helpline. The Committee reviews any whistleblowing or confidential reporting of concerns raised during the year with respect to their nature, scale and any associated or consequential risks.

Review of the Audit Committee’s effectiveness

For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year.

External auditor appointment

The Committee is responsible for overseeing the relationship with the external auditor, including recommending to the Board their appointment, reappointment and removal, assessing their independence on an ongoing basis and approving the statutory audit fees. The Committee notes the publication in May 2023 of the FRC’s Audit Committees and the External Audit: Minimum Standard. In making these recommendations the Committee considers:

The experience, industry knowledge and expertise of the auditor
The scope and planning of the audit and any variations from the plan
The quality of the processes adopted
The auditor’s explanations of significant risks to audit quality by reference to the Company’s specific circumstances and changes to the risks
The fees charged
Its attitude to, and handling of, key audit judgements
Its ability to challenge and communicate effectively with management
The quality of the final report
The FRC’s Audit Quality Review report relating to the auditor
The appropriate and effective use of experts and specialists

PwC were appointed as the Group’s external auditors during the 16-month period ended 30 September 2024. The current audit engagement partner has now served for two periods.

The external audit

As part of the Board’s responsibility to ensure the integrity of the Company’s financial reporting and audit processes, the Audit Committee undertook a review of the effectiveness of the external audit. PwC is engaged to express an opinion on the Financial Statements. It reviews the data contained in the Financial Statements to the extent necessary to express its opinion. It discusses with management the reporting of results and the financial position of the Company and presents findings to the Committee. Where it makes recommendations in its report to the Committee, the Committee reviews them and agrees with management the manner and extent to which they should be implemented.

Each of the Directors in office at the date of this report is not aware of any relevant information that has not been made available to PwC and each Director has taken steps to be aware of all such information and to ensure it is available to PwC. PwC’s audit report is published on pages 99 to 103.

Auditor’s independence and objectivity

The Audit Committee confirms that the Company has complied with the provisions of the Statutory Audit Services for Large Companies Market Investigation Order 2014 during the financial year. The Committee received a formal statement of independence from the external auditor.

The Committee recognises the importance of ensuring that the independence and objectivity of the external auditor is not impaired through the provision of non-audit services. We have in place robust policies on the use of auditors for non-audit work. Additionally, the Audit Committee’s approval is also required for any fees for any non-audit work undertaken by the auditor.

During the year, the Group paid PwC £80,000 (2024: £80,000) for its review of the interim Financial Statements and £2,000 (2024: £2,000) for access to a generic online accounting manual (both of which are non-audit services). These represented 5.1% (2024: 4.9%) of the total audit fees. No other non-audit services were provided by the external auditor.

All significant pieces of non-audit work are put to informal tender to suitable parties that, if appropriate, can include the external auditor. Upon review as to suitability and price, the work will then be placed with the service provider recommended. If this is the external auditor, then Audit Committee approval is required. The external auditor was not engaged during the year to provide any services which may have given rise to a conflict of interest. The Committee is satisfied that the overall levels of audit and non-audit fees are not material relative to the income of the external auditor as a whole and therefore that the objectivity and independence of the external auditor were not compromised.

During the year, our external auditor received ad hoc Cyber Security services in the ordinary course of business, totalling £13,431 (2024: £151,861). The Committee is satisfied that this work is immaterial and provided on normal commercial terms to both the external auditor and the Company and therefore the objectivity and independence of the external auditor are not compromised.

External auditor’s effectiveness

Since its appointment, PwC has been fully engaged with both management and the Audit Committee to ensure a smooth and effective implementation of the audit. This has included:

Audit planning: PwC presented a detailed audit plan for the financial year ended 30 September 2025, which included its approach to significant areas of risk.
Independence: PwC has confirmed its independence in accordance with applicable regulations and has established rigorous controls to ensure this is maintained throughout its engagement.# Audit Committee report

• Engagement with management: Feedback from management indicates that PwC has adopted a thorough and collaborative approach to understanding the business’s operations, processes and risk areas. During the financial year, I attended regular meetings with PwC’s engagement partner without management being present. This provided the opportunity for open dialogue. The engagement partner demonstrated her understanding of the Group’s business risks and the consequential impact on the Financial Statements. The Audit Committee will continue to closely monitor PwC’s performance throughout the audit period and conduct a post-audit review to assess its effectiveness in delivering a high quality and independent audit. In line with the UK Corporate Governance Code, the Audit Committee will continue to monitor the effectiveness of the external audit process annually, ensuring that the Company’s auditor continues to meet the highest standards of independence, audit quality and service.

Governance NCC Group plc — Annual report and accounts for the year ended 30 September 2025 75

Fair, balanced and understandable

The following process was followed by the Committee in making its assessment:

Financial information
- Prepared by individual business units
- Consolidated by Group finance team
- Reviewed by SVP Group Finance and CFO
Narrative disclosures
- Prepared by Group finance team
- Reviewed by SVP Group Finance and CFO
- Various reports prepared by Committee Chairs, CEO and CFO
Independent reviewers
- Senior members of the Executive Committee, Global Leadership Team and/or other senior colleagues
- Those who have not been major contributors
Audit Committee Chair
- Review of detailed verification documents
- Review of findings and observations from independent reviewers
Financial information
Independent reviewers
Narrative disclosures
Audit Committee Chair

Refer to Note 29 for related party transactions during the year.

Fair, balanced and understandable

At the request of the Board, the Committee considered whether the 2025 Annual Report and Accounts, when taken as a whole, was fair, balanced and understandable (FBU) and whether it provided the necessary information for shareholders to assess NCC Group’s position and performance, business model and strategy. The reviews outlined in the diagram below include reviews of all material matters, as reported elsewhere in this Annual Report and Accounts, and reviews of the balance of good and bad news and ensure the Annual Report and Accounts correctly reflects:

The Group’s position and performance as described on pages 6 and 7 and 40 to 57
The Group’s business model as described on pages 8 and 9
The Group’s strategy as described on pages 12 and 13

The independent reviewers were not major contributors to the Annual Report and Accounts but, at the same time, as members of the Executive Committee or other senior colleagues, are deemed to be sufficiently well informed on the Group’s activities to be able to give appropriate feedback on the FBU criteria. They undertake a qualitative review of disclosures and internal consistency throughout the Annual Report and Accounts. The Directors’ statement on an FBU Annual Report and Accounts is set out on page 98.

Lynn Fordham
Chair, Audit Committee
11 December 2025

Nomination Committee report

for the Board to effectively support the Company’s strategy both in the immediate future and over several years. The Committee’s efforts in succession planning played a crucial role in recruitment activities over the years. In the forthcoming year, the Committee will continue to prioritise the establishment of suitable succession plans for various timeframes.

Diversity

Our objective is to have a broad range of skills, backgrounds, experiences and personal attributes within the Board as this ensures the Board is best placed to serve the Company. All appointments are made on merit and against objective criteria with due regard for the benefits of diversity on the Board, including gender identity, nationality and educational and professional background, as well as individual characteristics which will enhance diversity of thinking on the Board. NCC Group and the Committee value the aims and objectives of the FTSE Women Leaders Review (formerly the Hampton-Alexander Review on FTSE women leaders) and the Parker Review on ethnic diversity of UK boards and support and apply the Group’s diversity policy. The Committee is also mindful of the Group’s diversity policy when making appointments to the Board Committees (Audit, Cyber Security, Nomination and Remuneration), ensuring an appropriate range of backgrounds across Committee members to enhance quality decision making. The Group’s gender diversity statistics are set out on page 19.

At Board level, we currently have three females, one of whom is a person of colour; however, we note that diversity extends beyond the measurable statistics of gender and ethnicity. We continue to take diversity in its wider context into account, having regard to the diversity policy, and recommend only the most appropriate candidates for appointment to the Board.

During the year ended 31 May 2021, we made the firm commitment that by 2024, we would have at least 33% female representation on our Board and at least one person of colour. In 2022 we delivered on our commitment and we will also meet the FTSE Women Leaders Review target of 40% by the end of 2025. Although this is best practice for FTSE 350 companies, we have committed to this target regardless of which share index we are in. Our Board now has 43% female representation. We remain focused on ensuring diversity within our leadership population and will continue to address this during future Board and Executive Committee appointments. Improvements in diversity are often not a quick process; however, we are very mindful of the need to continue to take positive action, and the matter remains an ongoing priority on our agenda.

Accessing the candidates we require to reach this target will involve us looking beyond the obvious pool of existing board directors within the UK and we are committed to ensuring that we extend our talent search to other sectors and locations globally to ensure we find a diverse pool of candidates to provide us with true diversity of thought, culture and lived experience, around our Board table.

When a new Director is appointed, they receive a full, formal and tailored induction into the Company and discuss with the Chair to identify any immediate and longer-term training requirements. The Committee’s terms of reference can be found in the Investor Relations section of the Company’s website. The terms of reference are reviewed annually and updated when necessary.

Committee meetings

During this financial year, the Committee held one scheduled meeting. The attendance of individual Committee members at Nomination Committee meetings is shown in the table on page 65. The members of the Nomination Committee are Julie Chakraverty, Jennifer Duvalier and Lynn Fordham, along with me.

The Nomination Committee’s objectives and responsibilities

The Nomination Committee is responsible for reviewing the size, structure, balance, composition and progressive refreshing of the Board and its Committees and as such its duties include:

Reviewing the structure of the Board
Evaluating the balance of skills, knowledge, experience and diversity on the Board
Making recommendations for further recruitment to the Board or proposing changes to the existing structure of the Board, or individual Directors
Reviewing the leadership needs of the Company, both Executive and Non-Executive
Succession planning for Directors and other senior Executives within the business
Recruiting, appointing and exiting of Directors
Overseeing membership of, and succession to, the various Board Committees
Reviewing the time commitment required from the Non-Executive Directors on NCC Group business

The Chair of the Board leads the process for the appointment of new Non-Executive Directors to the Board and for the appointment of the Chief Executive Officer. The Chief Executive Officer, in conjunction with the Chair, leads the process for the Chief Financial Officer. The Senior Independent Director leads the process for a new Chair of the Board.

In relation to an appointment to the Board, the Committee draws up a specification and assesses the capabilities and experience required for such a role, taking into account the Board’s existing composition, including relevant experience and understanding of our stakeholder groups. We also assess the time commitment required. Candidates are sought by third party executive search consultants and, where appropriate, through the assessment of internal candidates and are then formally considered by the Nomination Committee. Extensive external referencing is also completed.

Board succession

The Committee is tasked with overseeing the succession planning process and providing recommendations to the Board.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 76# Nomination Committee report

Activities during the year

During the year, the Committee:
* Evaluated the skills, knowledge and experience around the Board
* Reviewed the structure, size and composition of the Board
* Reviewed the Directors’ length of service
* Reviewed the diversity of the Board
* Reviewed the memberships of all Committees
* Reviewed the expected time commitment of the Chair and the Non-Executive Directors

During the year, the Nomination Committee has had an in-depth presentation from the Chief People Officer, focused on leadership, succession planning and talent management and development, informed by insights from our data analysis and the external environment. These presentations looked at the overall current position, and in particular senior succession, i.e. the Executive Committee and its direct reports.

Presentations and updates during the year

This year the Committee has had a number of presentations and updates on various colleague matters across the Group, including:
* Undertook a deep dive into Board composition and succession, inclusive of Chair succession
* Reviewed achievements over the previous year for the global people team and looked forward to priorities for the year ahead
* Reviewed our ongoing development of capability, with a particular focus on senior succession and talent
* Reviewed our approach to collecting colleague diversity data, with a focus on building colleague sentiment
* Considered the generational perspectives of colleagues within the Group and their diverse needs from an organisational and leadership perspective
* Received comprehensive colleague engagement briefings on survey results from the “MyVoice” survey (which utilises the Glint platform), along with the agreed next steps and future commitments in response to colleague feedback. Exit interview data and key themes were also presented to the Committee
* Reviewed both present and former colleague sentiment on Glassdoor and LinkedIn
* Explored our current global leadership KPIs and discussed opportunities for improvement

To support the ambition and our commitment to improving global diversity, we continue to focus on:

Processes

Removing barriers to entry and making our talent attraction and acquisition experience best in class, leading to a review of our selection methodology and a new framework being developed, to help level the playing field for under-represented communities, remove bias and create a robust and valid way of identifying and selecting talent
The ongoing review of our policies, processes and documentation to ensure all bias is removed (including adverts and job descriptions), and ensuring the use of inclusive language wherever possible

Culture

We continue to embed our behavioural framework into the business via our global, hiring, onboarding and manager capability programmes
We completed the rollout of our Enabling Performance Leadership programme to our Group leadership team (GLT)/extended leadership team (ELT) populations. We also delivered a series of other management development interventions to support leadership and manager capability
Our colleague resource groups have continued to meet regularly and there has been some investment with external partnerships and events. The intention is to continue to have an ExCom sponsor to provide support for our DEI colleague resource to make a positive change and build awareness, to foster inclusion, awareness and meaningful conversations while empowering colleagues to make positive change and cultivate an inclusive working environment
Moments that Matter continues to embed and evolve as a suite of supportive, people-focused policies designed around our colleagues and their needs

Colleague voice

Committed to an ongoing open dialogue with our colleagues, through our biannual engagement survey (“MyVoice”), colleague forums, live leadership “Ask Me Anything” sessions, Board engagement sessions with colleagues, our colleague resource groups, listening sessions and our whistleblowing lines which all play an active role in creating a great place to work (for further information, please see the Stakeholder Engagement section on pages 14 and 15)
We have a “Speak Up” framework which was launched globally the previous year to provide clear guidance and signposting to colleagues, covering the various routes to raise concerns, and the relevant policies to address these issues where required, as well as to share colleague feedback
NCC Diamonds, our annual colleague recognition programme, completed its fifth cycle. NCC Diamonds provides colleagues across the organisation with the opportunity to nominate individuals or teams for the incredible work they do, recognising the brilliance and accomplishments of their peers. Nominations are linked to our NCC Group values, followed by regional and global judging panels, with each category winner receiving a “money can’t buy” experience

Long term

We continue to develop our employer brand to broaden our attraction strategies to ensure we remain current and attractive in an extremely competitive global tech talent market
Building strategic partnerships with organisations to support our commitment to create an inclusive and diverse environment
Connecting the initiatives at every stage of colleagues’ lives and careers to create enriched career pathways and achieve the best return for investment with improved colleague retention. Initiatives include work experience, the Next Generation Talent programme, mentoring and CyberFirst bursaries and alumni programmes

Committee effectiveness

For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year.

External search consultancies

During the year, no external search agencies were engaged.

Chris Stone
Chair, Nomination Committee
11 December 2025

Nomination Committee report continued

The Cyber Security Committee’s objectives and responsibilities

The Cyber Security Committee is responsible for assessing the performance of the Group’s internal security and defences and as such its duties are to:
* Oversee and advise the Board on the current cyber risk exposure of the Group and future cyber risk strategy
* Review at least annually the Group’s Cyber Security breach response and crisis management plan
* Review reports on any Cyber Security incidents and the adequacy of resulting actions
* Receive and consider the regular update reports from the DIS and GC and ensure the DIS and GC are given the right of direct access to the Committee
* Consider and recommend actions in respect of all cyber and data protection risk issues escalated to it
* Keep under review the effectiveness of the Group’s controls, services and products to analyse potential vulnerabilities that could be exploited
* Regularly assess what the Group’s most valuable intangible assets are and the most sensitive Group and customer information and assess whether the controls in place sufficiently protect those assets and information
* Review the Group’s ability to identify and manage new cyber risks
* Assess the adequacy of resources and funding for data protection and Cyber Security defence and control activities
* Regularly review the cyber and data protection risk posed by third parties including outsourced IT and other partners
* Oversee Cyber Security and data protection due diligence undertaken as part of an acquisition and advise the Board of the risk exposure
* Annually assess the adequacy of the Group’s cyber insurance cover

The Committee’s terms of reference can be found in the Investor Relations section of the Company’s website. The terms of reference are reviewed annually and updated when necessary.

The Cyber Security Committee was formed to focus specifically on the cyber and data protection risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business and the potential damage to the business as a high value target for malicious acts. The Committee’s activities aim to challenge and support improvements to the Group’s information security and data protection policies, defences and controls, so as to comply with global data protection regulations around the world, and ensure that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention.

The Committee was formed in November 2016 and I have been Chair since July 2022. Jennifer Duvalier and Lynn Fordham (both Independent Non-Executive Directors) served as members of the Committee throughout the year. Chris Stone (Company Chair) is also a member of the Committee. The Group’s SVP, Global Governance, Estates and Procurement, the Director of Internal Security (DIS), and the Group General Counsel (also Head of Data Governance) (GC) are standing invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate, as are the Data Protection and Governance Officers.

Julie Chakraverty
Chair, Cyber Security Committee

Committee effectiveness

For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year.# Cyber Security Committee report

During the year the Committee, along with the Board, reaffirmed that Cyber Security and data protection are sufficiently important risks for the business and that the Committee should remain focused on this specific set of risks. Therefore, the current structure in which the responsibility for broader risk management remains with the Audit Committee will continue.

Committee activities during the year

The continuing focus, in terms of Cyber Security, was ensuring the risks to the Group remained well documented and the types of threats and attacks were well understood, building on a risk analysis which was performed during the year before to ensure cyber risks map to the enterprise risk architecture, and the work of the Global Technical Services (GTS) security team was tailored to the highest value areas. Training has been a critical area once again this year, with an increased emphasis on identifying phishing emails as this is an attack vector that is frequently observed. All colleagues now partake in monthly phishing exercises that cycle through difficulty levels to target different attacker sophistication, with educational assistance sent out post-exercise to help identify suspicious elements of an email that may indicate a phishing attack. Board training and updates on developments within Cyber Security are also provided regularly.

Turning to data protection, the regulatory landscape is continually evolving – this past year saw regulatory updates including the Data (Use and Access) Act 2025 (UK), the phased implementation of certain aspects of the European Union Artificial Intelligence Act (EU AI Act), and changes to Australia’s Privacy Act coming into effect, to name a few. The data protection and governance team, along with colleagues in the Group legal team, is working closely to stay abreast of such changes and support the business accordingly. The team has also continued to experience a number of Data Subject Rights Requests it receives as individuals become more aware of their rights under GDPR.

Noteworthy highlights since our previous report include:

All Rights Requests received this year have been fulfilled within legally compliant time periods.
Considerable work has gone into our public facing policies and notices. The transparency of information provided to the public and colleagues has significantly improved in line with best practice. This includes the candidate notice (which is available in English, Spanish and, in the coming weeks, Dutch) and sub-processor and third party processor information, amongst others.
The project to transfer our Records of Processing Activities into a unified system nears completion. Following last year’s work on the standard terms and conditions, further work has been done to strengthen the Group’s data protection position in client contracts through updates to the data processing agreements. Additionally, appendices have been drafted for each service line. This provides clarity to clients and ensures a tailored and commercial approach.

Committee meetings

During this financial year, although the Committee only met once, meetings were held in September 2024 and October 2025 in the weeks just preceding and following the financial year. The attendance of individual Committee members at the Cyber Security Committee meetings is shown in the table on page 65.

Julie Chakraverty
Chair, Cyber Security Committee
11 December 2025

Cyber Security Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
80

Remuneration Committee report

Base salaries

During the year ended 30 September 2025, the Committee reviewed and benchmarked both the CEO’s and CFO’s salary. The Committee increased the CEO’s base salary by 2.5% taking Mike’s salary from £561,350 to £575,384, with effect from 1 June 2025, which was slightly lower than the increase for the wider workforce (circa 2.9%). After due deliberation, the Committee agreed to increase Guy Ellis’s base salary by 9.6% from £312,000 to £342,000 with effect from 1 June 2025. As a reminder, on appointment (in June 2023), Guy’s salary was set somewhat below the benchmark level (against similar sized peers operating in IT services and adjacent sectors). Since then, Guy has not just settled into the role but has exceeded expectations with positive engagement with shareholders and significant contribution to various initiatives. For these reasons we felt it was appropriate to award an above workforce rate increase. Alongside this increase, the Committee also increased Guy’s notice period from 6 to 12 months, recognising his contribution to the business and the need to retain him for the medium to long term.

For the forthcoming financial year, the Committee has taken the decision to increase Guy’s salary by a further 9.6% from £342,000 to £375,000, with effect from 1 October 2025. The Committee was very mindful that this increase follows shortly after the previous increase. However, since the departure of the CIO, Guy is now also responsible for the Global Technical Services (GTS) function. This is a significant change and step up in Guy’s scope of responsibilities for which the Committee wanted to ensure he was appropriately remunerated. It is anticipated at this stage that future increases for Guy will be aligned to those for the workforce.

Performance related pay – annual bonus

The annual bonus targets for the year ended 30 September 2025 for both the CEO and CFO were based on the satisfaction of stretching financial and strategic targets. The financial target of Group Adjusted operating profit for the year to 30 September 2025 had a weighting of 60%. Group Adjusted operating profit was £23.7m and this resulted in a payout of 24.8% of the 60%. The strategic objectives had a weighting of 40% and covered a number of areas supporting the pillars of the strategy, together with people and operational excellence objectives. The Committee determined that the strategic element should pay out at 36.5% for the CEO, and 40% for the CFO. Further detail on performance against strategic objectives is provided later in the report. This resulted in a total bonus for the year of 61.3% for the CEO and 64.8% for the CFO of maximum resulting in a bonus payout of £433,719 for the CEO and £260,820 for the CFO. For both the CEO and CFO, 35% of the aggregate bonus in excess of £50,000 earned over the year to 30 September 2025 will be deferred into shares and will vest after two years. Clawback and malus provisions are also in place for the bonus. The Committee considered whether it should exercise any discretion to the bonus outcomes. The Committee concluded that the aggregate outcomes from the financial and the strategic, non-financial elements were a fair reflection of the performance in the relevant areas, and the Committee therefore decided not to exercise any discretion.

For 2025/26, the Committee has considered the weighting of metrics in the annual bonus. The Committee concluded that the weighting on the Group Adjusted operating profit should be maintained at 60% of maximum, to continue to give appropriate emphasis to this metric. The remaining 40% will apply to key strategic metrics, with stretching targets. These will include targets linked to the pillars of the strategy, together with people and operational excellence objectives. These will be fully disclosed in the Remuneration Report for 2025/26.

On behalf of your Board, I am pleased to present our Directors’ Remuneration Report (DRR) for the year ended 30 September 2025. The report is divided into three sections: the Remuneration Committee Chair’s Statement, a brief summary of the shareholder approved Directors’ Remuneration Policy for the period 2025–2028, and the Annual Report on Remuneration for FY25. At the AGM in January 2025, 80.33% of shareholders voted in favour of the Directors’ Remuneration Report and 89.61% of shareholders voted in favour of the Directors’ Remuneration Policy, and I would like to thank shareholders for their continuing support on both these areas.

Annual statement

The Committee comprised Julie Chakraverty, Lynn Fordham and me as Chair. Our Board Chair, Chris Stone, also attended all meetings. Our remuneration consultants, Chief People Officer, Director of Reward and Benefits, CEO and other Executives, including the SVP, Group Finance, were invited to meetings as required, although we always ensure that we have time without Executives present, and no Executive was present when decisions relating to their own reward were made. The Committee closely monitors shareholder guidance and feedback on remuneration. Shareholder voting on AGM remuneration resolutions is reviewed annually, shareholders are consulted when changes to policy are being considered and major shareholders have the opportunity to provide annual feedback to the Board and Remuneration Committee on NCC Group’s remuneration approach at annual engagement meetings.

Remuneration Policy and changes

Throughout the year ended 30 September 2025, we operated both within the Remuneration Policy that was approved by shareholders at the AGM in November 2021 (until 28 January 2025), and then the Remuneration Policy that was approved by shareholders at the AGM in January 2025 (from 28 January 2025). The main changes to our Remuneration Policy were summarised within the 2024 Remuneration Report, along with information as to how we dealt with our change in year end from 31 May to 30 September, and how we dealt with a longer 16 month accounting period to 30 September 2024.

Jennifer Duvalier
Chair, Remuneration Committee

Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
81

Annual statement continued

Performance related pay – LTIP

During the year ended 30 September 2025, no LTIP awards were made to either the CEO or CFO.# Remuneration Committee report continued

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Remuneration at a glance

The Directors’ Remuneration Policy was approved by shareholders at the AGM on 28 January 2025 and our approach to implementing this for our Executive Directors can be found below:

Element	Approach	Approach for FY25	Approach for FY26
Salary	Reviewed annually taking into account Group and personal performance. Increases are normally in line with the wider workforce but also take into account other factors such as changes to responsibility, development and complexity of the role.	Salaries from 1 October 2024: • Mike Maddison (CEO) – £561,350 • Guy Ellis (CFO) – £312,000 until 1 June 2025, £342,000 from 1 June 2025	Salaries from 1 October 2025: • Mike Maddison (CEO) – £575,384 • Guy Ellis (CFO) – £375,000
Benefits	Benefits principally include private medical insurance, income protection and life assurance.	As per the policy. No change for FY26.
Pension	Pensions for FY25 were in line with the maximum employer contribution available to the majority of the workforce.	Pensions in line with the workforce rate of 4.5% of salary. No change for FY26.
Annual bonus	Maximum annual bonus of 125% of salary. 35% of any bonus payment in excess of £50,000 is normally deferred into shares or nominal cost share options which vest after a two year period. Malus and clawback provisions apply.	Maximum annual bonus of 125% of salary. Performance measures: • 60% Adjusted operating profit • 40% strategic objectives	No change for FY26.
Long Term Incentive Plan	Maximum annual award levels: • Mike Maddison (CEO) – 175% of base salary • Guy Ellis (CFO) – 150% of base salary Awards have a performance period of at least three years and are normally subject to a further holding period of two years. Malus and clawback provisions apply.	For FY25, neither of the Executive Directors were granted awards. LTIP awards are expected to be made in December 2025/ January 2026 during the financial year ending 30 September 2026, which will be for performance period 1 October 2025 to 30 September 2028.
Shareholding requirement	200% of salary. Post-cessation shareholding guidelines of 200% of salary for year one and 100% of salary for year two after stepping down as an Executive Director.	As per the policy. No change for FY26.

FY25 annual bonus outcome

Performance measure	Threshold (20%)	Target (40%)	Maximum (60%)	Actual	Weighting	Outcome achieved
Adjusted operating profit	£23.1m	£25.6m	£ 29.1m	£23.7m	60%	24.8%
Strategic	Strategic	Strategic	Strategic	Strategic (see page 86)	40%	CEO – 36.5% CFO – 40.0%
Total					100%	CEO – 61.3% CFO – 64.8%

2022 LTIP award outcomes

Performance measure	Threshold (15% vesting)	Target (50% vesting)	Maximum (100% vesting)	Actual	Weighting	Outcome achieved
Adjusted EPS growth	6%	N/A	18%	(31%)	60%	0%
Cash conversion	80%	85%	90%	92%	20%	20%
TSR Median	N/A	Upper quartile	Lower quartile		20%	0%
Total					100%	20%

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Annual Report on Remuneration

This part of the report has been prepared in accordance with Part 3 of The Large and Medium-sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013 as amended and 9.8.8R of the Listing Rules. The following report will be subject to an advisory shareholder vote at the AGM, which is scheduled to be held on 3 March 2026. The information on pages 81 to 93 has been audited where indicated.

How the Remuneration Policy has been implemented in the year ended 30 September 2025

This section sets out how the Remuneration Policy was implemented in 2024/25. The key implementation decisions during the year related to:

Review of salaries for the Executive Directors
The determination of bonus outcomes for the 2024/25 performance period
The performance outcome of the 2022–2025 LTIP

Further detail on these decisions, together with other information on payments made to Directors, is set out in the following sections.

Single total figure of remuneration (audited)

The detailed emoluments received by the Executive and Non-Executive Directors for the year ended 30 September 2025 are below. For ease of comparison, a 12 month period to 30 September 2024 has also been shown (these figures are, however, unaudited, with the audited figures being the 16 month period to 30 September 2024).

As reported in the 2024 Directors’ Remuneration Report, for the LTIP awards made in June 2024, the Committee proposed an uplift to the award opportunity for all long-term incentive participants of four months to allow for a smoother transition between LTIP grants given the change to the accounting reference date. In the future, awards will be granted in January with the performance period starting on 1 October. Our next cycle of LTIP awards is scheduled to take place in either December 2025 or January 2026. The performance period for these LTIP awards will be 1 October 2025 to 30 September 2028.

The 2022 LTIP (in which only the CEO participated) vested at 20% of maximum. This was based on the cash conversion element (weighting 20%) being achieved in full, but with below-threshold achievement of the EPS growth and TSR metrics. The Committee considered whether any downward discretion should be applied to the overall vesting outcome. It concluded that it remained important to recognise and continue to incentivise strong levels of cash conversion and that it would not be appropriate to apply discretion to the payment outcome given the relatively low weighting on this element. The Committee also considered NCC Group’s underlying performance and the experience of both our shareholders and wider workforce.

Non-Executive Director and Chair’s fees

In accordance with our Remuneration Policy, the fees for Non-Executive Directors were reviewed by the Company Chair, CEO and CFO, based on data provided by our remuneration consultants. After careful consideration, it was determined that these would be increased by 5% during 2024/25 with the increases being effective 1 October 2024. This was against benchmarked data and the fact that Non-Executive Directors had not had any increases to base fees since 1 June 2022.The base fee was increased from £51,500 to £54,000.

The Remuneration Committee also conducted a review of the fees for the Board Chair, utilising data provided by our remuneration consultants. After careful consideration, it was determined that these would be increased by 5% during 2024/25 with the increases being effective 1 October 2024. This was against benchmarked data and the fact that the Chair fee had not had any increases since 1 June 2022. The base fee was increased from £154,500 to £162,225. In addition, in December 2025 the Committee increased the Chair’s base fee by 2.5% taking Chris’s fee from £162,225 to £166,280, with effect from 1 October 2025, which was slightly lower than the increase for the wider workforce (circa 2.9%).

Details of these fees and allowances are given in the Annual Report on Remuneration on page 92

Grants of shares under a below-Board Restricted Share Plan to broaden colleague share ownership

We remain committed to broadening share ownership throughout the Group, both as a reward and a retention tool. During the year, we made further grants to over 170 colleagues under our Restricted Share Plan (RSP) in January 2025, and in July 2025 made an inaugural grant to all colleagues, around 120, in the Philippines who had passed their probation period. In addition, we also offered colleagues the opportunity to participate in our Save As You Earn/stock purchase share plans in the UK, the US, Canada, the Netherlands, Australia, Spain and (for the first time) the Philippines. Once again, these proved popular with high take-up levels. The Group also continues to operate and actively promote the Share Incentive Plan (SIP) for UK-based colleagues, further increasing our commitment to cost effective colleague share ownership.

Colleague engagement

There are a number of existing channels of communication with colleagues with regard to NCC Group’s remuneration policies and executive remuneration. Our engagement survey enables colleagues to provide feedback confidentially on many employment issues, including remuneration. Our designated NED for workforce engagement also held a number of colleague engagement sessions during the year in which colleagues were invited to provide feedback and comments on any issue, including executive remuneration and broader remuneration policies. In particular, a question and answer discussion is always held on executive remuneration and how this aligns with the wider Company pay policy. Our designated NED also reminds colleagues where the information can be located and answers any questions as they arise. The Committee also receives regular feedback from the Chief People Officer and the Director of Reward and Benefits on how colleagues perceive our remuneration policies and practices in the context of recruitment, retention and motivation. This information is used by the Committee in its monitoring and development of remuneration policies.

Conclusion

The 2025 Directors’ Remuneration Report will be put to the usual annual advisory vote at the AGM on 3 March 2026. The Committee is committed to engagement and transparency and I welcome the opportunity for discussion of the Group’s remuneration with shareholders, at our AGM or at any other time during the year, and look forward to your continuing support.

Jennifer Duvalier
Chair, Remuneration Committee
11 December 2025## Remuneration Committee report continued

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 84

Director	Period ended	Salary/ Non-Executive Director fees £000	Benefits £000	Pension benefits £000	Total fixed pay £000	Annual bonus £000	Long-term incentive £000	Total variable pay £000	Total £000
Chris Stone	30 Sept 2025	171	—	—	171	—	—	—	171
	12 months to 30 Sept 2024	163	—	—	163	—	—	—	163
	16 months to 30 Sept 2024	217	—	—	217	—	—	—	217
Mike Maddison	30 Sept 2025	566	7	26	599	434	127	561	1,160
	12 months to 30 Sept 2024	550	7	24	581	582	—	582	1,163
	16 months to 30 Sept 2024	710	14	32	756	757	—	757	1,513
Guy Ellis 8	30 Sept 2025	322	6	14	342	261	—	261	603
	12 months to 30 Sept 2024	304	6	14	324	301	—	301	625
	16 months to 30 Sept 2024	379	8	17	404	380	—	380	784
Julie Chakraverty 6	30 Sept 2025	88	—	—	88	—	—	—	88
	12 months to 30 Sept 2024	85	—	—	85	—	—	—	85
	16 months to 30 Sept 2024	114	—	—	114	—	—	—	114
Jennifer Duvalier	30 Sept 2025	70	—	—	70	—	—	—	70
	12 months to 30 Sept 2024	67	—	—	67	—	—	—	67
	16 months to 30 Sept 2024	90	—	—	90	—	—	—	90
Lynn Fordham 7	30 Sept 2025	70	—	—	70	—	—	—	70
	12 months to 30 Sept 2024	67	—	—	67	—	—	—	67
	16 months to 30 Sept 2024	90	—	—	90	—	—	—	90
Mike Ettling	30 Sept 2025	59	—	—	59	—	—	—	59
	12 months to 30 Sept 2024	56	—	—	56	—	—	—	56
	16 months to 30 Sept 2024	75	—	—	75	—	—	—	75
Tim Kowalski	30 Sept 2025	—	—	—	—	—	—	—	—
	12 months to 30 Sept 2024	—	—	—	—	—	—	—	—
	16 months to 30 Sept 2024	28	2	1	31	—	—	—	31
Chris Batterham	30 Sept 2025	—	—	—	—	—	—	—	—
	12 months to 30 Sept 2024	—	—	—	—	—	—	—	—
	16 months to 30 Sept 2024	28	—	—	28	—	—	—	28
Total	30 Sept 2025	1,346	13	40	1,399	695	127	822	2,221
	12 months to 30 Sept 2024	1,292	13	38	1,343	883	—	883	2,226
	16 months to 30 Sept 2024	1,731	24	50	1,805	1,137	—	1,137	2,942

1 The Chair and Non-Executive Directors each receive an allowance paid as part of their base fees of £8,200 and £4,750 respectively, to cover all travel and expenses related to their roles on the Board.
2 Benefits currently include the provision to every Executive Director of private medical insurance, income protection and life assurance. Benefits also include the discount to market value (plus savings bonus) of the SAYE option granted to Guy Ellis during the financial year.
3 Executive Directors are entitled to a Company pension contribution, which is paid into the Group defined contribution personal pension scheme. They can also opt to have the same level of contribution made in the form of a cash contribution.
4 Annual bonus payments for performance in the relevant financial year – 35% of this bonus above £50,000 is deferred into nominal cost share options for two years. Dividend equivalents accrue on these shares. Awards are subject to service conditions but there are no further performance conditions.
5 Long-term incentive awards vesting under the LTIP – 87,281 shares vested to Mike Maddison with respect to the LTIP granted in 2022 which had a performance period ending on 30 September 2025. These have been valued using a share price of £1.45, which is the three month average share price over July, August and September 2025. These shares were awarded based on a share price of £2.005 on the day before the date of grant. As a result, the change in share price since the date of grant has resulted in an loss in value of £48,441. Guy Ellis did not have any LTIP awards vesting during the year to 30 September 2025. The awards made to Tim Kowalski are covered within payments to former Directors.
6 Julie Chakraverty joined the Board on 1 January 2022 and took over from Jennifer Duvalier as the designated Non-Executive Director for workforce engagement on behalf of the Board. On 1 July 2022, Julie took over from Chris Stone as Chair of the Cyber Security Committee, and on 1 February 2023 she took over from Chris Batterham as the Senior Independent Director.
7 Lynn Fordham was appointed to the Board on 1 September 2022 and became Chair of the Audit Committee on 1 February 2023.
8 Guy Ellis was appointed CFO on 30 June 2023.

Additional information in respect of the single total figure of remuneration

Pension and benefits

The CEO’s and CFO’s pension provisions are in line with the level of the wider workforce, which is currently 4.5% of salary. These are either paid as pension contributions, or cash in lieu of pension.

Annual bonus (audited)

2024/25 annual bonus (audited)

For the year ended 30 September 2025, the maximum annual bonus opportunity for Mike Maddison and Guy Ellis was 125% of salary. For the 12 months ended 30 September 2025, bonuses of 61.3% for the CEO and 64.8% for the CFO of maximum were payable, being £433,719 and £260,820 respectively for Mike Maddison and Guy Ellis. In accordance with the Remuneration Policy, 35% of each payment (above £50,000) will be deferred into nominal cost share options for two years (these shares are subject to service conditions but there are no further performance conditions), with the remaining 65% paid in cash in December 2025. The performance measures and targets are set out below.

Financial targets – up to 60% of the annual bonus for the financial year to 30 September 2025 (audited)	Threshold (20%)	Target (40%)	Max. (60%)	Actual Weighting Outturn	Weighting	Outturn
Performance targets
Mike Maddison
Adjusted operating profit 1 , target for CEO and CFO £	23.1m	£25.6m	£ 29.1m	£23.7m	60%	24.8%
Guy Ellis
Adjusted operating profit 1 , target for CEO and CFO £	23.1m	£25.6m	£ 29.1m	£23.7m	60%	24.8%
Strategic
The strategic targets were set individually for the Executive Directors based on key strategic objectives for the year in their area of responsibility – see below.					40%	36.5%
Total payout (% of bonus)					100%	61.3%
Bonus opportunity £	707,535
Total bonus for the year to 30 September 2025 £				433,719		260,820
Amount paid in cash (65%) £				299,417		187,033
Amount deferred in shares (35%) £				134,302		73,787

1 Adjusted operating profit – previous measure is an Alternative Performance Measure (APM) and not an IFRS measure. (See Note 3 for an explanation of APMs and adjusting items.)

Governance NCC Group plc — Annual report and accounts for the year ended 30 September 2025 85

Annual Report on Remuneration continued

Additional information in respect of the single total figure of remuneration continued

Annual bonus (audited) continued

Strategic targets – up to 40% of the annual bonus for the financial year to 30 September 2025 (audited)

The table below highlights the key strategic targets and achievements for each Executive Director. Bonus target ranges have been disclosed to the extent possible, but the achievement of some areas is determined by the Committee based on its judgement of performance.

Bonus target ranges have been disclosed to the extent possible, but the achievement of some areas is determined by the Committee based on its judgement of performance.	Year ended 30 September 2025
	Target and performance conditions
CEO targets
Our clients Ensure that the organisation is better equipped to grow sales in key areas of focus.	10%
Our capabilities Improve NCC Group’s revenue trajectory in agreed investment areas of our four cyber capabilities.	7.5%
Global delivery Ensure the successful rollout of Kantata and effective use of our global resources.	7.5%
Differentiated brands Build profile (top of the funnel) to drive greater demand within key markets. Drive demand within key markets to build pipeline.	5%
People and operational excellence Simplify business operations and structure, globalise processes, and reduce costs. Set up and operate during FY25 regional operating and governance/compliance boards in all regions. Demonstrate a commitment to improving engagement across the business by taking action on opportunities identified through Glint surveys. Focus on developing a client-focused culture, driving service excellence.	5%
Insight, innovation and intelligence Develop innovative services that capitalise on advances in AI, data sharing and/or automation, to build reputation, grow thought leadership and research activity and improve revenue growth and profitability.	5%
CEO outcome
CFO targets
Our clients Ensure that we are selling and delivering work that drives improved margins.	5%
Global delivery Ensure the successful rollout of Kantata and effective use of our global resources.	7.5%
People and operational excellence Simplify business operations and structure, globalise processes, and reduce costs. Set up and operate during FY25 regional operating and governance/compliance boards in all regions. Demonstrate a commitment to improving engagement across the business by taking action on opportunities identified through Glint surveys. Focus on developing a client-focused culture, driving service excellence.	27. 5%
CFO outcome

Long Term Incentive Plan (LTIP) vesting (audited)

The LTIP awards made in October 2022 (with a performance period of 1 June 2022 to 30 September 2025) will vest in December 2025. Mike Maddison was a beneficiary of these and achieved a vesting of 20% of the award of 436,408 shares, being 87,281 shares.

Remuneration Committee report continued NCC Group plc — Annual report and accounts for the year ended 30 September 2025 86# Executive Number of LTIP awards

Executive	Number of LTIP awards	Basis	Performance period
Mike Maddison	436,408	175% of base salary	1 June 2022 to 30 September 2025

The performance conditions for these awards are set out below:

Weighting	Component	Metric	Threshold (15% vesting)	Maximum (100% vesting)	Actual performance	Actual % vested	Vesting basis
60%	Adjusted basic EPS – previous measure 2,3	CAGR growth over a three-year period	6%	18%	(31%)	0%	Straight line between threshold and maximum
20%	Cash conversion – previous measure 2,4	Average cash conversion ratio – previous measure over a three year period	80%	90%	92%	20%	Straight line between threshold and target, then target and maximum
20%	TSR	TSR over three years vs FTSE 250 comparator group (excluding investment trusts)	Median	Upper quartile	Lower quartile	0%	Straight line between threshold and maximum
Total

Long-term incentives granted during the financial year to 30 September 2025 (audited)

During the financial year to 30 September 2025, neither of the Executive Directors were granted awards.

SAYE options granted in the year ended 30 September 2025 (audited)

The Group operates an HMRC-approved SAYE scheme. All eligible colleagues, including Executive Directors, may be invited to participate on similar terms for a fixed period of three years. During the year, Guy Ellis joined the 2025 SAYE scheme (which will mature on 1 September 2028) and has options over 9,668 shares with an option price of £1.1387. No awards vested this year for either Executive Director.

Payments for loss of office and to past Directors (audited)

No payments were made for loss of office during the year. Tim Kowalski stepped down as CFO on 30 June 2023. The LTIP awards made in October 2022 (with a performance period of 1 June 2022–30 September 2025) will vest in December 2025. Tim Kowalski was a beneficiary of these and achieved a vesting of 20% of the award of 97,951 shares, being 19,590 shares (the original number of shares granted was 248,857 shares which was pro-rated for service). These awards are subject to the post-employment shareholding guideline.

Directors’ interests in shares (audited)

The tables below set out details of the Executive Directors’ outstanding share awards, which will vest in future years subject to performance conditions and/or continued service.

Summary of maximum LTIP awards outstanding

	Total LTIP options held at 30 September 2024¹	Granted during the year	Exercised during the year	Share price on date of exercise	Lapsed during the year	Total LTIP options held at 30 September 2025¹
Mike Maddison	2,399,730	—	—	N/A	349,127	2,050,603
Guy Ellis	845,639	—	—	N/A	—	845,639

¹ Includes only unvested and unexercised LTIP options.
² Adjusted basic EPS – previous measure ³ , cash conversion – previous measure ⁴ , and cash conversion ratio – previous measure are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 and Financial Review for an explanation of APMs and adjusting items.
³ Adjusted basic EPS – previous measure is statutory basic EPS before share-based payments, amortisation of acquired intangibles and Individually Significant Items and the tax effect thereon.
⁴ Cash conversion – previous measure ratio percentage of net cash flow from operating activities before interest and tax divided by Adjusted EBITDA – previous measure.

All awards granted under the LTIP are subject to continued employment and the satisfaction of the performance conditions as set out above. The awards were all nil-cost options.

Share ownership (audited)

The beneficial and non-beneficial interests of the current Directors in the share capital of NCC Group plc at 30 September 2025 are set out below. (Details of Executive Director shareholding requirements and achievement against these are set out below.)

	Beneficial interests in ordinary shares¹	Nil-cost options subject to performance²	SAYE options³	Deferred bonus nil-cost options⁴	Vested but unexercised nil-cost options	Total
	30 Sept 2025	30 Sept 2024	30 Sept 2025	30 Sept 2024	30 Sept 2025	30 Sept 2024
Chris Stone	756,195	712,843	—	—	—	—
Mike Maddison	171,707	148,063	1,963,322	2,399,730	18,699	18,699
Guy Ellis	1,602	3,533	845,639	845,639	9,668	—
Julie Chakraverty	63,914	63,914	—	—	—	—
Jennifer Duvalier	19,115	19,115	—	—	—	—
Mike Ettling	50,000	50,000	—	—	—	—
Lynn Fordham	50,000	50,000	—	—	—	—

¹ This information includes holdings of any connected persons.
² These awards represent the outstanding LTIP interests, included in the table above, which are due to vest after 30 September 2025.
³ Representative SAYE scheme interests, which will vest after the end of the three year savings period in 2027, or 2028.
⁴ Nominal cost share options granted under the deferred bonus plans, subject to a service condition, tax and National Insurance (for Guy Ellis, awards made under the Restricted Share Plan of 9,450 shares made prior to his promotion to CFO are also included in this figure).

During the year, awards were made under the Deferred Annual Bonus Schemes to the CEO and CFO of 59,493 shares and 33,066 shares respectively, which had a face value of £81,864 and £45,500 respectively.

Following the year ended 30 September 2025, the following Directors dealt shares under the colleague HMRC approved UK Share Incentive Plan. The number of shares traded are shown below:

On 17 October 2025, Mike Maddison and Guy Ellis purchased 113 and 56 shares respectively at £1.4527.
On 17 November 2025, Mike Maddison and Guy Ellis purchased 114 and 57 shares respectively at £1.4487.

Shareholding requirements (audited)

The Executive Directors are expected to build and retain a shareholding in the Group equivalent to at least 200% of base salary. Executives will normally be required to retain all vested deferred bonus shares and LTIP shares released from the holding period, until they have attained the minimum shareholding requirement and, even then, only when they have held vested LTIP shares for a minimum period of two years. Executive Directors will also be required to retain all shares vesting from SAYE schemes. For the avoidance of doubt, Executive Directors are permitted to sell sufficient shares in order to meet any tax obligation arising from vesting shares. The table below sets out the Executive Directors’ shareholding requirements and achievement against these. The percentages within this table have been calculated using a three month average share price (1 July 2025 to 30 September 2025) of £1.45, and include all unvested deferred bonus plans on a net of tax and National Insurance basis.

	Shareholding requirements (% of salary)	Shareholding as at 30 September 2025 (% of salary)	Requirement met
Mike Maddison	200%	69%	No
Guy Ellis	200%	21%	No

Relative importance of the spend on pay

The table below presents the percentage change in total colleague remuneration relative to total dividends (interim and final) for the current and prior financial periods.

	12 month financial year to 30 September 2025 £m	16 month financial period to 30 September 2024 £m	% change
Colleague remuneration costs¹	203.3	283.6	(28.3%)
Dividends for the period	14.5	24.3	(40.3%)

¹ Based on the figure shown in Note 6 to the consolidated Financial Statements.

Percentage change in the remuneration of Directors

The table below shows the movement in the salary or fees, benefits and annual bonus for each Director over the last five financial years compared to the equivalent changes for all colleagues of the Company. The comparator group for salaries and benefits is all colleagues in the UK. During the year, UK-based colleagues were provided with a medical cash plan, along with the addition of critical illness cover. There are no employees of NCC Group plc. The comparator group for the bonus is those in the senior management population who also have an annual scheme and excludes those on commission and incentive plans.

Executive Directors

Year	Mike Maddison (CEO)	Guy Ellis (CFO)	All colleagues
% increase in salary
2024/25	2.5%	9.6%	4.67%
2023/24 (16 months)	18.6%	—	7.4%
2023/24 (12 months)	16.5%	—	6.7%
2022/23	—	—	7.9%
2021/22	—	—	5.1%
2020/21	—	—	5.1%
% increase in benefits
2024/25	—	—	139%
2023/24 (16 months)	950.0%	—	—
2023/24 (12 months)	1,000.0%	—	—
2022/23	—	—	—
2021/22	—	—	—
2020/21	—	—	—
% increase in annual bonus
2024/25	(17.0%)	2.0%	(19.0%)
2023/24 (16 months)	1,841.0%	—	561.0%
2023/24 (12 months)	1,241.0%	—	412.0%
2022/23	—	—	(89.0%)
2021/22	—	—	(40.0%)
2020/21	—	—	1.0%

Non-Executive Directors

Non-Executive Directors do not receive benefits and are not eligible to participate in the annual bonus and therefore do not have those rows in the table below.

Year	Chris Stone	Julie Chakraverty	Jennifer Duvalier	Lynn Fordham	Mike Ettling
% increase in salary
2024/25	4.7%	2.9%	3.7%	3.7%	4.4%
2023/24 (16 months)	—	9.6%	—	46.7%	—
2023/24 (12 months)	—	9.0%	—	45.7%	—
2022/23	3.0%	225.0%	2.0%	—	2.0%
2021/22	14.0%	—	29.0%	—	20.0%
2020/21	(5.0%)	—	2.0%	—	(8.0%)

The decrease and subsequent increase of NED fees in 2020/21 and 2021/22 are the results of the removal and reintroduction of the travel allowance and a review of NED fee levels. The travel allowance was removed in 2020/21 due to the lower levels of travel resulting from the reaction to the pandemic and then was reintroduced in 2021/22. The combination of these factors results in changes which are not reflective of changes to NED fee levels.The changes are also affected by the comparison of fees for a full year to fees for a part year when a Director joins or leaves. The increase for the CEO’s / CFO’s salary has been explained within the Committee Chair’s opening statement. The significant increase in CEO bonus in 2023/24 from the previous year was caused by the 2022/23 bonus paying out at a very low level, with the 2023/24 bonus being paid out at a much higher level. For the 2023/24 16 month comparison, this has been annualised to provide a meaningful comparison to the prior year. To note that for the 2022/23 year, Mike Maddison (CEO) joined on 7 July 2022 hence the 2022/23 year is not a full year for comparison purposes. To note that for the 2023/24 year, Guy Ellis (CFO) was appointed on 30 June 2023 hence the 2023/24 period is not a full year for comparison purposes and there is no prior year comparator. The increase to the CFO’s salary above the average increase to colleagues during the year has been explained earlier in the Chair’s introductory letter.

Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 89

Annual Report on Remuneration continued

Chief Executive pay compared to pay of UK colleagues

The following table shows the ratio between the single total figure of remuneration (STFR) of the Chief Executive for 2024/25 and the lower quartile, median and upper quartile pay of our UK colleagues. The salary and total pay and benefits for the lower quartile, median and upper quartile colleagues are also shown.

Financial year	Method	25th percentile pay ratio	50th percentile pay ratio	75th percentile pay ratio
2019/20	Option B	18:1	12:1	8:1
2020/21	Option B	27:1	18:1	11:1
2020/21	Option C	26:1	16:1	12:1
2021/22	Option C	23:1	14:1	10:1
2022/23	Option C	22:1	14:1	10:1
2023/24	Option C	25:1	16:1	11:1
2023/24 (16 months)	Option C	26:1	17:1	11:1
2024/25	Option C	22:1	15:1	9:1

Financial year to 30 September 2025

	Mike Maddison, CEO	25th percentile	50th percentile	75th percentile
Salary (£000)	566	45	69	68
Total pay and benefits (£000)	1,160	52	79	122

CEO pay ratio

The CEO pay ratio has been calculated using Option C, which we deem the most appropriate methodology for NCC Group. Under Option C, we have used the most recent P60 information (for the 2024/25 tax year) to determine the relevant colleague at the 25th, 50th and 75th percentile. As such the data was correct as of 5 April 2025. As in prior years, we have omitted joiners and leavers from the data to ensure that the data is on a like-for-like basis. This option was chosen in preference to the other possibilities as it uses the most accurate and comprehensive data currently available and provides a fair reflection of the total pay received by colleagues. We are satisfied that the applicable colleagues chosen are a fair representation of the workforce. The CEO pay ratio has marginally decreased due to the following reasons: the CEO had a lower than workforce average pay increase for the reasons explained within the Committee Chair’s opening statement, the business adopted a real living wage approach, and is also considering joining the “Living Wage Foundation”, and the pay review philosophy this year was to focus on lower paid colleagues more affected by the continued cost of living pressures. The pay ratio is consistent with the pay, reward and progression policies currently in place at NCC Group.

Performance graph and table

The following graph shows the total shareholder return, with dividends reinvested, from 1 October 2015 against the corresponding changes in a hypothetical holding in shares in both the FTSE All Share and FTSE 250 Indices. The FTSE All Share and FTSE 250 Indices represent broad equity indices. The Company is a constituent member of the FTSE 250 and FTSE All Share Index and the Committee has adopted the FTSE 250 Index for part of its LTIP performance measure. Both indices give a market capitalisation-based perspective. During the financial year ended 30 September 2025, the Company’s share price varied between £1.27 and £1.73 and ended the financial year at £1.48. Ten year historical TSR performance is the growth in the value of a hypothetical £100 holding over ten years. It has been calculated for NCC Group plc and the FTSE All Share, FTSE 250 and FTSE Small Cap Indices (excluding investment trusts) based on spot values.

250
200
150
100
50
0
2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025
£100 £121 £73 £63 £64 £93 £79 £65 £43 £54 £79
Value (£)
NCC Group plc
FTSE All Share Index
FTSE 250 (excluding investment trusts)
FTSE Small Cap (excluding investment trusts)

The share price was £1.73 on 1 October 2024 and £1.48 on 30 September 2025.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 90

Remuneration Committee report continued

The table below shows the total remuneration for the Chief Executive over the same ten year period, including share awards valued at the date they vested.

Period ended	Incumbent	Total remuneration £000	Annual bonus % of maximum	Long-term incentives % of maximum
30 September 2025	Mike Maddison	1,160	61	20
31 May/30 September 2024	Mike Maddison	1,081/1,513	80/100	—
31 May 2023 1	Mike Maddison	1,005	7.5	—
31 May 2023 2	Adam Palser	26	—	30
31 May 2022	Adam Palser	1,081	60	59
31 May 2021	Adam Palser	1,110	92	40
31 May 2020	Adam Palser	861	23	52
31 May 2019	Adam Palser	679	48	—
31 May 2018 3	Adam Palser	292	3	32
31 May 2018 4	Brian Tenner	257	4	32
31 May 2017	Rob Cotton	610	—	—
31 May 2016	Rob Cotton	1,091	70	20

1 Mike Maddison was appointed on 7 July 2022. The amount above is in respect of the period from 7 July 2022 to 31 May 2023. Mike Maddison was not eligible for long-term incentives vesting in 2023 and 2024. However, LTIP awards vested at 30% and 30% in 2023 and 2024 respectively.

2 Adam Palser stepped down from the Board on 17 June 2022. The amount above is in respect of the period from 1 June 2022 to 17 June 2022.

3 Adam Palser was appointed on 1 December 2017. The total remuneration figure above is in respect of the period from 1 December 2017 to 31 May 2018.

4 During the year ended 31 May 2018, Brian Tenner acted as Interim Chief Executive Officer for the period 1 June 2017 to 30 November 2017. The total remuneration figure above is the total remuneration received in relation to that six month period.

5 Note that this shows the annual bonus payments as a percentage of the maximum opportunity. (For 2024, 80% relates to the 12 months to 31 May 2024, and 100% relates to the four months to 30 September 2024. Two figures are shown due to the change in financial year end and the 16 month financial period.)

6 This shows the LTIP vesting level as a percentage of the maximum opportunity.

Membership and attendance

The Remuneration Committee membership consists solely of Non-Executive Directors and comprises Jennifer Duvalier, Julie Chakraverty and Lynn Fordham. The Company Chair, Chief Executive Officer, SVP, Group Finance, Chief People Officer, Director of Reward and Benefits and Company Secretary attend the Remuneration Committee meetings by invitation of the Chair of the Committee from time to time and assist the Committee with its considerations. No Director is involved in setting their personal remuneration. The attendance of individual Committee members at Remuneration Committee meetings is shown within the table on page 65.

Committee effectiveness

For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year. Further information can be found on page 68.

Adviser to the Committee

During the year, the Committee received advice on senior executive remuneration from Mercer and was comfortable that the advice was objective and independent. Mercer was appointed via an open tender process. Mercer is a founding member of the Remuneration Consultants Group and is a signatory to its Code of Conduct. The total fee charged in 2024/25 for providing advice in relation to executive remuneration was £75,364 with fees being determined on a time and expenses basis.

Service contracts and letters of appointment

The service contracts and letters of appointment of the current Directors include the following terms:

Date of contract	Notice period
Executive
Mike Maddison	28 April 2022
Guy Ellis	30 June 2023
Non-Executive
Chris Stone	31 March 2017
Julie Chakraverty	27 October 2021
Jennifer Duvalier	25 April 2018
Mike Ettling	21 September 2017
Lynn Fordham	19 July 2022

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 91

Annual Report on Remuneration continued

How will the Remuneration Policy be implemented in the year ending 30 September 2026?

Executive Directors’ base salaries

Increases were made to the base salaries of both Executive Directors for the year ended 30 September 2025. The table below details the Executive Directors’ salaries as at 30 September 2025 and salaries which are in force on 1 October 2025, with the next review of salaries taking place during the year ending 30 September 2026, in line with the wider workforce.

	Base salary at 30 September 2025 £000	Base salary at 1 October 2025 £000	% change
Chief Executive Officer – Mike Maddison	575	575	0%
Chief Financial Officer – Guy Ellis	342	375	9.6%

Pension

Pensions will remain aligned with the level for other colleagues.

Annual bonus

The annual bonus maximum in 2025/26 will be 125% of salary for the Chief Executive Officer and 125% for the Chief Financial Officer, with 60% based on the achievement of Adjusted operating profit targets and 40% based on the achievement of strategic targets. These targets are commercially sensitive and will be disclosed in the next Annual Report. Awards will also be subject to the Committee’s assessment of the overall financial health of the business.In addition, to ensure that this bonus opportunity results in shareholder alignment and provides greater retention value, 35% of any bonus payment will be deferred into nominal cost share options over £50,000 for a period of two years. The bonus, nominal cost share options and associated dividend equivalents are also subject to malus and clawback provisions.

Long Term Incentive Plan (LTIP)

LTIP awards were granted in June 2024, and no further awards were made under the LTIP scheme for the year ended 30 September 2025, with the next round of LTIP awards expected to be made in December 2025/January 2026 during the financial year ending 30 September 2026, which will be for performance period 1 October 2025 to 30 September 2028.

Non-Executive Directors’ fees

In line with the current policy, Non-Executive Director fees are reviewed annually. The last increase to Non-Executive Director fees was applied on 1 June 2022. During the financial year ended 30 September 2025, a review was carried out of Non-Executive Directors’ fees and the decision was taken to increase them by 5%, effective 1 October 2024. Fees will be reviewed again in the financial year ending 30 September 2026:

	FY26	FY25
Chair fee (excluding travel allowance of £8,200)	£166,280	£162,225
Non-Executive Director base fee (excluding travel allowance of £4,750)	£54,000	£54,000
Supplemental fees for additional responsibilities:
SID	£10,000	£10,000
Audit Committee Chair	£11,000	£11,000
Remuneration Committee Chair	£11,000	£11,000
Cyber Security Committee Chair	£8,000	£8,000
Designated NED for workforce engagement	£11,000	£11,000

Remuneration Committee report continued

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 92

Statement of shareholder voting

The following votes were received from the shareholders in respect of the Directors’ Remuneration Report and in respect of the Remuneration Policy:

	Remuneration Report (2025 AGM)		Remuneration Policy (2025 AGM)
	Total number of votes	% of votes cast	Total number of votes	% of votes cast
For	165,819,347	80.33	219,536,691	89.61
Against	40,605,441	19.67	25,454,793	10.39
Total votes cast (for and against excluding withheld votes)	206,424,788		244,991,484
Votes withheld	43,886,409		5,319,714
Total votes cast (including withheld votes)	250,311,197		250,311,198

1 Includes Chair’s discretionary votes.
2 A vote withheld is not a vote in law and is not counted in the calculation of the proportion of votes cast “for” and “against” a resolution.

Approved by the Board and signed on its behalf:

Jennifer Duvalier
Chair, Remuneration Committee
11 December 2025

Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 93

The Directors present their report and the audited Group and Company Financial Statements of NCC Group plc (the “Company”) and its subsidiaries (together, the “Group”) for the financial year ended 30 September 2025.

Principal activities

The Company is a public limited company incorporated in England, registered number 4627044, with its registered office at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ. The principal activity of the Group is the provision of independent advice and services to customers through the provision of software resilience and Cyber Security services. The principal activity of the Company is that of a holding company.

Going concern

At the time of approving the Financial Statements, the Board of Directors is required to formally assess that the business has adequate resources to continue in operational existence and as such can continue to adopt the “going concern” basis of accounting. To support this assessment, the Board is required to consider the Group’s current financial position, its strategy, the market outlook, and its principal risks. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections.

The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons. The Directors have prepared cash flow and covenant compliance forecasts for 12 months from the date of approval of the Financial Statements which indicate that, taking account of severe but plausible downsides on the operations of the Group and its financial resources, the Group will have sufficient funds to meet its liabilities as they fall due for that period. The going concern period is required to cover a period of at least 12 months from the date of approval of the Financial Statements and the Directors still consider this 12 month period to be an appropriate assessment period due to the Group’s financial position and trading performance and that its current borrowing facilities do not expire until April 2029 (following the Group successfully refinancing in April 2025 – see below and Note 22). The Directors have considered whether there are any significant events beyond the 12 month period which would suggest this period should be longer but have not identified any such conditions or events.

In April 2025, the Group refinanced its borrowing arrangements by entering into a new four year £120m multi-currency revolving credit facility (RCF), with an uncommitted £50m accordion option. This new unsecured facility replaces the previous £162.5m RCF (which was in existence as at 30 September 2024), which was due to expire in December 2026 and included an uncommitted accordion option of up to £75m. The uncommitted accordion option has not been included in the Group’s going concern assessment as it remains subject to lender approval and is therefore not guaranteed at the date of approval of these Financial Statements.

As of 30 September 2025, net cash (excluding lease liabilities) was £13.1m, comprising cash and cash equivalents of £16.4 m, a bank overdraft of £nil, and a drawn revolving credit facility of £5.2m (excluding £1.9 m of unamortised borrowing fees). The Group also had £114.8 m of undrawn committed facilities, excluding an uncommitted accordion facility of £50.0 m. The Group’s day-to-day working capital requirements are met through existing cash resources, the revolving credit facility and receipts from its continuing business activities.

The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA) 1 and interest cover (Adjusted EBITDA 1 to interest charge) that are tested biannually on 31 March and 30 September each year. As of 30 September 2025, leverage amounted to 0.0x and net interest cover amounted to 8.1x compared to a maximum of 3.0x and a minimum of 3.5x respectively. The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and are materially similar to amounts noted in these Financial Statements with the exceptions being net debt which excludes IFRS 16 lease liabilities and Adjusted EBITDA 1.

The Group was in compliance with the terms of all its facilities during the year, including the financial covenants on 30 September 2025, and, based on forecasts, expects to remain in compliance over the going concern period. In addition, the Group has not sought or is not planning to seek any waivers to its financial covenants noted above.

Management has performed base case modelling derived from the FY26 Board-approved budget and forecasts beyond this budgeted period, reflecting scenarios both with and without the potential disposal of its Escode business (incorporating any associated impact on the Group’s banking facilities and expected net cash position). In addition, management has prepared forecasts reflecting severe but plausible downside scenarios, considering the principal risks faced by the Group, such as the loss of key customers and further reductions in the Group’s Technical Assurance Services (‘TAS’) Cyber business. These forecasts, including all scenarios modelled, have been reviewed by the Directors, support their expectation that the Group will operate within its available committed banking facilities and meet its liabilities as they fall due throughout the assessment period. The assumptions underpinning these forecasts (and severe yet plausible downside scenarios) are set out in more detail in the Viability Statement on pages 38 and 39.

Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Group will have sufficient funds to meet its liabilities as they fall due for a period of at least 12 months from the date of approval of Financial Statements. This period is referred to as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 30 September 2025.

Directors’ report

1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 94

Additionally, the Group remains in the early stages of reviewing a number of strategic options for its Cyber business, however no decision has been made on which option will be pursued as of 11 December 2025. Accordingly, no material uncertainties have been identified that would cast significant doubt on the Group’s ability to continue as a going concern in relation to this ongoing process.

From a Company perspective, the Company places reliance on other Group trading entities for financial support.The Company controls these Group entities and therefore has the ability to direct the financial activities of the Group. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements, which is determined as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 30 September 2025. There are no post-Balance Sheet events which the Directors believe will negatively impact the going concern assessment.

Results and dividends

The Group’s and Company’s audited Financial Statements for the financial year ended 30 September 2025 are set out on pages 104 to 158. The Directors propose a final dividend of 3.15p per ordinary share, which, together with the interim dividend of 1.5p per ordinary share paid on 1 August 2025, makes a total dividend of 4.65p for the year ended 30 September 2025. The final dividend will be paid on 10 April 2026, subject to approval at the AGM on 3 March 2026, to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026.

Share capital and control

At the AGM held on 28 January 2025, the Directors were granted authority to allot up to 104,913,324 ordinary shares representing approximately one-third of the Company’s issued share capital. In addition, the Directors were granted authority to allot a further 104,913,324 ordinary shares, again representing approximately one-third of the Company’s issued share capital, solely to be used in connection with a pre-emptive rights issue. As at 30 September 2025, the Company’s issued ordinary share capital comprised 315,006,079 ordinary shares with a nominal value of 1p each. During the financial year ended 30 September 2025, 481,449 shares in the Company were issued further to the exercise of options pursuant to the Company’s share option schemes. The holders of ordinary shares are entitled, among other rights, to receive the Company’s Annual Reports and Accounts, to attend and speak at general meetings of the Company, to appoint proxies and to exercise voting rights. Details of the movements of the called up share capital of the Company are set out in Note 25 to the Financial Statements and the information in this note is incorporated by reference and forms part of this Directors’ Report.

All rights and obligations attaching to the Company’s ordinary shares are set out in the Company’s Articles of Association (the “Articles”), copies of which can be obtained from the Companies House website or by writing to the Company Secretary. Unless otherwise provided in the Articles, the terms of issue of any shares, any restrictions from time to time imposed by laws or regulations (for example insider trading laws) or pursuant to the UK Market Abuse Regulation whereby certain Directors, officers and colleagues of the Group require the approval of the Company to deal in ordinary shares of the Company, any shareholder may transfer any or all of their shares. The Company is not aware of any agreements between shareholders that may result in restrictions on the transfer of securities and/or voting rights. The Directors may refuse to register a transfer of shares in certificated form that are not fully paid up or otherwise in accordance with the Articles.

Authority to purchase own shares

At the AGM held on 28 January 2025, shareholders authorised the Company to make market purchases of up to 31,473,997 ordinary shares representing approximately 10% of the issued share capital. At the 2026 AGM, shareholders will be asked to give a similar authority. During the year, the Employee Benefit Trust purchased 4m shares in connection with the Company’s employee share plans.

Directors

Biographical details of the Company’s current Directors are set out on pages 62 and 63 together with the names of Directors that have held office during the year. Subject to law and the Company’s Articles of Association, the Directors may exercise all of the powers of the Company and may delegate their power and discretion to Committees. The Company’s Articles of Association give the Directors power to appoint and replace Directors. Under the terms of reference of the Nomination Committee, any appointment to the Board of the Company must be recommended by the Nomination Committee for approval by the Board. The Articles of Association also require one-third of the Directors to retire by rotation each year end and each Director must offer themselves for re-election at least every three years. However, in accordance with previous years and in accordance with best practice, all Directors will submit themselves for re-election at the AGM each year. During the year, no Director had any material interest in any contract of significance in the Group’s business.

Offer period

On 16 July 2025, the Company confirmed that it is in the early stages of commencing a review of all strategic options for its Cyber business (Cyber Review) and that such Cyber Review includes a range of potential outcomes including potential offers for the entire issued and to be issued share capital of the Company (Announcement). The Company gave notice, in accordance with Rule 2.11 of the City Code on Takeovers and Mergers (Code), that it was in an ‘Offer Period’ pursuant to the Code. At the time of approval of these Accounts, the Company remains in this Offer Period.

Governance

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 95

Directors’ and Officers’ insurance and indemnities

The Company maintains Directors’ and Officers’ liability insurance, which provides appropriate cover for any legal action brought against its Directors (including those who served as Directors or Officers during 2024/25). This cover was in place throughout the financial year ended 30 September 2025 and up to the date of this Directors’ Report. The Directors of the Company have also entered into individual deeds of indemnity with the Company which constitute as qualifying third-party indemnity provisions for the purposes of section 234 of the Companies Act 2006. The deeds were in effect during the course of the financial year ended 30 September 2025 for the benefit of the Directors and, at the date of this report, are in force for the benefit of the Directors in relation to certain losses and liabilities which they may incur (or have incurred) in connection with their duties, powers or office.

Colleagues

The Group uses a number of ways to engage with its colleagues on matters that impact them and the performance of the Group. These include briefings by members of the Executive Committee, regular team meetings, the Group’s intranet site, global communications and update emails which together provide, among other information, an awareness of the financial and economic factors affecting the Company’s performance. Further information on how the Directors engage with colleagues along with how colleague interests are taken into account during decision making can be found within the Corporate Governance Report on pages 58 to 70. We also conduct colleague engagement surveys to ensure all colleagues are given a voice in the organisation. We offer colleagues the opportunity to purchase ordinary shares in the Company through participation in either the Company’s Save As You Earn (SAYE) scheme or Employee Stock Purchase Plan (ESPP). Colleagues in the UK also have the opportunity to purchases shares through a Share Incentive Plan (SIP). All these schemes help to encourage colleague interest in the performance of the Group.

Business relationships with suppliers, customers and others

The Directors have summarised how they have fostered the Company’s business relationships with suppliers, customers and others on pages 14 and 15. In addition, on page 65 the Directors have included the principal decisions taken by the Company during the financial year.

Equal opportunities

The Group is committed to providing equality of opportunity to all colleagues without discrimination and applies fair and equitable employment policies which seek to promote entry into and progression within the Group. Appointments are determined solely by application of job criteria, personal ability, behaviour and competency. In the opinion of the Directors, all colleague policies are deemed to be effective and in accordance with their intended aims.

Disabled persons

Disabled persons have equal opportunities when applying for vacancies, with due regard to their aptitudes and abilities. Procedures ensure that disabled colleagues are fairly treated in respect of training and career development. For those colleagues becoming disabled during the course of their employment, the Group is supportive so as to provide an opportunity for them to remain with the Group, wherever reasonably practicable.

Political donations and expenditure

NCC Group believes in the rights of individuals to engage in the democratic process; however, it is NCC Group’s policy not to make political donations. There were no political donations made or political expenditure incurred during the financial year ended 30 September 2025. To be clear, it is not the Company’s policy to make political donations, the Company has not made a political donation in the past, and the Company has no intention either now or in the future of changing its policy or making any political donation or incurring any political expenditure in respect of any political party, political organisation or independent election candidate.# Directors’ Report

The resolution is put forward to allow the Company to support the community and put forward its views to wider business and government entities without running the risk of being in inadvertent breach of the law.

Sustainability Report

The Company’s Sustainability Report provides an update on the Group’s policies and activities in respect of its wider stakeholders, including colleagues; community, environmental, ethical and health and safety issues; and modern slavery.

Overseas branches

As at 30 September 2025, the Group had no overseas branches.

Research and development

We are committed to using innovative, cost effective and practical solutions for providing high quality services and we recognise the importance of ensuring that we focus our investment on the development of technology. The Group’s research and development expenditure is predominantly associated with computer and software systems.

Change of control

In the event of a change of control of the Company, the Group and each of its lenders shall enter into negotiation for a period to determine how the Group’s loan facilities may continue and if after negotiation there is no agreement the lender has the right to cancel the commitment. There are no agreements between the Company and its Directors or colleagues providing for compensation for loss of office or employment (whether through resignation, purported redundancy or otherwise) that occurs because of a takeover bid.

Disclosure of information to the auditor

The Directors who held office at the date of approval of this Directors’ Report confirm that, so far as they are each aware, there is no relevant audit information of which the Company’s auditor is unaware; and each Director has taken all the steps that they ought to have taken as a Director to make themselves aware of any relevant audit information and to establish that the Company’s auditor is aware of that information.

Reappointment of auditor

In accordance with section 489 of the Companies Act 2006, a resolution for the reappointment of PricewaterhouseCoopers LLP (PwC) as auditor of the Company is to be proposed at the forthcoming AGM.

Directors’ report continued

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 96

AGM

The Notice of the Company’s AGM to be held at 1pm on 3 March 2026 at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ, along with details of the business to be proposed and explanatory notes, will be available on the Group’s website together with the Annual Report and Accounts. All shareholders will be notified by post or email, at their request, when the documents have been made available. The Board recognises that the AGM provides an important opportunity to engage with shareholders. Therefore, the Company will ensure that shareholders can submit any questions in writing prior to the AGM as outlined in the Notice of AGM. The result of the poll vote will be made available as soon as possible after the meeting on our website.

Capitalised interest

During the year, no interest was capitalised by the Group (2024: £nil). The tax benefit on this amount was £nil (2024: £nil).

Reporting requirements

The following sets out the location of additional information forming part of the Directors’ Report, which is incorporated by reference into this report:

Reporting requirement	Location
Board’s assessment of the Group’s internal control systems	Corporate Governance Report on page 69 and Audit Committee Report on page 74
Details of uses of financial instruments and specific policies for managing financial risk	Note 23 (Financial Instruments) on pages 144 to 147
Directors’ interests	Remuneration Committee Report on page 88
Directors’ Responsibilities Statement	Directors’ Responsibilities Statement on page 98
Directors’ remuneration including disclosures required by Schedule 5 and Schedule 8 of SI2008/410 – Large and Medium-sized Companies and Groups (Accounts and Reports) Regulations 2008	Remuneration Committee Report on pages 81 to 93
DTR 4.1.8.R – Management Report – the Directors’ Report and Strategic Report comprise the Management Report	Directors’ Report on pages 94 to 97 and Strategic Report on pages 1 to 57
Going Concern Statement	Directors’ Report on pages 94 and 95 and Going Concern section within Note 1 on pages 111 and 112
Greenhouse gas emissions and energy consumption	TCFD Report on pages 22 to 27
Likely future developments of the business and Group	Strategic Report on pages 1 to 57
LR 9.8.4 (4) – Long-term incentive schemes	Remuneration Committee Report on pages 81 to 93
LR 9.8.6 (2) – Substantial shareholders	Shareholder Engagement section of Corporate Governance Report on page 70
Statement on corporate governance	Corporate Governance Report, Audit Committee Report, Nomination Committee Report and Remuneration Committee Report on pages 58 to 93.
Statement of compliance with the UK Corporate Governance Code is on page 60
Strategic Report – Companies Act 2006 section 414A–D	Strategic Report on pages 1 to 57

The Strategic Report on pages 1 to 57 and this Directors’ Report on pages 94 to 97 have been approved and authorised for issue by the Board. They were signed on its behalf by:

Mike Maddison
Chief Executive Officer
11 December 2025

Guy Ellis
Chief Financial Officer
11 December 2025

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 97

Directors’ responsibilities statement

Statement of Directors’ responsibilities in respect of the Financial Statements

The Directors are responsible for preparing the Annual Report and the Financial Statements in accordance with applicable law and regulation. Company law requires the Directors to prepare Financial Statements for each financial year. Under that law the Directors have prepared the Group Financial Statements in accordance with UK-adopted International Accounting Standards and the Company Financial Statements in accordance with United Kingdom Generally Accepted Accounting Practice (United Kingdom Accounting Standards, comprising FRS 101 ‘Reduced Disclosure Framework’, and applicable law).

Under company law, Directors must not approve the Financial Statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and Company and of the profit or loss of the Group for that period.

In preparing the Financial Statements, the Directors are required to:
* Select suitable accounting policies and then apply them consistently
* State whether applicable UK-adopted International Accounting Standards have been followed for the Group Financial Statements and United Kingdom Accounting Standards, comprising FRS 101, have been followed for the Company Financial Statements, subject to any material departures disclosed and explained in the Financial Statements
* Make judgements and accounting estimates that are reasonable and prudent
* Prepare the Financial Statements on the going concern basis unless it is inappropriate to presume that the Group and Company will continue in business

The Directors are responsible for safeguarding the assets of the Group and Company and hence for taking reasonable steps for the prevention and detection of fraud and other irregularities. The Directors are also responsible for keeping adequate accounting records that are sufficient to show and explain the Group’s and Company’s transactions and disclose with reasonable accuracy at any time the financial position of the Group and Company and enable them to ensure that the Financial Statements and the Directors’ Remuneration Report comply with the Companies Act 2006. The Directors are responsible for the maintenance and integrity of the Company’s website. Legislation in the United Kingdom governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.

Directors’ confirmations

The Directors consider that the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group’s and Company’s position and performance, business model and strategy.

Each of the Directors, whose names and functions are listed in the Board of Directors section of this report, confirms that, to the best of their knowledge:
* The Group Financial Statements, which have been prepared in accordance with UK-adopted International Accounting Standards, give a true and fair view of the assets, liabilities, financial position and profit of the Group
* The Company Financial Statements, which have been prepared in accordance with United Kingdom Accounting Standards, comprising FRS 101, give a true and fair view of the assets, liabilities and financial position of the Company
* The Strategic Report includes a fair review of the development and performance of the business and the position of the Group and Company, together with a description of the principal risks and uncertainties that they face

In the case of each Director in office at the date the Directors’ Report is approved:
* So far as the Director is aware, there is no relevant audit information of which the Group’s and Company’s auditor is unaware
* They have taken all the steps that they ought to have taken as a Director in order to make themselves aware of any relevant audit information and to establish that the Group’s and Company’s auditor is aware of that information

For and on behalf of the Board

Mike Maddison
Chief Executive Officer
11 December 2025

Guy Ellis
Chief Financial Officer
11 December 2025

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 98

Independent auditors’ report to the members of NCC Group plc

Report on the audit of the financial statements

Opinion

In our opinion:
* NCC Group plc’s group financial statements and company financial statements (the “financial statements”) give a true and fair view of the state of the group’s and of the company’s affairs as at 30 September 2025# Independent auditors’ report

to the members of NCC Group plc

Report on the audit of the financial statements

Opinion

In our opinion, the Annual report and accounts for the year ended 30 September 2025 (the "Annual Report") are published on pages 1 to 138.

In our opinion, the financial statements:
* give a true and fair view of the state of the group and of the parent company as at 30 September 2025;
* have been properly prepared in accordance with United Kingdom adopted international accounting standards as applied in accordance with the provisions of the Companies Act 2006; and
* have been properly prepared in accordance with United Kingdom Generally Accepted Accounting Practice (United Kingdom Accounting Standards, including FRS 101 “Reduced Disclosure Framework”, and applicable law).

We have audited the financial statements, included within the Annual report and accounts (the “Annual Report”), which comprise: the Consolidated and Company balance sheets as at 30 September 2025; the Consolidated income statement, the Consolidated statement of comprehensive income, the Consolidated cash flow statement and the Consolidated and Company statements of changes in equity for the year then ended; and the notes to the financial statements, comprising material accounting policy information and other explanatory information. Our opinion is consistent with our reporting to the Audit Committee.

Basis for opinion

We conducted our audit in accordance with International Standards on Auditing (UK) (“ISAs (UK)”) and applicable law. Our responsibilities under ISAs (UK) are further described in the Auditors’ responsibilities for the audit of the financial statements section of our report. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Independence

We remained independent of the group in accordance with the ethical requirements that are relevant to our audit of the financial statements in the UK, which includes the FRC’s Ethical Standard, as applicable to listed public interest entities, and we have fulfilled our other ethical responsibilities in accordance with these requirements. To the best of our knowledge and belief, we declare that non-audit services prohibited by the FRC’s Ethical Standard were not provided. Other than those disclosed in Audit Committee report, we have provided no non-audit services to the company or its controlled undertakings in the period under audit.

Our audit approach

Overview

Audit scope

The group is organised into 52 management reporting units. The group financial statements are a consolidation of these reporting units and its centralised consolidation adjustments.
Of the 52 reporting units, we identified one reporting unit which, in our view, required an audit of its complete financial information. We also identified further seven management reporting units that required specific audit procedures to be performed over selected financial statement line items. We also performed audit procedures over the consolidation adjustments.
The entities where we conducted audit work, together with audit work performed at the consolidated level, accounted for approximately 87% (2024: 91%) of the group’s total revenue.
For the remaining 44 management reporting units which were not subject to further audit procedures, we performed analytical procedures over 10 of these reporting units to respond to any potential risks of material misstatement in the group financial statements. The remaining 34 reporting units were considered to be inconsequential for the group’s financial statements.
Included within above are the management reporting units relating to the group’s Escode business, which has been reclassified as held for sale and presented as a discontinued operation. Our audit scope included performing specific audit procedures relating to the presentation of the Escode business, including Escode specific consolidation adjustments.

Key audit matters

Recoverability of goodwill in UK and APAC Cyber Security cash generating unit (group)
Recoverability of Investments in subsidiary undertakings (parent)

Materiality

Overall group materiality: £3,000,000 (2024: 3,200,000) based on 1% of total revenue (including discontinued operations).
Overall company materiality: £3,200,000 (2024: £3,400,000) based on 1% of total assets.
Performance materiality: £2,250,000 (2024: 2,400,000) (group) and 2,400,0000 (2024: 2,500,000) (company).

The scope of our audit
As part of designing our audit, we determined materiality and assessed the risks of material misstatement in the financial statements.

Key audit matters

Key audit matters are those matters that, in the auditors’ professional judgement, were of most significance in the audit of the financial statements of the current period and include the most significant assessed risks of material misstatement (whether or not due to fraud) identified by the auditors, including those which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team. These matters, and any comments we make on the results of our procedures thereon, were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters. This is not a complete list of all risks identified by our audit.

Recoverability of goodwill in UK and APAC Cyber Security cash generating unit is a new key audit matter this year. Recoverability of goodwill in North America Cyber Security cash generating unit, which was a key audit matter last year, is no longer included because of the goodwill relating to the cash generating unit was fully impaired in the previous year. Otherwise, the key audit matters below are consistent with last year.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 99

Independent auditors’ report continued

to the members of NCC Group plc

Report on the audit of the financial statements continued

Our audit approach continued

Key audit matters continued

| Key audit matter | How our audit addressed the key audit matter We reviewed the assessment of the indicators of impairment and compared this assessment to external market factors, the results of the group’s annual goodwill impairment review and the ongoing Cyber and Escode strategic reviews. We compared the carrying value of the investment to the group’s market capitalisation at the reporting date. We reviewed the disclosures included within note 30 of the financial statements and consider these to be appropriate. As a result of these procedures, we were satisfied with the conclusion that no indicators of impairment were identified.

How we tailored the audit scope

We tailored the scope of our audit to ensure that we performed enough work to be able to give an opinion on the financial statements as a whole, taking into account the structure of the group and the company, the accounting processes and controls, and the industry in which they operate. The group is split into two main reporting segments being Cyber Security and Escode. These reportable segments are organised into 52 management reporting units in a range of different geographies which are structured mainly across Europe and North America. Certain functions relevant for financial reporting are managed by the group’s head office. The financial statements are a consolidation of the group’s management reporting units and its centralised consolidation entries. As the group is headquartered and its principal finance offices are in Manchester, United Kingdom, the group engagement team is also based in Manchester. All audit work was completed by the group engagement team. The management reporting units vary in size. We identified one reporting unit (NCC Group Security Services Limited) that required an audit of its complete financial information due to its size. We also identified a further seven management reporting units that required specific audit procedures to be performed over selected financial statement line items which included Fox-IT Holding B.V, NCC Group Security Services Inc, NCC Group Corporate Limited, NCC Group plc, NCC Services Limited, NCC Group (Solutions) Limited, and NCC Group Software Resilience (NA) LLC. NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Report on the audit of the financial statements continued

Our audit approach continued

How we tailored the audit scope continued

We also performed audit procedures over the consolidation adjustments. The entities where we conducted audit work accounted for approximately 87% (2024: 91%) of the group’s revenue. For the remaining 44 management reporting units which were not subject to further audit procedures, we performed analytical procedures over 10 of these reporting units to respond to any potential risks of material misstatement in the group financial statements. The remaining 34 reporting units were considered to be inconsequential for the group’s financial statements. Included within above are the management reporting units relating to the group’s Escode business, which has been reclassified as held for sale and presented as a discontinued operation. Our audit scope included performing specific audit procedures relating to the presentation of the Escode business, including Escode specific consolidation adjustments. The parent company is comprised of one reporting unit which was subject to a full scope audit for the purposes of the company financial statements.

The impact of climate risk on our audit

We made enquiries of management to understand the process they have adopted to assess the extent of the potential impact of climate risk on the group’s financial statements. The key areas of the financial statements where management evaluated that climate risk has a potential impact are set out in note 1 to the financial statements. The directors have reached the overall conclusion that there has been no material impact on the financial statements for the current period from the potential impact of climate change. We used our knowledge of the group to challenge management’s assessment. We particularly considered how climate risk would impact the assumptions made in the forecasts prepared by management used in their goodwill impairment analysis, going concern and viability. We also considered the consistency of the disclosures in relation to climate change (including the disclosures in the Non-Financial and Sustainability Information Statement) within the Annual Report with the financial statements and our knowledge obtained from our audit. Our procedures did not identify any material impact in the context of our audit of the financial statements as a whole, or on our key audit matters for the year ended 30 September 2025.

Materiality

The scope of our audit was influenced by our application of materiality. We set certain quantitative thresholds for materiality. These, together with qualitative considerations, helped us to determine the scope of our audit and the nature, timing and extent of our audit procedures on the individual financial statement line items and disclosures and in evaluating the effect of misstatements, both individually and in aggregate on the financial statements as a whole. Based on our professional judgement, we determined materiality for the financial statements as a whole as follows:

	Financial statements – group	Financial statements – company
Overall materiality	£3,000,000 (2024: 3,200,000).	£3,200,000 (2024: £3,400,000).

How we determined it

1% of total revenue (including discontinued operations)
1% of total assets

Rationale for benchmark applied

We considered materiality in a number of different ways and used our professional judgement having applied ‘rule of thumb’ percentages to a number of potential benchmarks. On the basis of this, we concluded that 1% of total revenue (including discontinued operations) is an appropriate level of materiality considering the overall scale of the business. The company does not trade and therefore total assets is considered to be the most appropriate benchmark. For each component in the scope of our group audit, we allocated a materiality that is less than our overall group materiality. The range of materiality allocated across components was between £879,000 and £2,325,000. Certain components were audited to a local statutory audit materiality that was also less than our overall group materiality.

We use performance materiality to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds overall materiality. Specifically, we use performance materiality in determining the scope of our audit and the nature and extent of our testing of account balances, classes of transactions and disclosures, for example in determining sample sizes. Our performance materiality was 75% (2024: 75%) of overall materiality, amounting to £2,250,000 (2024: 2,400,000) for the group financial statements and 2,400,0000 (2024: 2,500,000) for the company financial statements. In determining the performance materiality, we considered a number of factors - the history of misstatements, risk assessment and aggregation risk and the effectiveness of controls - and concluded that an amount in the middle of our normal range was appropriate. We agreed with the Audit Committee that we would report to them misstatements identified during our audit above £150,000 (group audit) (2024: £160,000) and £160,000 (company audit) (2024: £170,000) as well as misstatements below those amounts that, in our view, warranted reporting for qualitative reasons.

Conclusions relating to going concern

Our evaluation of the directors’ assessment of the group’s and the company’s ability to continue to adopt the going concern basis of accounting included:

We obtained directors’ latest going concern assessment, which included reasonably possible scenarios for a) the potential sale of the Escode business is completed within the going concern period; and b) the sale of the Escode business is not completed within the going concern period.
We tested the mathematical integrity of the directors’ going concern forecast models.
We evaluated and assessed the directors’ key assumptions, including assumptions relating to revenue and operating margins, in the going concern assessment over the period to the end of December 2026, which included consideration of the severe but plausible downside scenarios.
We evaluated and challenged management on the impact of the potential sale of the Escode business to the group’s going concern assessment, which included evaluating the impact of the sale to the group’s net debt position and committed financing facilities.
We evaluated the appropriateness of the severe but plausible downside scenarios which took into account the principal risks faced by the group, including the loss of key customers and further reductions in the group’s Technical Assurance Services (TAS) business.
We obtained the terms of the group’s revolving credit facility and the covenants in place in relation to this facility and determined that the directors’ forecasts in reasonably possible scenarios identified by management demonstrated compliance with all covenant conditions for at least 12 months from the date of the approval of the financial statements.
We agreed the opening net debt position within the forecast to bank statements and revolving credit facility statements.
We reviewed the disclosures made in respect of going concern included in the financial statements.# Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 101

Independent auditors’ report continued to the members of NCC Group plc

Report on the audit of the financial statements continued

Conclusions relating to going concern continued

Based on the work we have performed, we have not identified any material uncertainties relating to events or conditions that, individually or collectively, may cast significant doubt on the group’s and the company’s ability to continue as a going concern for a period of at least twelve months from when the financial statements are authorised for issue. In auditing the financial statements, we have concluded that the directors’ use of the going concern basis of accounting in the preparation of the financial statements is appropriate. However, because not all future events or conditions can be predicted, this conclusion is not a guarantee as to the group’s and the company’s ability to continue as a going concern. In relation to the directors’ reporting on how they have applied the UK Corporate Governance Code, we have nothing material to add or draw attention to in relation to the directors’ statement in the financial statements about whether the directors considered it appropriate to adopt the going concern basis of accounting. Our responsibilities and the responsibilities of the directors with respect to going concern are described in the relevant sections of this report.

Reporting on other information

The other information comprises all of the information in the Annual Report other than the financial statements and our auditors’ report thereon. The directors are responsible for the other information. Our opinion on the financial statements does not cover the other information and, accordingly, we do not express an audit opinion or, except to the extent otherwise explicitly stated in this report, any form of assurance thereon. In connection with our audit of the financial statements, our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the audit, or otherwise appears to be materially misstated. If we identify an apparent material inconsistency or material misstatement, we are required to perform procedures to conclude whether there is a material misstatement of the financial statements or a material misstatement of the other information. If, based on the work we have performed, we conclude that there is a material misstatement of this other information, we are required to report that fact. We have nothing to report based on these responsibilities. With respect to the Strategic report and Directors’ report, we also considered whether the disclosures required by the UK Companies Act 2006 have been included. Based on our work undertaken in the course of the audit, the Companies Act 2006 requires us also to report certain opinions and matters as described below.

Strategic report and Directors’ report

In our opinion, based on the work undertaken in the course of the audit, the information given in the Strategic report and Directors’ report for the year ended 30 September 2025 is consistent with the financial statements and has been prepared in accordance with applicable legal requirements. In light of the knowledge and understanding of the group and company and their environment obtained in the course of the audit, we did not identify any material misstatements in the Strategic report and Directors’ report.

Annual Report on Remuneration

In our opinion, the part of the Annual Report on Remuneration to be audited has been properly prepared in accordance with the Companies Act 2006.

Corporate governance statement

The Listing Rules require us to review the directors’ statements in relation to going concern, longer-term viability and that part of the corporate governance statement relating to the company’s compliance with the provisions of the UK Corporate Governance Code specified for our review. Our additional responsibilities with respect to the corporate governance statement as other information are described in the Reporting on other information section of this report. Based on the work undertaken as part of our audit, we have concluded that each of the following elements of the corporate governance statement, included within the Governance section of the Annual Report is materially consistent with the financial statements and our knowledge obtained during the audit, and we have nothing material to add or draw attention to in relation to:

The directors’ confirmation that they have carried out a robust assessment of the emerging and principal risks;
The disclosures in the Annual Report that describe those principal risks, what procedures are in place to identify emerging risks and an explanation of how these are being managed or mitigated;
The directors’ statement in the financial statements about whether they considered it appropriate to adopt the going concern basis of accounting in preparing them, and their identification of any material uncertainties to the group’s and company’s ability to continue to do so over a period of at least twelve months from the date of approval of the financial statements;
The directors’ explanation as to their assessment of the group’s and company’s prospects, the period this assessment covers and why the period is appropriate; and
The directors’ statement as to whether they have a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of its assessment, including any related disclosures drawing attention to any necessary qualifications or assumptions.

Our review of the directors’ statement regarding the longer-term viability of the group and company was substantially less in scope than an audit and only consisted of making inquiries and considering the directors’ process supporting their statement; checking that the statement is in alignment with the relevant provisions of the UK Corporate Governance Code; and considering whether the statement is consistent with the financial statements and our knowledge and understanding of the group and company and their environment obtained in the course of the audit. In addition, based on the work undertaken as part of our audit, we have concluded that each of the following elements of the corporate governance statement is materially consistent with the financial statements and our knowledge obtained during the audit:

The directors’ statement that they consider the Annual Report, taken as a whole, is fair, balanced and understandable, and provides the information necessary for the members to assess the group’s and company’s position, performance, business model and strategy;
The section of the Annual Report that describes the review of effectiveness of risk management and internal control systems; and
The section of the Annual Report describing the work of the Audit Committee.

We have nothing to report in respect of our responsibility to report when the directors’ statement relating to the company’s compliance with the Code does not properly disclose a departure from a relevant provision of the Code specified under the Listing Rules for review by the auditors.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025102

Report on the audit of the financial statements continued

Responsibilities for the financial statements and the audit

Responsibilities of the directors for the financial statements

As explained more fully in the Directors’ responsibilities statement, the directors are responsible for the preparation of the financial statements in accordance with the applicable framework and for being satisfied that they give a true and fair view. The directors are also responsible for such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error. In preparing the financial statements, the directors are responsible for assessing the group’s and the company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless the directors either intend to liquidate the group or the company or to cease operations, or have no realistic alternative but to do so.

Auditors’ responsibilities for the audit of the financial statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditors’ report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements. Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud. The extent to which our procedures are capable of detecting irregularities, including fraud, is detailed below. Based on our understanding of the group and industry, we identified that the principal risks of non-compliance with laws and regulations related to employment laws in the countries where the group has more significant operations and data protection laws and regulations, and we considered the extent to which non-compliance might have a material effect on the financial statements.We also considered those laws and regulations that have a direct impact on the financial statements such as local and international tax laws and the Companies Act 2006. We evaluated management’s incentives and opportunities for fraudulent manipulation of the financial statements (including the risk of override of controls), and determined that the principal risks were related to posting inappropriate journal entries to overstate financial performance and revenue recognition and management bias within accounting estimates. Audit procedures performed by the engagement team included:

discussions with management, the Audit Committee and internal audit, including consideration of known or suspected instances of non-compliance with laws and regulations and fraud;
reviewing minutes of meetings of those charged with governance;
auditing the tax computations to evaluate compliance with tax legislation;
identifying and testing journal entries, in particular any journal entries posted with unusual account combinations impacting revenue recognition;
challenging assumptions and judgements made by management in their critical accounting estimates and presentation of individually significant items; and
reviewing financial statement disclosures and testing to supporting documentation where appropriate to assess compliance with applicable laws and regulations.

There are inherent limitations in the audit procedures described above. We are less likely to become aware of instances of non-compliance with laws and regulations that are not closely related to events and transactions reflected in the financial statements. Also, the risk of not detecting a material misstatement due to fraud is higher than the risk of not detecting one resulting from error, as fraud may involve deliberate concealment by, for example, forgery or intentional misrepresentations, or through collusion. Our audit testing might include testing complete populations of certain transactions and balances, possibly using data auditing techniques. However, it typically involves selecting a limited number of items for testing, rather than testing complete populations. We will often seek to target particular items for testing based on their size or risk characteristics. In other cases, we will use audit sampling to enable us to draw a conclusion about the population from which the sample is selected.

A further description of our responsibilities for the audit of the financial statements is located on the FRC’s website at: www.frc.org.uk/auditorsresponsibilities. This description forms part of our auditors’ report.

Use of this report

This report, including the opinions, has been prepared for and only for the company’s members as a body in accordance with Chapter 3 of Part 16 of the Companies Act 2006 and for no other purpose. We do not, in giving these opinions, accept or assume responsibility for any other purpose or to any other person to whom this report is shown or into whose hands it may come save where expressly agreed by our prior consent in writing.

Other required reporting

Companies Act 2006 exception reporting

Under the Companies Act 2006 we are required to report to you if, in our opinion:

we have not obtained all the information and explanations we require for our audit; or
adequate accounting records have not been kept by the company, or returns adequate for our audit have not been received from branches not visited by us; or
certain disclosures of directors’ remuneration specified by law are not made; or
the company financial statements and the part of the Annual Report on Remuneration to be audited are not in agreement with the accounting records and returns.

We have no exceptions to report arising from this responsibility.

Appointment

Following the recommendation of the Audit Committee, we were appointed by the directors on 7 March 2024 to audit the financial statements for the 16-month period ended 30 September 2024 and subsequent financial periods. The period of total uninterrupted engagement is two periods, covering the period ended 30 September 2024 and the year ended 30 September 2025.

Other matter

The company is required by the Financial Conduct Authority Disclosure Guidance and Transparency Rules to include these financial statements in an annual financial report prepared under the structured digital format required by DTR 4.1.15R - 4.1.18R and filed on the National Storage Mechanism of the Financial Conduct Authority. This auditors’ report provides no assurance over whether the structured digital format annual financial report has been prepared in accordance with those requirements.

Hazel Macnamara (Senior Statutory Auditor)
for and on behalf of PricewaterhouseCoopers LLP
Chartered Accountants and Statutory Auditors
Manchester
11 December 2025

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 103

Consolidated income statement for the year ended 30 September 2025

		Year ended 30 September 2024	16 month period ended 30 September 2025
		£m	£m
Continuing operations	Note
Revenue	3	238.9	342.1
Cost of sales	3	(150.5)	(224.1)
Gross profit	3	88.4	118.0
Administrative expenses
Individually Significant Items	4	(9.5)	(41.4)
Depreciation and amortisation	5	(14.0)	(21.6)
Other administrative expenses	3	(82.4)	(112.4)
Total administrative expenses		(105.9)	(175.4)
Profit on disposal of Fox Crypto	4	11.4	—
Operating loss	3	(6.1)	(57.4)
Finance costs	7	(4.9)	(8.2)
Loss before taxation	5	(11.0)	(65.6)
Taxation	8	1.9	(1.6)
Loss from continuing operations		(9.1)	(67.2)
Profit from discontinued operations	16	26.2	34.7
Profit/(loss) for the year/period attributable to owners of the Company	17	17.1	(32.5)
Loss per ordinary share from continuing operations	10
Basic EPS		(3.0p)	(21.6p)
Diluted EPS		(3.0p)	(21.6p)

* Comparatives have been restated to present Escode as a discontinued operation. See Note 16 for further details.

Consolidated statement of comprehensive income for the year ended 30 September 2025

	16 month period ended 30 September 2024	Year ended 30 September 2025
	Restated * £m	£m
Profit/(loss) for the year/period attributable to the owners of the Company	17.1	(32.5)
Other comprehensive loss
Items that may be reclassified subsequently to profit or loss (net of tax)
Reclassification of currency translation reserve on disposal of foreign operations	(7.9)	—
Foreign exchange translation differences from continuing operations	4.9	(2.8)
Exchange differences on translation of discontinued operations (Note 16)	(0.1)	(10.2)
Total other comprehensive loss	(3.1)	(13.0)
Total comprehensive income/(loss) for the year/period (net of tax) attributable to the owners of the Company	14.0	(45.5)
Total comprehensive income/(loss) for the year/period attributable to owners of the Company arises from:
Continuing operations	(12.1)	(70.0)
Discontinued operations	26.1	24.5
	14.0	(45.5)

* Comparatives have been restated to present Escode as a discontinued operation. See Note 16 for further details.

The accompanying Notes 1 to 32 are an integral part of these Consolidated Financial Statements.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 104

Consolidated balance sheet at 30 September 2025

		30 September 2025	30 September 2024
	Note	£m	£m
Non-current assets
Goodwill	11	46.3	156.5
Intangible assets	11	3.6	89.2
Property, plant and equipment	12	10.5	11.6
Right-of-use assets	13	13.8	15.7
Deferred tax asset	15	1.0	0.6
Total non-current assets		75.2	273.6

Current assets
Trade and other receivables	14	31.8	32.2
Contract assets	21	19.4	20.1
Current tax receivable		5.5	2.9
Cash and cash equivalents	22	12.5	29.8
Derivative financial instruments	23	0.9	—
Assets classified as held for sale	16	198.0	61.5
Total current assets		268.1	146.5
Total assets		343.3	420.1

Current liabilities
Trade and other payables	17	43.1	46.8
Bank overdraft	22	—	13.6
Lease liabilities	18	4.1	5.7
Current tax payable		0.8	1.6
Derivative financial instruments	23	—	0.8
Provisions	19	0.3	1.4
Contract liabilities – deferred revenue	20	25.7	50.7
Liabilities directly associated with assets classified as held for sale	16	39.8	5.7
Total current liabilities		113.8	126.3

Non-current liabilities
Borrowings	22	3.3	61.5
Lease liabilities	18	15.4	21.9
Deferred tax liabilities	15	0.2	0.5
Provisions	19	1.9	1.9
Contract liabilities – deferred revenue	20	2.2	2.8
Total non-current liabilities		23.0	88.6
Total liabilities		136.8	214.9

Net assets		206.5	205.2

Equity
Share capital	25	3.1	3.1
Share premium	25	224.7	224.4
Merger reserve	25	42.3	42.3
Currency translation reserve	25	21.4	24.5
Retained earnings	25	(85.0)	(89.1)
Total equity		206.5	205.2

The accompanying Notes 1 to 32 are an integral part of these consolidated Financial Statements.

These Financial Statements were approved and authorised for issue by the Board of Directors on 11 December 2025. They were signed on its behalf by:

Mike Maddison
Chief Executive Officer
11 December 2025

Guy Ellis
Chief Financial Officer
11 December 2025

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 105

Consolidated cash flow statement for the year ended 30 September 2025

		16 month period ended 30 September 2024	Year ended 30 September 2025
	Note	£m	£m
Cash flows from operating activities
Loss for the year/period of continuing operations		(9.1)	(67.2)
Profit for the year/period from discontinued operations	16	26.2	34.7
Profit/(loss) for year/period including discontinued operations	17	17.1	(32.5)
Adjustments for:
Depreciation of property, plant and equipment	12	4.3	5.4
Depreciation of right-of-use assets	13	5.5	8.1
Amortisation of customer contracts and relationships	11	8.1	12.5
Amortisation of software and development costs	11	2.1	3.3
Impairment of goodwill	11	—	31.0

	Note	2025 £m	2024 £m
Impairment of non-current assets included in ISIs		0.3	3.9
Disposals of non-current assets included in administrative costs		1.2	—
Impairment reversal of non-current assets included in administrative costs		5	—
Impairment reversal of non-current assets included in ISIs		(0.2)	(0.8)
Share-based payments	24	2.1	2.3
Lease financing costs	18	1.1	1.7
Other financing costs		3.8	6.6
Foreign exchange loss		2.7	1.9
Gain on disposal of derecognised lease liabilities		(1.9)	—
Profit on disposal of right-of-use-assets		—	(0.1)
Profit on disposal of businesses	31	(11.3)	(1.6)
Profit on disposal of investment	30	—	(0.1)
Loss on disposal of fixed assets		—	0.1
Loss on disposal of intangible assets	11	0.3	—
Income tax expense	8	3.5	5.0
Cash inflow for the year/period before changes in working capital	3	8.7	8.5
(Increase)/decrease in trade and other receivables		(5.4)	1.3
Decrease/(increase) in contract assets		0.4	(5.9)
Decrease in inventories		—	0.2
Increase/(decrease) in trade and other payables	10	0.3	(11.9)
(Decrease)/increase in contract liabilities		(1.1)	5.5
(Decrease)/increase in provisions		(3.0)	0.7
Cash generated from operating activities before interest and taxation		39.9	38.4
Interest element of lease payments	18	(1.1)	(1.7)
Other interest paid		(3.3)	(6.0)
Taxation paid		(2.0)	(4.3)
Net cash generated from operating activities		33.5	26.4
Cash flows from investing activities
Acquisition of trade and assets as part of business combinations		—	(1.0)
Purchase of property, plant and equipment	12	(4.7)	(6.2)
Software, development and customer contract expenditure		(0.4)	(2.6)
Sale proceeds of business disposals (net of cash disposed of)	4, 30, 31	6	1.4
Net cash generated from investing activities		56.3	2.6
Cash flows from financing activities
Proceeds from the issue of ordinary share capital	25	0.3	0.3
Acquisition of treasury shares		(5.8)	(5.8)
Principal element of lease payments	18	(6.8)	(10.2)
Drawdown of borrowings (net of deferred issue costs)	2	1.1	57.8
Issue costs related to borrowings		(0.3)	—
Repayment of borrowings	80	(0.3)	(75.0)
Equity dividends paid	9	(19.0)	(14.5)
Net cash used in financing activities		(90.8)	(47.4)
Net decrease in cash and cash equivalents (inc. bank overdraft)		(1.0)	(18.4)
Cash and cash equivalents (inc. bank overdraft) at beginning of year/period	16	2	32.3
Effect of foreign currency exchange rate changes		1.2	2.3
Cash and cash equivalents (inc. bank overdraft) at end of year/period	16, 22	16.4	16.2

1 See Note 16 for the operation, financing and investing cash flows of discontinued operations.
2 Inclusive of £3.9m of cash and cash equivalents classified as asset held for sale – see Note 16.
The accompanying Notes 1 to 32 are an integral part of these consolidated Financial Statements.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

106 Consolidated statement of changes in equity for the year ended 30 September 2025

Currency translation £m	Share capital £m	Share premium £m	Merger reserve £m	Retained earnings £m	Total £m
Balance at 1 June 2023	3.1	224.1	42.3	(28.8)	278.2
Loss for the period	—	—	—	(32.5)	(32.5)
Foreign currency translation differences	—	—	—	(13.0)	(13.0)
Total comprehensive loss for the period	—	—	—	(13.0)	(32.5)
Transactions with owners recorded directly in equity
Dividends to equity shareholders	9	—	—	—	(24.3)
Share-based payments	24	—	—	—	2.3
Acquisition of treasury shares		—	—	—	(5.8)
Shares issued	25	—	0.3	—	—
Total contributions by and distributions to owners	—	0.3	—	—	(27.8)
Balance at 30 September 2024	3.1	224.4	42.3	24.5	(89.1)
Profit for the year	—	—	—	17.1	17.1
Reclassification of currency translation reserve on disposal of foreign operations	31	—	—	(7.9)	—
Foreign currency translation differences	—	—	—	4.8	—
Total comprehensive (loss)/income for the year	—	—	—	(3.1)	17.1
Transactions with owners recorded directly in equity
Dividends to equity shareholders	9	—	—	—	(9.2)
Share-based payments	24	—	—	—	2.1
Current and deferred tax on share-based payments		—	—	—	(0.1)
Acquisition of treasury shares		—	—	—	(5.8)
Shares issued	25	—	0.3	—	—
Total contributions by and distributions to owners	—	0.3	—	—	(13.0)
Balance at 30 September 2025	3.1	224.7	42.3	21.4	(85.0)

The accompanying Notes 1 to 32 are an integral part of these consolidated Financial Statements.

Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025

107 Company balance sheet at 30 September 2025

	Note	30 September 2025 £m	30 September 2024 £m
Non-current assets
Investments in subsidiary undertakings	30	293.2	291.1
Trade and other receivables	14	34.2	43.1
Total non-current assets		327.4	334.2
Current assets
Cash and cash equivalents	22	—	9.8
Total current assets		—	9.8
Total assets		327.4	344.0
Current liabilities
Trade and other payables	17	—	9.9
Total current liabilities		—	9.9
Total liabilities		—	9.9
Net assets		327.4	33 4.1
Equity
Share capital	25	3.1	3.1
Share premium	25	224.7	224.4
Merger reserve	25	42.3	42.3
Retained earnings	25	57.3	64.3
Total equity		327.4	33 4.1

During the year ended 30 September 2025, the Parent Company reported a profit of £0.1m (2024: £38.7m).

The accompanying Notes 1 to 32 are an integral part of these Financial Statements.

These Financial Statements were approved and authorised for issue by the Board of Directors on 11 December 2025. They were signed on its behalf by:

Mike Maddison
Chief Executive Officer
11 December 2025

Guy Ellis
Chief Financial Officer
11 December 2025

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

108 Company statement of changes in equity for the year ended 30 September 2025

Note	Share capital £m	Share premium £m	Merger reserve £m	Retained earnings £m	Total £m
	3.1	224.1	42.3	47.6	317.1
	—	—	—	38.7	38.7
	—	—	—	38.7	38.7
9	—	—	—	(24.3)	(24.3)
	—	—	—	2.3	2.3
25	—	0.3	—	—	0.3
	—	0.3	—	(22.0)	(21.7)
	3.1	224.4	42.3	64.3	33 4.1
	—	—	—	0.1	0.1
	—	—	—	0.1	0.1
9	—	—	—	(9.2)	(9.2)
	—	—	—	2.1	2.1
25	—	0.3	—	—	0.3
	—	0.3	—	(7.1)	(6.8)
	3.1	224.7	42.3	57.3	327.4

The accompanying Notes 1 to 32 are an integral part of these Financial Statements.

Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025

109 Notes to the Financial Statements for the year ended 30 September 2025

1 Material accounting policies

Basis of preparation

NCC Group plc (the “Company”) is a public company incorporated in the UK, with its registered office at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ. The Group Financial Statements consolidate those of the Company and its subsidiaries (together referred to as the “Group”). NCC Group plc is a listed public company, limited by shares, and the Company registration number is 04627044.

The principal activity of the Group is the provision of independent advice and services to customers through the supply of Cyber Security and Escode services. The Parent Company Financial Statements present information about the Company as a separate entity and not about the Group.

These Financial Statements have been approved for issue by the Board of Directors on 11 December 2025.

The Group Financial Statements have been prepared and approved by the Directors in accordance with UK-adopted International Accounting Standards (UK-adopted IFRS) and with the requirements of the Companies Act 2006 as applicable to companies reporting under those standards.

The Parent Company Financial Statements have been prepared in accordance with FRS 101 ‘Reduced Disclosure Framework’ (FRS 101), under the historical cost convention, and in accordance with the Companies Act 2006 and other applicable law. The Company transitioned from UK-adopted International Financial Reporting Standards to FRS 101 in the prior period. The impact of this transition on the net assets of the Parent Company was £nil, as disclosed in the prior period Financial Statements.

As permitted by FRS 101, the Parent Company has taken advantage of the disclosure exemptions available under that standard in relation to standards not yet effective and presentation of a cash flow statement. The accounting policies adopted for the Parent Company are otherwise consistent with those used for the Group as set out within this note.# Material accounting policies

The Company has also taken advantage of the following disclosure exemptions under FRS 101:
* The requirements of paragraphs 91–99 of IFRS 13 ‘Fair Value Measurement’
* The requirements of IFRS 7 ‘Financial Instruments: Disclosure’
* The requirements of 45(b) and 46–52 of IFRS 2 ‘Share-based Payment’
* The requirements in IAS 24 ‘Related Party Disclosures’ to disclose related party transactions entered into between two or more members of a group, provided that any subsidiary which is a party to the transaction is wholly owned by such a member

On publishing the Parent Company Financial Statements here together with the Group Financial Statements, the Company is also taking advantage of the exemption in section 408 of the Companies Act 2006 not to present its individual Income Statement and related notes that form a part of these approved Financial Statements.

The accounting policies set out below have, unless otherwise stated, been applied consistently to all periods presented in these Financial Statements.

Climate change

The Directors have reviewed the potential impact of climate change and the Task Force on Climate-related Financial Disclosures (TCFD) on the consolidated Financial Statements. During the year, the Group has reviewed its materiality assessment to identify which environmental, social and governance issues are most material and significant to the NCC Group business and stakeholders to aid our commitment to achieving net zero by 2050. Our overall exposure to physical and transitional climate change is considered low in the short to medium term due to the nature of the business and cyber assurance industry. The Group continues to evolve its sustainability agenda with further details on its short, medium, medium to long and long-term goals contained within the Non-Financial and Sustainability Information Statement on page 18 of the Annual Report.

The Directors have considered climate change in the following areas of the consolidated Financial Statements (including critical accounting judgements and key sources of estimation uncertainty), noting no material financial impact in each area:
* Going concern assessment
* Property, plant and equipment – economic life and residual values
* Impairment of assets (including right-of-use assets) – the impact of environmental change on growth rates and projected cash flows
* Provisions – recognition of new liabilities or contingent liabilities arising from climate change and the Group physical and transition risks of:
* Greenhouse gas emissions – increased costs associated with more taxes and levies
* Move to net zero – increased costs required to lower emissions
* Margin risk – impact on delivery day rates and associated erosion of profit margin due to increased costs
* Reputational risk – failure to comply with regulations resulting in negative impact on the Group
* Supply chain – increased supply costs and delayed deliveries impacting customer contracts/provision of services
* Extreme weather or rising sea levels – reduction in revenue and increased costs
* Fair value measurement – climate change variables being incorporated into market participant valuations
* Financial instruments – expected credit losses and risk of default on Group borrowings (RCF and term loan)

New and amended accounting standards that have been issued and are effective from 1 January 2025

At the date of authorisation of these Financial Statements, the following new accounting pronouncements have been issued and are effective from 1 January 2025:
* Amendments to IAS 21 ‘The Effects of Changes in Foreign Exchange Rates’, issued in August 2023 and effective from 1 January 2025

These IFRSs are not expected to have a material impact on the Group’s consolidated or the Company’s financial position or performance.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025110

Other new accounting pronouncements

In addition to the above, the following new accounting pronouncements have also been issued which are not yet effective, but the Group is not expecting them to have a significant impact on the Group’s consolidated Financial Statements:
* IFRS 19 ‘Subsidiaries without Public Accountability: Disclosures’, issued in May 2024 and effective from 1 January 2027
* Amendments to IFRS 9 ‘Financial Instruments’ and IFRS 7 ‘Financial Instruments: Disclosures’, issued in May 2024 and effective from 1 January 2026
* Annual improvements to the following IFRS Accounting Standards – amendments to: IFRS 1 ‘First-time Adoption of International Financial Reporting Standards’, IFRS 10 ‘Consolidated Financial Statements’ and IAS 7 ‘Statement of Cash Flows’, issued in July 2024 and effective from 1 January 2026

In addition to the above new standards, the Group also continues to evaluate the potential impact from IFRS 18 ‘Presentation and Disclosure in Financial Statements’, issued in April 2024 and effective from 1 January 2027.

Basis of measurement

The consolidated Financial Statements have been prepared on the historical cost basis except for the revaluation of certain financial instruments.

Functional and presentation currency

The Group and Company Financial Statements are presented in millions of Pounds Sterling (£m) because that is the currency of the principal economic environment in which the Group operates. Items included in the Financial Statements of each of the Group’s entities are measured using the currency of the primary economic environment in which the entity operates (the “functional currency”).

Going concern

The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA)¹ and interest cover (Adjusted EBITDA¹ to interest charge) that are tested bi-annually on 31 March and 30 September each year. As of 30 September 2025, leverage amounted to 0.0x and net interest cover amounted to 8.1x compared to a maximum of 3.0x and a minimum of 3.5x respectively. The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and are materially similar to amounts noted in these Financial Statements with the exceptions being net debt which excludes IFRS 16 lease liabilities and Adjusted EBITDA¹. The Group was in compliance with the terms of all its facilities during the year, including the financial covenants on 30 September 2025, and, based on forecasts, expects to remain in compliance over the going concern period. In addition, the Group has not sought or is not planning to seek any waivers to its financial covenants noted above.

1 Material accounting policies continued

Going concern continued

In addition, management has prepared forecasts reflecting severe but plausible downside scenarios, considering the principal risks faced by the Group, such as the loss of key customers and further reductions in the Group’s Technical Assurance Services (‘TAS’) Cyber business. These forecasts, including all scenarios modelled, have been reviewed by the Directors, support their expectation that the Group will operate within its available committed banking facilities and meet its liabilities as they fall due throughout the assessment period. The assumptions underpinning these forecasts (and severe yet plausible downside scenarios) are set out in more detail in the Viability Statement on pages 38 and 39.

From a Company perspective, the Company places reliance on other Group trading entities for financial support. The Company controls these Group entities and therefore has the ability to direct the financial activities of the Group. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements, which is determined as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 30 September 2025. There are no post-Balance Sheet events which the Directors believe will negatively impact the going concern assessment.

Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

Business combinations

Business combinations are accounted for by applying the acquisition method at the acquisition date, which is the date on which control is transferred to the Group. The Group controls an entity when the Group is exposed to, or has rights to, variable returns from its involvement with the entity and has the ability to affect those returns through its power over the entity.

Acquisitions and disposals

The Group measures goodwill at the acquisition date as:
* The fair value of the consideration transferred
* The recognised amount of any non-controlling interests in the acquiree
* If the business combination is achieved in stages, the fair value of the existing equity interest in the acquiree
* The fair value of the identifiable assets acquired and liabilities assumed

When the excess is negative, a bargain purchase gain is recognised immediately in profit or loss. The consideration transferred does not include amounts related to the settlement of pre-existing relationships. Such amounts are generally recognised in the Income Statement. Costs related to the acquisition, other than those associated with the issue of debt or equity securities, are expensed as incurred. Any deferred or contingent consideration payable is recognised at fair value at the acquisition date. If the contingent consideration is classified as equity, it is not remeasured, and settlement is accounted for within equity. Otherwise, subsequent changes to the fair value of contingent consideration are recognised in the Income Statement.

On a transaction-by-transaction basis, the Group elects to measure non-controlling interests either at their fair value or at their proportionate interest in the recognised amount of the identifiable net assets of the acquiree at the acquisition date.

The results of subsidiaries acquired or disposed of during the period are included in the Consolidated Income Statement from the effective date of acquisition or up to the effective date of disposal, as applicable. Comparatives are only restated if a disposed business meets the definition of a discontinued operation under IFRS 5 ‘Non-current Assets Held for Sale and Discontinued Operations’. This restatement occurs only when the disposal represents a separate major line of business or geographical area, or is part of a single co-ordinated plan to dispose of such a line or area.

Subsidiaries

Subsidiaries are entities controlled by the Group. The Financial Statements of subsidiaries are included in the consolidated Financial Statements from the date that control commences until the date that control ceases. Control is achieved where the Company has the power to govern the financial and operating policies of an investee entity so as to obtain benefits from its activities. Intercompany transactions and balances between subsidiaries are eliminated on consolidation.

Intangible assets and goodwill

Goodwill represents the amounts arising from the acquisition of subsidiaries, as well as from the acquisition of trade and assets. In respect of business acquisitions that have occurred since 1 June 2004, goodwill represents the difference between the cost of the acquisition and the fair value of the net identifiable assets acquired including identifiable intangible assets. Identifiable intangibles are those which can be sold separately, or which arise from legal rights regardless of whether those rights are separable.

Goodwill is stated at cost less any accumulated impairment losses. Goodwill is allocated to cash generating units (CGUs) and is not amortised but is tested annually for impairment. In respect of equity accounted investees, the carrying amount of goodwill is included in the carrying amount of the investment in the investee.

Research and development

Expenditure on research activities is recognised in the Income Statement as an expense as incurred. Expenditure on development activities is capitalised as “development costs” if the product or process is technically and commercially feasible, if the Group has the technical ability and sufficient resources to complete development, if future economic benefits are probable and if the Group can measure reliably the expenditure attributable to the intangible asset during its development. Development activities involve a plan or design for the production of new or substantially improved products or processes. Subsequent expenditure is capitalised only when it increases the future economic benefits embodied in the specific asset to which it relates. All other expenditure, including expenditure on internally generated goodwill, is recognised in the Income Statement as an expense as incurred.

Software costs

The Group capitalises software costs in accordance with the criteria of IAS 38. Software costs comprise third party costs and internal colleague time costs for internal system developments. Capitalised amounts are initially measured at cost and amortised on a straight-line basis over the period for which the developed system is expected to be in use as a business platform. Software costs incurred as part of a service agreement are only capitalised when it can be evidenced that the Group has control over the resources defined in the arrangement. The expenditure capitalised includes the cost of materials, direct labour, overhead costs that are directly attributable to preparing the asset for its intended use and capitalised borrowing costs. Other development expenditure is recognised in the Consolidated Income Statement as an expense as incurred. Software costs are stated at cost less accumulated amortisation and less accumulated impairment losses.

When the Group incurs customisation and configuration costs, as part of a service agreement for Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS), judgement is applied in assessing whether the Group has control over the resources defined in the arrangement. These costs are treated in accordance with the March 2019 IFRIC update with regard to the Customer’s Right to Receive Access to the Supplier’s Software Hosted on the Cloud (IAS 38 ‘Intangible Assets’) and the IFRIC interpretation ratified by the Interpretations Committee in April 2021 with regard to Configuration or Customisation Costs in a Cloud Computing Arrangement, as follows:
* In specific circumstances, development costs incurred may give rise to an identifiable asset, for example where code/intellectual property hosted on third party cloud infrastructure is controlled by the Group and the cost of moving the asset to another provider or bringing on-premise is not prohibitive.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 112
Notes to the Financial Statements continued
for the year ended 30 September 2025

1 Material accounting policies continued
Software costs continued# Material accounting policies (continued)

Intangible assets

Expenditure on internally generated goodwill is recognised in the Income Statement as an expense as incurred. Intangible assets that are acquired by the Group are stated at cost less accumulated amortisation and less accumulated impairment losses.

Amortisation

Amortisation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of intangible assets unless such lives are indefinite. Intangible assets with an indefinite useful life and goodwill are systematically tested for impairment at each Balance Sheet date. Intangible assets are amortised from the date they are available for use. The estimated useful lives are as follows:

Acquired customer contracts and relationships – between three and twenty years
Software – between three and five years
Capitalised development costs – between three and five years

Impairment of non-financial assets

The carrying amounts of the Group’s non-financial assets, other than deferred tax assets, are reviewed at each reporting date to determine whether there is any indication of impairment. If any such indication exists, then the asset’s recoverable amount is estimated. For goodwill, and intangible assets that have indefinite useful lives or that are not yet available for use, the recoverable amount is estimated each year at the same time. The Group performed its annual impairment review at 30 September 2025.

The recoverable amount of an asset or cash generating unit is the greater of its value in use (VIU) and its fair value less costs to sell (FVLCTS). FVLCTS has been used for all CGUs for the year ended 30 September 2025 and the comparative period for the period ended 30 September 2024. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings.

For the purpose of impairment testing, assets that cannot be tested individually are grouped together into the smallest group of assets that generates cash inflows from continuing use that are largely independent of the cash inflows of other assets or groups of assets (the “cash generating unit”). The goodwill acquired in a business combination, for the purpose of impairment testing, is allocated to cash generating units (CGUs). Subject to an operating segment ceiling test, for the purposes of goodwill impairment testing, CGUs to which goodwill has been allocated are aggregated so that the level at which impairment is tested reflects the lowest level at which goodwill is monitored for internal reporting purposes. Goodwill acquired in a business combination is allocated to groups of CGUs that are expected to benefit from the synergies of the combination.

An impairment loss is recognised if the carrying amount of an asset or its CGU exceeds its estimated recoverable amount. Impairment losses are recognised in the Income Statement. Impairment losses recognised in respect of CGUs are allocated first to reduce the carrying amount of any goodwill allocated to the units, and then to reduce the carrying amounts of the other assets in the unit (group of units) on a pro rata basis. An impairment loss in respect of goodwill is not reversed.

In respect of other assets, impairment losses recognised in prior periods are assessed at each reporting date for any indications that the loss has decreased or no longer exists. An impairment loss is reversed if there has been a change in the estimates used to determine the recoverable amount. An impairment loss is reversed only to the extent that the asset’s carrying amount does not exceed the carrying amount that would have been determined, net of depreciation or amortisation, if no impairment loss had been recognised.

Related party transactions

A related party is a person or entity that is related to the Group or Company. Related party transactions are the transfer of resources, services or obligations between parties regardless of whether a price is charged. In these circumstances, the Group or Company will disclose the nature of the related party relationship as well as information about the transactions and outstanding balances necessary for an understanding of the potential effect of the relationship on the Financial Statements in accordance with IAS 24 ‘Related Party Transactions’.

Property, plant and equipment

Property, plant and equipment assets are carried at cost less accumulated depreciation and any recognised impairment in value. To the extent that borrowing costs relate to the acquisition, construction or production of a qualifying asset, borrowing costs are capitalised as part of the cost of that asset. Depreciation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of each part of an item of plant and equipment as follows:

Computer equipment – between three and five years
Fixtures, fittings and equipment – between three and five years
Motor vehicles – four years

Property, plant and equipment is also tested for impairment whenever there is an indication of potential impairment.

Leases

At inception of a contract, the Group assesses whether a contract is, or contains, a lease. A contract is, or contains, a lease if the contract conveys the right to control the use of an identified asset for a period of time in exchange for consideration.

To assess whether a contract conveys the right to control the use of an identified asset, the Group assesses whether:

The contract involves use of the identified asset. This may be specified explicitly or implicitly and should be physically distinct or represent substantially all of the capacity or a physically distinct asset. If the supplier has a substantive substitution right, then the asset is not identified.
The Group has the right to obtain substantially all of the economic benefits from use of the asset and throughout the period of use the Group has the right to direct the use of the asset. The Group has this right when it has the decision-making rights that are most relevant to changing how and for what purpose the asset is used. In rare cases where all the decisions about how and for what purpose the asset is used are predetermined, the Group has the right to direct the use of the asset if either:
- The Group has the right to operate the asset.
- The Group designed the asset in a way that predetermines how and for what purpose it will be used.

The Group recognises a right-of-use asset and a lease liability at the lease commencement date. The right-of-use asset is initially measured at cost, which comprises the initial amount of the lease liability adjusted for any lease payments made at or before the commencement date, and an estimate of costs to dismantle and remove the underlying asset or to restore the underlying asset or the site on which it is located, less any lease incentives received. The right-of-use asset is subsequently depreciated using the straight-line method from the commencement date to the earlier of the end of the useful life of the right-of-use asset or the end of the lease term. The estimated useful lives of right-of-use assets are determined on the same basis as those of property, plant and equipment. In addition, the right-of-use asset is periodically reduced by impairment losses, if any, and adjusted for certain remeasurements of the lease liability.

The lease liability is initially measured at the present value of the lease payments that are not paid at the commencement date, discounted using the interest rate implicit in the lease or, if that rate cannot be readily determined, the Group’s incremental borrowing rate. The lease liability is measured at amortised cost using the effective interest method. It is remeasured when there is a change in future lease payments arising from a change in an index or rate, if there is a change in the Group’s estimate of the amount expected to be payable, or if the Group changes its assessment of whether it will exercise a purchase, extension or termination option. When the lease liability is remeasured in this way, a corresponding adjustment is made to the carrying amount of the right-of-use asset or is recorded in the Income Statement if the carrying amount of the right-of-use asset has been reduced to zero.

The Group has elected not to recognise right-of-use assets and lease liabilities for short-term leases that have a lease term of 12 months or less and leases of low value assets, including certain IT equipment. The Group recognises the lease payments associated with these leases as an expense on a straight-line basis over the lease term. Lease rental costs in respect of short-term leases (less than one year) and low value assets which are exempt from being accounted for under IFRS 16 are charged to the Income Statement on a straight-line basis over the period of the lease.

Investments

Investments in subsidiaries are carried at cost less impairment. Investments in property and unlisted shares are carried at cost less impairment, which is based on the fair value at acquisition.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 113# Financial instruments

Financial assets and financial liabilities, in respect of financial instruments, are recognised in the Group and Parent Company Balance Sheet when the Group or Company becomes a party to the contractual provisions of the instrument.

Classification and measurement of financial assets and liabilities

Classification of financial assets is generally based on the business model in which the financial asset is managed and its contractual cash flow characteristics. A financial asset is measured at amortised cost if it is held with the objective of collecting the contractual cash flows and its contractual terms give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding. All other financial assets are measured at fair value through other comprehensive income or the Income Statement.

Financial assets at amortised cost

Trade and other receivables

Trade and other receivables are classified as financial assets at amortised cost in accordance with IFRS 9 ‘Financial Instruments’. This classification is applied to receivables such that the asset is to collect contractual cash flows. Trade and other receivables are initially recognised at their fair value, which is typically the transaction price. Subsequently, these assets are measured at amortised cost, less any provision for expected credit losses (ECLs). Under the IFRS 9 “expected credit loss” model, a credit event (or impairment “trigger”) no longer needs to occur before credit losses are recognised. The Group analyses the risk profile of trade receivables based on past experience and an analysis of the receivables’ current financial position, potential for a default event to occur, adjusted for specific factors, forward-looking general economic conditions of the industry in which the receivables operate, and assessment of both the current and the forecast direction of conditions at the reporting date. A default event is considered to occur when information is obtained that indicates that a receivable is unlikely to be paid to the Group. Credit risk is regularly reviewed by management to ensure the expected credit loss (ECL) model is being appropriately applied. The Group has performed the calculation of ECL separately for each business unit.

Financial liabilities at amortised cost

Trade payables

Trade payables are other financial liabilities initially measured at fair value and subsequently measured at amortised cost.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 114

Notes to the Financial Statements continued for the year ended 30 September 2025

1 Material accounting policies continued

Financial liabilities at amortised cost continued

Borrowings

Interest-bearing bank loans are initially recorded at their fair value and subsequently held at amortised cost. Transaction costs incurred are amortised over the term of the loan.

Assets held for sale

Assets are classified as held for sale if their carrying amount is to be recovered principally through a sale transaction rather than through continuing use. This condition is regarded as met only when the sale is highly probable within one year from the date of classification and the assets are available for sale in their present condition. Assets held for sale are stated at the lower of the carrying amount and fair value less costs to dispose.

Discontinued operations

A discontinued operation is a component of the Group that has been disposed of or is classified as held for sale and represents a separate major line of business or geographical area of operation. In accordance with IFRS 5, the post-tax results of discontinued operations and any post-tax gain or loss on disposal or remeasurement to fair value less costs to sell are presented as a single amount in the Consolidated Income Statement. When classified as held for sale, the assets and liabilities of discontinued operations are presented separately in the Consolidated Balance Sheet. Cash flows relating to discontinued operations are disclosed separately in Note 16, including operating, investing and financing activities. Further disclosures, including a breakdown of the Income Statement components and earnings per share from discontinued operations, are provided in the Notes to the Financial Statements.

Revenue recognition

Summary

The Group provides independent global Cyber Security and Escode services.

Cyber Security

During the 16 month period ended 30 September 2024, as part of the Group’s ongoing transformation and the implementation of its new strategy, the Group began to analyse Cyber Security revenue in greater detail by service type and capability, which replaced the previous revenue streams of Global Managed Services (GMS) and Global Professional Services (GPS), as reflected within the prior year segmental information note (Note 3). This change in analysis enables the Group to better focus on existing customers, as well as on simplifying operations and the core services it provides. During the year ended 30 September 2025, the Group has updated its revenue recognition policy to better align with the revenue streams disclosed in Note 3 (segmental information). This update has no impact on the timing or recognition of revenue under IFRS 15 for the current year or prior period. The revenue streams in relation to Cyber Security include:

Managed Services (MS) – operational cyber defence, scanning, simulation and managed security operations centres (SOCs) including Microsoft XDR (Sentinel) propositions. In the prior period, this revenue stream was reported under the Global Managed Services revenue recognition accounting policy, as disclosed in Note 1 of the 2024 Annual Report.
Digital Forensics and Incident Response (DFIR) – incident response including rapid global support during and after cyber attacks. In the prior period, this revenue stream was reported under the Global Managed Services revenue recognition accounting policy, as disclosed in Note 1 of the 2024 Annual Report.
Technical Assurance Services (TAS) and Consulting and Implementation (C&I) – global Cyber Security consultancy services. In the prior period, these revenue streams were reported under the Global Professional Services revenue recognition accounting policy, as disclosed in Note 1 of the 2024 Annual Report.
Other services – sale of own manufactured and/or resale of third party products. In the prior period, this revenue stream was reported under the product sales revenue recognition accounting policy, as disclosed in Note 1 of the 2024 Annual Report.

Escode

The revenue streams in relation to Escode include:

Escrow contract services – securely maintain in “escrow” the long-term availability of business-critical software and applications.
Verification services – verify source code, and provide a fully managed secure service and result validation.

While the detailed recognition is contract specific, and set out in the table on pages 116 to 119, in most cases:

TAS, C&I and DFIR revenues are recognised on an input method over time.
MS revenues are bifurcated according to the separated performance obligations (see pages 116 and 117).
Other services revenues are recognised when control passes, usually on delivery.
Escrow contract revenues are recognised over time.
Verification services are recognised on the completion of the verification service.

Revenue is presented net of VAT and other sales related taxes. Revenue is measured based on the consideration specified in a contract with a customer. The Group recognises revenue when it transfers control over a good or service to a customer. The Group does not have any material obligations in respect of returns, refunds or warranties. The impact of any financing component within contracts with customers has been assessed and concluded to be immaterial. On contract inception, the probability of collectability is assessed across the Group and, unless there is a significant change in facts and circumstances, revenue is recognised. During the year or prior period, no instances have been identified where the collectability has had to be reassessed, nor have there been any new contracts with customers for which the collection of consideration has not been assessed at inception as probable.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 115

1 Material accounting policies continued

Revenue recognition continued

Detailed policies

The following table provides information about the nature and timing of the satisfaction of performance obligations in contracts with customers by reportable segment, including significant payment terms, and the related revenue recognition policies.

Revenue stream	Nature	Timing of satisfaction of performance obligations and significant payment terms	Revenue recognition policies, including determination of transaction price and rationale
Cyber Security Managed Services (MS)	These services provide operational cyber defence, scanning, simulation and managed security operations centres (SOCs).	The customer will benefit from the services over the period of the contract.	The amount of revenue recognised in relation to the software licence(s) depends on whether the Group acts as an agent or as a principal. The Group acts as principal when the Group controls the specified software licence or service prior to transfer (MSP model). When the Group acts as a principal the revenue recorded is the gross amount billed. The transaction price is determined by a contract price (cost plus mark-up).
	Services are typically for an extended delivery duration, with contract lengths varying up to a maximum of five years.

1 Material accounting policies

Revenue recognition

The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are based on the residual approach. This is assessed by customer is supplied with treated as separate reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangement whereby the Under a reseller model, the Group’s responsibility is to licence(s) on behalf of the Group controls the service arrange for a third party to provide a specified software customer and provides the prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and Where a reseller model is acting as an agent, and the Group does not control the Response services selected by the customer, the relevant licence(s) before it is transferred to the customer. These services will also include Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a from access to the licence and the Group does not have certain level of professional • Post-go-live fees any further obligations in relation to the provision of the service consultancy days The reseller model is (including post-go-live fees) considered to be under an licence. The commission transaction value represents the based on day rates. agency arrangement whereby mark-up on the licence provided. The majority of set-up fees relate to the MSP model. the customer receives the Set-up fees are recognised over time of the set-up. The benefit and control of the set-up activities are completed by a separate deployment licence on delivery. team that typically spans a period of one to four months. Invoices are raised based on The set-up activities do not customise the licence provided an agreed invoicing profile with by the third party but only allow a link between the client’s the customer. infrastructure and the software to allow monitoring Invoices are usually payable services to be provided by the Group once the set-up within 30 days. process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the professional services, the timing of satisfaction of timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy.

1 Material accounting policies continued

Revenue recognition continued

Detailed policies continued

Revenue stream	Nature	Timing of satisfaction of performance obligations and significant payment terms	Revenue recognition policies, including determination of transaction price and rationale
Cyber Security
Managed Services (MS) continued
	The set-up fees are based on day rates incurred (defined by an in-house day rate sales pricing matrix). Accordingly, the charge out rates are recognised and allocated to these tasks when performed akin to technical professional day rate services. These rates are considered to be the standalone selling prices and are not discounted or reduced for other services. Post-go-live fees are recognised on delivery of consultancy services over time as the customer obtains incremental benefit from the hours provided. Revenue is recognised on an input basis (day rates) to measure the satisfaction of performance obligations over time. Transaction price is determined by fixed contract rates based upon day rates and number of post-go-live consultancy days.	Where one performance obligation, being a combined monitoring cyber and licence service, is identified in relation to the MSP model monitoring service, revenue is recognised over the contract length as the software and monitoring process is an overall service, whereby the Group retains control of the licence and provides a complete monitoring service to the customer. If the customer cancels the contract, the Group will retain control of the licence. Where separate performance obligations are identified for monitoring services and the licence, revenue is recognised over the period the respective services are offered, in line with the underlying contract. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily and therefore revenue is recognised on straight-line basis as the performance obligation is satisfied over time. The transaction price is determined by fixed contract rates for the services. Revenue in relation to the reseller model monitoring service is recognised over the contract length on a straight-line basis as the performance obligation is satisfied over time. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily on straight-line basis. Where the Group provides professional services, the revenue recognition (including the determination of transaction prices) is the same as described within the TAS and C&I revenue recognition policy.
Digital Forensics and Incident Response (DFIR)	DFIR services provide rapid global support during and after cyber attacks, minimising disruption, containing threats, protecting data and enabling swift recovery. DFIR contracts are generally structured on a retainer basis, providing customers with access to DFIR services over a defined contractual period. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days.	The provision of DFIR services on a retainer basis constitutes a series of distinct services that are substantially the same and have the same pattern of transfer to the customer. One performance obligation is identified. Accordingly, revenue is recognised on a straight-line basis over the contractual period. The customer will benefit from the services over the period of the contract.	The transaction price is the fixed retainer fee, which is predetermined within the contract, based on its standalone selling price and spread evenly over the contract duration. Revenue is recognised over time, consistent with the nature of the performance obligation. The entity satisfies its obligation by standing ready to provide DFIR services over the contract term.
Cyber Security continued
Technical Assurance Services (TAS) and Consulting and Implementation (C&I)	These revenue streams represent the Group’s core consulting services, delivered by consultants providing Cyber Security services to customers either over time or based on specific deliverables. Namely: • TAS provides proactive defence of digital assets through vulnerability assessments, penetration testing, adversary simulation, training, third party benefits over time as services	For annuities, the customer simultaneously receives the benefits of the services provision of security services. The customer receives the benefits evenly over time. The performance obligation is satisfied evenly over the length of the contract. For fixed price contracts, the customer simultaneously receives and consumes the benefits over time as services	For annuities, revenue is recognised on a straight-line basis over the contract term, reflecting the continuous provision of security services. The transaction price is predetermined within the contract, based on its standalone selling price and spread evenly over the contract duration. For fixed price contracts, revenue is recognised over time based on an input method that measures progress towards fulfilling the performance obligation. This is calculated using the percentage of project days completed – comparing the number of days actually worked to the total estimated days required to satisfy the obligation.

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 117# Notes to the Financial Statements continued

1 Material accounting policies continued

Revenue recognition continued

Detailed policies continued

Timing of satisfaction of performance obligations and significant payment
Revenue recognition policies, including determination of transaction price and rationale

Revenue stream	Nature	Terms
TAS and C&I services	Since the assurance and ongoing work is performed daily (for example, conducting a security assessment of a customer’s environment), revenue recognition aligns with the ongoing daily effort. The transaction price is fixed upfront, based on agreed-upon day rates that reflect the standalone selling price. For time and materials contracts, revenue is recognised on an input basis by multiplying the actual days delivered by agreed daily rates. The customer benefits daily as services are performed. Contracts with multiple services identify each as a separate performance obligation, and simultaneously receives the benefits of the services provided by the Group in the period over which the work is performed and one promise (performance obligation) is identified. Work is performed on a daily basis.	For time and materials contracts (based upon consultants’ time and expenses), the customer benefits daily as services are performed. The transaction price varies with actual days worked and is based on day rates (defined by an in-house day rate pricing matrix), reflective of the standalone selling price. It is considered that, as the customer benefits over time as services are delivered, and one performance obligation is identified. This is recognised according to the number of days worked, in comparison to the expected total number of days to fulfil the performance obligation. For time and materials contracts, the customer benefits daily as services are performed. The transaction price varies with actual days worked and is based on day rates (defined by an in-house day rate pricing matrix), reflective of the standalone selling price. It is considered that, as the customer benefits over time as services are delivered, and one performance obligation is identified. This is recognised according to the number of days worked, in comparison to the expected total number of days to fulfil the performance obligation. C&I services deliver an obligation identified. This is revenue recognition aligns with the ongoing daily effort. The transaction price is fixed upfront, based on agreed-upon day rates that reflect the standalone selling price. For time and materials contracts, revenue is recognised on an input basis by multiplying the actual days delivered by agreed daily rates. The customer benefits daily as services are performed. Contracts with multiple services identify each as a separate performance obligation, and simultaneously receives the benefits of the services provided by the Group in the period over which the work is performed and one promise (performance obligation) is identified. Work is performed on a daily basis. C&I services deliver an obligation identified. This is revenue recognition aligns with the ongoing daily effort. The transaction price is fixed upfront, based on agreed-upon day rates that reflect the standalone selling price. For time and materials contracts, revenue is recognised on an input basis by multiplying the actual days delivered by agreed daily rates. The customer benefits daily as services are performed. Contracts with multiple services identify each as a separate performance obligation, and simultaneously receives the benefits of the services provided by the Group in the period over which the work is performed and one promise (performance obligation) is identified. Work is performed on a daily basis. C&I services deliver an obligation identified. This is revenue recognition aligns with the ongoing daily effort. The transaction price is fixed upfront, based on agreed-upon day rates that reflect the standalone selling price. For time and materials contracts, revenue is recognised on an input basis by multiplying the actual days delivered by agreed daily rates. The customer benefits daily as services are performed. Contracts with multiple services identify each as a separate performance obligation, and simultaneously receives the benefits of the services provided by the Group in the period over which the work is performed and one promise (performance obligation) is identified. Work is performed on a daily basis. C&I services deliver collaboration to assess security needs, develop tailored strategies, and execute solutions that strengthen organisational security posture and protect critical assets from potential threats. The transaction price varies with actual days worked and is based on day rates (defined by an in-house day rate pricing matrix), reflective of the standalone selling price. It is considered that, as the customer benefits over time as services are delivered, and one performance obligation is identified. This is recognised according to the number of days worked, in comparison to the expected total number of days to fulfil the performance obligation. For all product types referenced above, invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. No material discounts or retrospective rebates are provided. In certain situations the Group operates on agreed customer terms, which allow the Group to recover any abortive revenue from its customer in the event that a customer terminates a contract before the contract or deliverable is complete. Other services
Each revenue stream (TAS and C&I) can include the following product types: • Annuity contracts performed over a fixed contract period • Fixed price contracts based on a fixed contract value (derived from day rates) • Time and materials contracts based on actual days incurred and agreed day rates	The customer only benefits from the products on delivery. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days.	Revenue is recognised when control of the product is transferred to the customer. This occurs upon delivery or resale of third party products under the contractual terms. On certain sales of third party products, the control of the product is considered to pass from the vendor to the end customer and in these cases the Group acts as an agent, and hence only records a commission on sale as opposed to gross revenue and costs of sale. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days.

Invoices in relation to any abortive revenue will be recognised when aborted.

Contract costs

Contract costs comprise incremental sales commissions paid to sales agents or external third parties, which can be directly attributed to an acquired or retained contract. Capitalised commission costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services when the related revenues are recognised. In all other cases, all internal and external costs of obtaining the contract are recognised as incurred. Costs directly incurred in fulfilling a contract with a customer, which comprise labour hours on long-term contracts, are recognised as an asset to the extent they are recoverable. Such costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services when the related revenues are recognised.

Accrued income (contract asset)

Accrued income represents the Group’s rights to consideration for work completed but not billed at the reporting date. Remaining balances are transferred to receivables when the rights become unconditional.

Deferred revenue (contract liability)

Deferred revenue represents advanced consideration received from customers for which revenue is recognised over time as services are rendered.

Determination and presentation of operating segments

The Group determines and presents operating segments based on the information that is provided to the Board, which acts as the Group’s Chief Operating Decision Maker (CODM) in order to assess performance and to allocate resources. An operating segment is a component of the Group that engages in business activities from which it may earn revenues and incur expenses, including revenues and expenses that relate to transactions with any of the Group’s other components. An operating segment’s results are reviewed regularly by the CODM to make decisions about resources to be allocated to the segment and to assess its performance.

The Group reports its business in two key segments: the Cyber Security division and the Escode division. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. The operating segments are grouped into the reporting segments on the basis of how they are reported to the CODM. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments. Both of the Group’s divisions (segments) are run by a senior executive team; those teams make all decisions on resource allocation, product development, marketing and areas for focus and investment. Where the CODM continues to review the results of a discontinued operation, the related financial information is included within the segmental disclosures in Note 3.

1 Material accounting policies continued

Revenue recognition continued

Detailed policies continued

Timing of satisfaction of performance obligations and significant payment
Revenue recognition policies, including determination of transaction price and rationale

Revenue stream	Nature	Terms
Escode Escrow contract	These services securely maintain in “escrow” the escrow service long-term availability of business-critical software and applications while protecting the intellectual property rights (IPR) of technology partners. The service will include set-up time, which is administrative in nature. Set-up time is not considered distinct or a separate performance obligation due to the administrative nature and therefore is recognised over the period of the contract.	The customer benefits from the escrow service over a contract period, usually at least a year and potentially up to three years. The service represents one performance obligation. Revenue is recognised over time on a straight-line basis evenly over the contract period, representing the service delivery agreement. The nature of the agreement gives rise to the customer having the benefit of Escode if and when required over the contract period. Revenue is recognised on a straight-line basis as the pattern of benefit to the customer as well as the Group’s efforts to fulfil the contract are generally even throughout the period. The transaction price is determined by a contract price. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days.
Verification	These services verify source code based upon an agreed scope between all parties and typically delivered over a short period of time (days). These include SaaS services and ICANN services.	The customer benefits from the verification service on completion of the services because the source code will only have been fully verified/validated at that point. Transaction price is determined by fixed contract rates based upon day rates and number of verification days. The service represents one performance obligation. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days.

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 119

1 Material accounting policies continued

Allocation of central costs

Some costs are collected and managed in one location but are actually incurred on behalf of multiple operating segments or reporting segments. These costs are then allocated to the reporting segments. The allocation is based on logical or activity driven cost algorithms. The allocation is necessary to give an accurate picture of the consumption of resources by each reporting segment. Where discontinued operations are identified, central overheads that continue to be incurred by the Group (and would be incurred by the Group regardless of a planned disposal) are allocated entirely to continuing operations.

Individually Significant Items (ISIs)

ISIs are identified as those items or projects that based on their size and nature and/or incidence are assessed to warrant separate disclosure to provide supplementary information to support the understanding of the Group’s financial performance.# NCC Group plc — Annual report and accounts for the year ended 30 September 2025

120 Notes to the Financial Statements continued for the year ended 30 September 2025

1 Material accounting policies continued

Foreign currencies
Transactions in foreign currencies are recorded using the appropriate monthly exchange rate ruling at the date of the transaction. Monetary assets and liabilities denominated in foreign currencies are retranslated using the exchange rate ruling at the Balance Sheet date and the gains or losses on translation are included in the Income Statement. The assets and liabilities of overseas subsidiaries denominated in foreign currencies are retranslated at the exchange rate ruling at the Balance Sheet date. The income statements of overseas subsidiary undertakings are translated at the average exchange rates for the financial year. Gains and losses arising on the retranslation of overseas subsidiary undertakings are taken to the currency translation reserve. They are released to the Income Statement upon disposal of the subsidiary to which they relate.

Derivative financial instruments and hedge accounting
The Group holds derivative financial instruments to hedge its foreign currency risk exposures. Derivatives are initially measured at fair value. Subsequent to initial recognition, derivatives are measured at fair value, and changes therein are generally recognised in profit or loss. The Group designates certain derivatives as hedging instruments to hedge the variability in cash flows associated with highly probable forecast transactions arising from changes in foreign exchange rates. At inception of designated hedging relationships, the Group documents the risk management objective and strategy for undertaking the hedge. The Group also documents the economic relationship between the hedged item and the hedging instrument, including whether the changes in cash flows of the hedged item and hedging instrument are expected to offset each other.

Cash flow hedges
When a derivative is designated as a cash flow hedging instrument, the effective portion of changes in the fair value of the derivative is recognised in OCI and accumulated in the hedging reserve. The effective portion of changes in the fair value of the derivative that is recognised in OCI is limited to the cumulative change in fair value of the hedged item, determined on a present value basis, from inception of the hedge. Any ineffective portion of changes in the fair value of the derivative is recognised immediately in profit or loss. The Group designates only the change in fair value of the spot element of forward exchange contracts as the hedging instrument in cash flow hedging relationships. The change in fair value of the forward element of forward exchange contracts (forward points) is separately accounted for as a cost of hedging and recognised in a cost of hedging reserve within equity. When the hedged forecast transaction subsequently results in the recognition of a non-financial item, the amount accumulated in the hedging reserve and the cost of hedging reserve is included directly in the initial cost of the non-financial item when it is recognised. For all other hedged forecast transactions, the amount accumulated in the hedging reserve and the cost of hedging reserve is reclassified to profit or loss in the same period or periods during which the hedged expected future cash flows affect profit or loss. If the hedge no longer meets the criteria for hedge accounting or the hedging instrument is sold, expires, is terminated or is exercised, then hedge accounting is discontinued prospectively. When hedge accounting for cash flow hedges is discontinued, the amount that has been accumulated in the hedging reserve remains in equity until, for a hedge of a transaction resulting in the recognition of a non-financial item, it is included in the non-financial item’s cost on its initial recognition or, for other cash flow hedges, it is reclassified to profit or loss in the same period or periods as the hedged expected future cash flows affect profit or loss. If the hedged future cash flows are no longer expected to occur, then the amounts that have been accumulated in the hedging reserve and the cost of hedging reserve are immediately reclassified to profit or loss.

Defined contribution pensions
The Group operates a defined contribution pension scheme. The assets of the scheme are kept separate from those of the Group in an independently administered fund. The amount charged as an expense in the Income Statement represents the contributions payable to the scheme in respect of the accounting period.

Short-term benefits
Short-term colleague benefit obligations are measured on an undiscounted basis and are expensed as the related service is provided. A liability is recognised for the amount expected to be paid under short-term cash bonus or profit-sharing plans if the Group has a present legal or constructive obligation to pay this amount as a result of past service provided by the colleague and the obligation can be estimated reliably.

Share-based payment transactions
Share-based payments in which the Group receives goods or services as consideration for its own equity instruments are accounted for as equity settled share-based payment transactions, regardless of how the equity instruments are obtained by the Group. The grant date fair value of share-based payment awards granted to colleagues is recognised as a colleague expense, with a corresponding increase in equity, over the period that the colleagues become unconditionally entitled to the awards. The fair value of the options granted is measured using an option valuation model, taking into account the terms and conditions upon which the options were granted.

The amount recognised as an expense is adjusted to reflect the actual number of awards for which the related service and non-market vesting conditions are expected to be met, such that the amount ultimately recognised as an expense is based on the number of awards that do meet the related service and non-market performance conditions at the vesting date. For share-based payment awards with non-vesting conditions and market conditions, the grant date fair value of the share-based payment is measured to reflect such conditions and there is no true-up for differences between expected and actual outcomes. Share-based payment transactions in which the Group receives goods or services by incurring a liability to transfer cash or other assets that is based on the price of the Group’s equity instruments are accounted for as cash settled share-based payments. The fair value of the amount payable to colleagues is recognised as an expense, with a corresponding increase in liabilities, over the period in which the colleagues become unconditionally entitled to payment. The liability is remeasured at each Balance Sheet date and at settlement date. Any changes in the fair value of the liability are recognised as personnel expense within the Income Statement. Where the Company grants options over its own shares to the colleagues of a subsidiary it recognises in its individual Financial Statements, an increase in the cost of investment in that subsidiary equivalent to the equity settled share-based payment charge is recognised in respect of that subsidiary in its consolidated Financial Statements with the corresponding credit being recognised directly in equity.

Holiday or vacation pay
The Group recognises a liability in the Balance Sheet for any earned but not yet taken holiday entitlement for staff. Earned holiday is calculated on a straight-line basis over a holiday year, which can vary by business unit. Taken holiday is based on actually taken holiday. Any movement in the liability between the opening and closing balance in the period is recorded as a colleague cost or a reduction in colleague costs in the Income Statement in the period.

Borrowings
Borrowings are recognised initially at fair value less attributable transaction costs. Subsequent to initial recognition, borrowings are stated at amortised cost with any difference between cost and redemption value being recognised in the Income Statement over the period of the borrowings on an effective interest basis.

Finance costs
Finance costs are recognised within the Income Statement in the period in which they are incurred.

Provisions
Provisions are determined by discounting the expected future cash flows at a pre-tax rate that reflects current market assessments of the time value of money and the risks specific to the liability. The unwinding of the discount is recognised as finance cost.

Taxation
Taxation on the profit or loss for the year/period comprises current and deferred taxation. Taxation is recognised in the Income Statement except to the extent that it relates to items recognised directly in equity, in which case it is recognised in equity. Current tax is the expected tax payable or receivable on the taxable income or loss for the period, using tax rates enacted or substantively enacted at the Balance Sheet date, and any adjustment to tax payable in respect of previous years. Deferred tax is provided on temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and the amounts used for taxation purposes.# Notes to the Financial Statements

1 Material accounting policies continued

The following temporary differences are not provided for: the initial recognition of goodwill; the initial recognition of assets or liabilities that affect neither accounting nor taxable profit other than in a business combination; and differences relating to investments in subsidiaries to the extent that they will probably not reverse in the foreseeable future. The amount of deferred tax provided is based on the expected manner of realisation or settlement of the carrying amount of assets and liabilities, using tax rates enacted or substantively enacted at the Balance Sheet date. A deferred tax asset is recognised only to the extent that it is probable that future taxable profits will be available against which the temporary difference can be utilised. Deferred tax assets and liabilities are offset where there is a legally enforceable right to offset current tax assets and liabilities and where the deferred tax balances relate to the same taxation authority. Current tax assets and tax liabilities are offset where the entity has a legally enforceable right to offset and intends either to settle on a net basis, or to realise the asset and settle the liability simultaneously. UK research and development expenditure credits (RDECs) are recognised for the UK tax jurisdiction within administrative expenses and R&D US tax credits within income tax for the US tax jurisdiction.

Intra-group financial instruments

From time to time, the Company enters into financial guarantee contracts to guarantee the indebtedness of its subsidiaries. The Company accounts for these contracts under IFRS 9. Financial guarantee contracts are initially measured at fair value and subsequently measured at the higher of fair value and the expected credit loss. Intercompany loans within the Company are repayable on demand and are classified as financial assets. Interest income is recognised using the effective interest method in accordance with IFRS 9.

Cash and cash equivalents

Cash and cash equivalents comprise cash in hand and deposits repayable on demand. Bank overdrafts that are repayable on demand form part of the Group’s cash management and are included as a component of cash and cash equivalents for the purpose only of the Statement of Cash Flows. These facilities are considered to form an integral part of the treasury management of the Group and can fluctuate from positive to negative balances during the period.

Treasury shares

The Group operates an Employee Share Ownership Trust (ESOT), which holds shares for the benefit of employees under the Group’s share-based payment schemes. Shares held by the ESOT are classified as treasury shares in the consolidated Financial Statements and are presented as a deduction from equity. Consideration received for the sale of such shares is also recognised in equity, with any difference between the proceeds from sale and the original cost being taken to reserves. No gain or loss is recognised in the Income Statement on the purchase, sale, issue or cancellation of equity shares. To the extent the Company makes funds available to the ESOT under the terms of a formal loan arrangement, this loan arrangement is recognised as an intergroup loan receivable within current assets. The recoverability of this loan receivable is reviewed at each reporting date, and where objective evidence of impairment exists, an impairment loss is recognised in accordance with IFRS 9 ‘Financial Instruments’.

2 Critical accounting judgements and key sources of estimation uncertainty

The preparation of Financial Statements requires management to exercise judgement in applying the Group’s accounting policies. Different judgements would have the potential to change the reported outcome of an accounting transaction or Balance Sheet. It also requires the use of estimates that affect the reported amounts of assets, liabilities, income and expenses. Actual results may differ from these estimates. Estimates and underlying assumptions are reviewed on an ongoing basis, with changes recognised in the period in which the estimates are revised and in any future periods affected. The table below shows the area of critical accounting judgement and estimation that the Directors consider material and that could reasonably change significantly in the next year.

Accounting area	Accounting judgement?	Accounting estimate?
Carrying value of goodwill	No	Yes

2.1 Critical accounting judgements

No critical accounting judgements have been made in applying accounting policies that have the most significant effects on the amounts recognised in the consolidated Financial Statements.

2.2 Key sources of estimation uncertainty

Information about estimation uncertainties that have a significant risk of resulting in a material adjustment to the carrying values of assets and liabilities within the next financial year is addressed below. While every effort is made to ensure that such estimates and assumptions are reasonable, by their nature they are uncertain, and as such changes in estimates and assumptions may have a material impact. Estimates and assumptions used in the preparation of the Financial Statements are continually reviewed and revised as necessary as at each reporting date. The Directors have considered the impact of climate change on the following estimation uncertainties. Due to nature of the climate change impact on the Group, no material impact has been identified. The key sources of estimation uncertainty disclosed in the Group’s consolidated Financial Statements for the 16 month period ended 30 September 2024 remain applicable for the year ended 30 September 2025. These primarily relate to the carrying value of goodwill.

Carrying value of goodwill

The Group has significant goodwill balances as at 30 September 2025, arising from acquisitions in previous years. The carrying value of goodwill at 30 September 2025 is £46.3m (30 September 2024: £156.5m). Goodwill is tested for impairment annually on 30 September. The Group allocates goodwill to cash generating units (CGUs), representing the lowest level of asset groupings that generate independent cash inflows. For the year ended 30 September 2025, tests for impairment are based on the calculation of a fair value less costs to sell (FVLCTS) which has been used to establish the recoverable amount of each CGU. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA ¹ , and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation include a key assumption regarding achievable forecast revenue. Reasonable changes in the key assumptions used to determine the sustainable earnings can materially impact the outcomes of the impairment reviews and the impairment charges recognised. An analysis of the Group’s goodwill, the methodology used to test for impairment and sensitivity analysis relating to the sustainable earnings are set out in Note 11.

Regarding the prior period, the two principal areas of estimation uncertainty (whereby reasonable changes in their assumptions could materially impact their respective outcomes) related to:

The impairment of goodwill within the North America Cyber Security CGU
The reallocation of goodwill within the Europe Cyber Security CGU

Impairment of goodwill – North America Cyber Security

This estimate involved a calculation of sustainable earnings, within which the gross margin used was a key assumption, which had the potential to result in material adjustments to the carrying amounts of goodwill. No impact was noted in the current year, given the full goodwill balance was impaired in the prior period.

Reallocation of goodwill – Europe Cyber Security

This estimate involved an allocation of goodwill between the Fox Crypto CGU and the remaining Europe Cyber Security CGU. This was based on a calculation of adjusted relative fair values, within which the revenue used was a key assumption. The goodwill allocated to the Fox Crypto CGU was reclassified as an asset held for sale at 30 September 2024 and was derecognised on 28 March 2025 following the completion of the disposal of Fox Crypto (see Note 31). No further impairments or changes to goodwill allocations have occurred in the year ended 30 September 2025. For further information on the Group’s impairment methodology and sensitivity analyses, refer to Note 11.

¹ Revenue at constant currency, Adjusted EBITDA, and net debt excluding lease liabilities are Alternative Performance Measures (APMs) rather than IFRS measures. For an explanation of APMs and adjusting items, including a reference to the reconciliation with statutory information, please see Appendix 1.

3 Segmental information

The Group is organised into the following two (2024: two) reportable segments: Cyber Security and Escode. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. These operating segments are deemed to hold similar economic characteristics. The operating segments are grouped into the reporting segments on the basis of how they are reported to the Chief Operating Decision Maker (CODM) for the purposes of IFRS 8 ‘Operating Segments’, which is considered to be the Board of Directors of NCC Group plc. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 121
Notes to the Financial Statements continued for the year ended 30 September 2025 122# Segmental information

Performance is measured based on reporting segment profit, with interest and tax not allocated to business segments. There are no intra-segment sales. During the year, the Group’s Escode business has been classified as a discontinued operation as described in Note 16. As the CODM continues to assess the performance of this operation, its results are included in the segmental information presented below. The central and head office cost centre is not considered to be a separate operating segment nor part of any other operating segment as it does not generate any revenues. Included within central and head office are assets and liabilities not specifically allocated to the reporting segments and include investments, head office tangible and intangible assets, deferred tax assets and liabilities, right-of-use assets and associated lease liabilities, Parent Company cash balances, the RCF and certain provisions. Central and head office assets and liabilities are disclosed to allow a reconciliation back to the Group’s assets and liabilities.

Segmental analysis for the year ended 30 September 2025

	Continuing Operations - Central and head office	Continuing Operations - Cyber Security	Continuing Operations - Sub-total	Discontinued operations - Escode	Group Total
£m	£m	£m	£m	£m	£m
Revenue	—	238.9	238.9	66.5	305.4
Cost of sales	—	(150.5)	(150.5)	(19.0)	(169.5)
Gross profit	—	88.4	88.4	47.5	135.9
Gross margin %	—	37.0%	37.0%	71.4%	44.5%
Administrative expenses*	(11.2)	(68.4)	(79.6)	(9.6)	(89.2)
Share-based payments	(2.6)	(0.2)	(2.8)	(0.2)	(3.0)
Depreciation	(2.5)	(6.6)	(9.1)	(0.7)	(9.8)
Amortisation of software and development costs	(0.6)	(1.2)	(1.8)	(0.3)	(2.1)
Amortisation of acquired intangibles	(2.1)	(1.0)	(3.1)	(5.0)	(8.1)
Individually Significant Items (Note 4)	(5.6)	(3.9)	(9.5)	—	(9.5)
Total administrative expenses	(24.6)	(81.3)	(105.9)	(15.8)	(121.7)
Profit on disposal of Fox Crypto	11.4	—	11.4	—	11.4
Operating (loss)/profit	(13.2)	7.1	(6.1)	31.7	25.6
Finance costs	(5.0)
Profit before taxation	20.6
Taxation	(3.5)
Profit for the year attributable to owners of the Company	17.1

In accordance with IFRS 5, £6.8m of head office overheads incurred by the discontinued Escode division during the year have been reallocated to central and head office within continuing operations. This is due to the fact that if an operation is disposed of, the relevant central overheads may not decrease in the short term.

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 123

3 Segmental information continued

	Continuing Operations - Central and head office	Continuing Operations - Cyber Security	Continuing Operations - Sub-total	Discontinued operations - Escode	Group Total
£m	£m	£m	£m	£m	£m
Revenue	—	342.1	342.1	87.4	429.5
Cost of sales	—	(224.1)	(224.1)	(26.7)	(250.8)
Gross profit	—	118.0	118.0	60.7	178.7
Gross margin %	—	34.5%	34.5%	69.5%	41.6%
Administrative expenses*	(13.0)	(97.3)	(110.3)	(14.5)	(124.8)
Share-based payments	(2.0)	(0.1)	(2.1)	(0.2)	(2.3)
Depreciation	(3.5)	(9.4)	(12.9)	(0.6)	(13.5)
Amortisation of software and development costs	(1.8)	(1.5)	(3.3)	—	(3.3)
Amortisation of acquired intangibles	(4.0)	(1.4)	(5.4)	(7.1)	(12.5)
Individually Significant Items (Note 4)	—	(41.4)	(41.4)	(0.1)	(41.5)
Total administrative expenses	(24.3)	(151.1)	(175.4)	(22.5)	(197.9)
Operating (loss)/profit	(24.3)	(33.1)	(57.4)	38.2	(19.2)
Finance costs	(8.3)
Loss before taxation	(27.5)
Taxation	(5.0)
Loss for the period attributable to owners of the Company	(32.5)

In accordance with IFRS 5, £9.6m of head office overheads incurred by the discontinued Escode division during the prior period have been reallocated to central and head office within continuing operations, restating the prior period Escode and central and head office administrative expenses. This is due to the fact that if an operation is disposed of, the relevant central overheads may not decrease in the short term. See Note 16 for further details.

Segmental analysis as at 30 September 2025

	Continuing Operations - Central and head office	Continuing Operations - Cyber Security	Continuing Operations - Sub-total	Discontinued operations - Escode	Group Total
£m	£m	£m	£m	£m	£m
Additions to non-current assets	3.5	7.8	11.3	0.3	11.6
Reportable segment assets	28.9	116.4	145.3	198.0	343.3
Reportable segment liabilities	(32.0)	(65.0)	(97.0)	(39.8)	(136.8)

Segmental analysis as at 30 September 2024

	Continuing Operations - Central and head office	Continuing Operations - Cyber Security	Continuing Operations - Sub-total	Discontinued operations - Escode	Group Total
£m	£m	£m	£m	£m	£m
Additions to non-current assets	4.0	12.6	16.6	1.6	18.2
Reportable segment assets	37.5	183.8	221.3	198.8	420.1
Reportable segment liabilities	(113.0)	(77.2)	(190.2)	(24.7)	(214.9)

The net book value of non-current assets is analysed geographically as follows:

	30 September 2025 £m	30 September 2024 £m
Continuing operations
UK	57.5	57.5
APAC	4.8	5.4
North America	1.6	2.0
Europe	11.3	8.6
Total non-current assets	75.2	73.5
Discontinued operations
UK	24.5	28.4
APAC	—	—
North America	156.4	162.3
Europe	7.6	9.4
Total non-current assets*	188.5	200.1

Non-current assets associated with the Escode division have been reclassified to current assets given it meets the definition of an asset held for sale as at 30 September 2025.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 124

Notes to the Financial Statements continued for the year ended 30 September 2025

3 Segmental information continued

Revenue is disaggregated by primary geographical market, by category and by timing of revenue recognition as follows:

Revenue by originating country

	Continuing operations - Cyber Security 2025 £m	Continuing operations - Cyber Security 2024 £m	Discontinued operations - Escode 2025 £m	Discontinued operations - Escode 2024 £m	Total 2025 £m	Total 2024 £m
UK	125.8	158.9	29.3	36.5	155.1	195.4
APAC	8.6	14.4	0.1	—	8.7	14.4
North America	56.7	90.7	32.9	45.5	89.6	136.2
Europe	47.8	78.1	4.2	5.4	52.0	83.5
Total revenue	238.9	342.1	66.5	87.4	305.4	429.5

Revenue by category

	Continuing operations - Cyber Security 2025 £m	Continuing operations - Cyber Security 2024 £m	Discontinued operations - Escode 2025 £m	Discontinued operations - Escode 2024 £m	Total 2025 £m	Total 2024 £m
Services	236.0	337.5	66.5	87.4	302.5	424.9
Products	2.9	4.6	—	—	2.9	4.6
Total revenue	238.9	342.1	66.5	87.4	305.4	429.5

Timing of revenue recognition

	Continuing operations - Cyber Security 2025 £m	Continuing operations - Cyber Security 2024 £m	Discontinued operations - Escode 2025 £m	Discontinued operations - Escode 2024 £m	Total 2025 £m	Total 2024 £m
Services and products transferred over time	219.6	322.1	42.9	57.9	262.5	380.0
Services and products transferred at a point in time	19.3	20.0	23.6	29.5	42.9	49.5
Total revenue	238.9	342.1	66.5	87.4	305.4	429.5

The total future revenue from the remaining term of the Group’s continuing operations contracts, for performance obligations not yet delivered as of 30 September 2025, is £232.8m (2024 restated*: £224.2m). The equivalent from discontinued operations is £24.7m (2024: £22.4m). The Group expects this revenue to be recognised over the respective contract terms between FY26 and FY30. The prior period amounts have been restated following the Escode division being classed as a discontinued operation in 2025.

The prior period number has been restated, following a review that identified £4.8m had been incorrectly included.

As part of the Group’s ongoing transformation and the implementation of its new strategy, Cyber Security revenue continues to be analysed in greater detail by service type and capability. This change in analysis enables the Group to better focus on existing customers, as well as on simplifying operations and the core services provided. The analysis is as follows:

	2025 £m	2024 £m
Continuing operations
Technical Assurance Services (TAS)	88.4	141.4
Consulting and Implementation (C&I)	48.5	55.2
Managed Services (MS)	76.4	91.8
Digital Forensics and Incident Response (DFIR)	13.1	20.6
Other services	12.5	33.1
Total Cyber Security revenue	238.9	342.1

In compliance with IFRS 8, the Group had one external customer contributing £33.7m of revenue for the year ended 30 September 2025, representing more than 10% of the Group’s total revenue. This revenue is attributable to the Cyber Security reportable segment. There were no individual external customers contributing more than 10% of revenue in the prior period.

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 125

3 Segmental information continued

Revenues from the Escode business, classified as a discontinued operation for the year ended 30 September 2025, have been analysed by service line:

	Discontinued operations 2025 £m	Discontinued operations 2024 £m
Escrow contracts	43.0	57.2
Verification services	23.5	30.2
Total Escode revenue	66.5	87.4

4 Individually Significant Items (ISIs)

The Group separately identifies items as Individually Significant Items. Each of these is considered by the Directors to be sufficiently unusual in terms of nature or scale so as not to form part of the underlying performance of the business. They are therefore separately identified and excluded from adjusted results (as explained in Appendix 1).

Reference	2025 £m	2024 £m
Fundamental reorganisation costs (a)	3.9	9.4
Costs associated with strategic review of Escode business (b)	3.8	0.1
Costs associated with strategic review of Cyber business (c)	1.8	—
Profit on disposal of DetACT/DDI (d)	—	(1.5)
North America Cyber Security goodwill impairment (e)	—	31.9
Transaction costs of Fox Crypto (f)	—	1.6
Total ISIs (excluding profit on disposal of Fox Crypto)	9.5	41.5
Profit on disposal of Fox Crypto (f)	(11.4)	—
Total ISIs	(1.9)	41.5

(a) Fundamental reorganisation costs

In order to implement the next chapter of the Group’s strategy to enhance future growth, certain strategic actions are required including reshaping the Group’s global delivery and operational model. This reshaping is considered a fundamental reorganisation and restructuring programme that will span reporting periods, and the total project size and nature are considered in totality.The programme commencement was accelerated following the Group experiencing specific market conditions that validated the rationale of the next chapter of the Group’s strategy. The programme included three planned phases (with phase 3 remaining in progress as at 30 September 2025) as follows:
• Phase 1 (March–April 2023) – initial reduction in global delivery and operational headcount, and c.7% reduction of the Group’s global headcount.
• Phase 2 (June–September 2023) – a further reduction in the global delivery, operational and corporate functions’ headcount prior to opening our offshore operations and delivery centre in Manila.
• Phase 3 (October 2023–December 2025) – the Group’s intention remains for phase 3 of the reorganisation to complete by December 2025; however, this will continue to be monitored as the transformation strategy progresses as we ensure the operating model is market aligned, and delivery is focused to support the underlying Cyber Security business strategy.

Costs of £3.9m (2024: £9.4m) and a cash outflow of £3.8m (2024: £6.0m) have been incurred in relation to the implementation of this reorganisation. These costs primarily consist of severance payments, associated taxes, and professional fees for advisory and legal services. The reorganisation costs include £0.3m (2024: £3.4m) related to property rationalisation. This comprises £0.1m (2024: £3.5m) in property closure impairment charges and £nil (2024: £0.4m) in fixed asset impairment charges, both relating to non-current assets. Additionally, £nil (2024: £0.7m) relates to non-rental provision costs. Offsetting these costs are £0.2m (2024: £0.8m) in non-current asset impairment reversals and £nil (2024: £0.4m) in provision reversals. These costs and reversals reflect the impact of a reduction in the Group’s global headcount, leading to decreased office utilisation and a re-evaluation of the global property portfolio. It is expected that costs will continue to be incurred into FY26. The Group will need to exercise judgement in assessing whether restructuring items should be classified as ISIs. This assessment will consider the nature of the item, its cause, the scale of its impact on reported performance, the resulting benefits, and alignment with the original reorganisation programme’s principles and plans.

(b) Costs associated with strategic review of Escode business

In February 2023, the Group announced the commencement of a strategic review of its Escode business and other core and non-core assets. The review of the Escode business was subsequently stopped in June 2023, which was reinforced within the Group’s 2024 Annual Report and Accounts. However, during the year ended 30 September 2025, the Group confirmed that it was exploring a number of options for its Escode business, including a potential sale. This was subsequently reinforced by the Group’s trading update issued on 21 October 2025. Professional fees of £3.8m (2024: £0.1m) have been incurred during the year, primarily relating to advisory support services. These costs meet the Group’s policy for inclusion as ISIs, having been incurred as part of the wider restructuring and reorganisation activities ongoing within the Group. Costs of £3.8m (2024: £0.1m) and a cash outflow of £1.8m (2024: £0.1m) have been incurred.

On 28 April 2025, the Group confirmed that it was investigating a number of options for its Escode business including a potential sale. On 16 July 2025 the Company confirmed that it was in the early stages of commencing a review of all strategic options for its Cyber business in the event the sale of the Escode business is agreed (the "Cyber Review"). This was subsequently reinforced by the Group’s trading update issued on 21 October 2025. This process remains at a very early stage, and as at 30 September 2025, no decisions had been made regarding which option will be pursued.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025126
Notes to the Financial Statements continued for the year ended 30 September 2025

4 Individually Significant Items (ISIs) continued

During the year the Group has incurred professional fees of £1.8m (2024: £nil) in relation to the Cyber review, primarily relating to advisory support services. Costs of £1.8m (2024: £nil) and a cash outflow of £0.9m (2024: £nil) have been incurred.

(d) Profit on disposal of DetACT/DDI

In the prior period, on 30 April 2024, the Group disposed of its DetACT business for cash consideration of £8.2m. A profit of £1.6m was recognised in relation to this disposal. There has been no impact in the current year. On 31 December 2022, the Group disposed of its DDI business for a total consideration of £5.8m, consisting of a cash payment of £2.0m and contingent consideration of £3.8m. This disposal resulted in a profit of £nil (2024: £nil) directly attributable to the DDI business sale. Further details are available in the 2024 Annual Report. The Group classified these proceeds under ISIs due to the material profit on disposal. During the period ended 30 September 2024 the £3.8m contingent consideration identified in 2023 was received, and a £0.1m reclassification related to the final tranche payment was recorded. No additional contingent consideration payments were received in the year ended 30 September 2025.

(e) North America Cyber Security goodwill impairment

Following the impairment review of goodwill as at 31 May 2024, an impairment of £31.9m was recognised in North America Cyber Security for the period ended 30 September 2024. No further impairment has been recognised in the year ended 30 September 2025. For further details, please refer to Note 11.

(f) Profit on disposal/transaction costs of Fox Crypto B.V.

On 28 March 2025, the Group completed the disposal of Fox Crypto B.V. to CR Group Nordic AB for a gross cash consideration of £65.6m. A gain on disposal of £11.3m has been recognised within ISIs in the year ended 30 September 2025, calculated as cash consideration of £65.6m, less net assets disposed of £52.3m and transaction costs of £2.0m incurred in the year. An additional £1.5m of related transaction costs were recognised in ISIs in the 16 month period ended 30 September 2024. After accounting for these, the total gain on disposal amounts to £9.8m. Refer to Note 31 for further details, including a reconciliation of the gain on disposal. A further £0.1m of other transaction costs was included in the prior period that did not relate to Fox Crypto. As this represents a material gain on disposal, this has been classified as a separate line item within the Income Statement. Since completion of the deal, £0.1m (2024: £nil) of income has been earned under a six month transactional services agreement (TSA), bringing the overall impact relating to Fox Crypto to £11.4m.

5 Expenses and auditor’s remuneration

Group 2025 £m	Auditor’s remuneration
	Profit/(loss) before taxation is stated after charging:
	Amounts receivable by auditor and its associates in respect of:
	Audit of the Parent and consolidated annual Financial Statements	1.5
	Audit of Financial Statements of subsidiaries pursuant to legislation	0.1
	Other assurance services (see Audit Committee Report on page 71 for further information)	0.1
	Total audit	1.7

Continuing operations 2025 £m	Discontinued operations 2025 £m	Group 2025 £m
Profit/(loss) before taxation is stated after charging/(crediting):
Amortisation of software costs (Note 11)	1.4	—	1.4
Amortisation of acquired intangibles (Note 11)	3.1	5.0	8.1
Amortisation of development costs (Note 11)	0.4	0.3	0.7
Depreciation of property, plant and equipment (Note 12)	4.1	0.2	4.3
Depreciation of right-of-use assets (Note 13)	5.0	0.5	5.5
Loss on disposal of non-current assets (Note 12)	1.2	—	1.2
Other impairment charge of non-current assets (Note 13)	0.3	—	0.3
Impairment reversal of non-current assets (Note 13)	(0.2)	—	(0.2)
Profit on disposal of Fox Crypto B.V. (Note 4)	(11.4)	—	(11.4)
Individually Significant Items (ISIs) (Note 4)	9.5	—	9.5
Net impairment gains on financial and contract assets (Note 21)	(0.3)	—	(0.3)
Foreign exchange losses	2.7	—	2.7
Research and development UK tax credits	0.4	—	0.4
Gain on disposal following derecognition of lease liabilities	(1.9)	—	(1.9)

Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 127

5 Expenses and auditor’s remuneration continued

Auditor’s remuneration Group 2024 £m
Profit/(loss) before taxation is stated after charging:
Amounts receivable by auditor and its associates in respect of:
Audit of the Parent and consolidated annual Financial Statements	1.6
Audit of Financial Statements of subsidiaries pursuant to legislation	0.1
Other assurance services (see Audit Committee Report on page 71 for further information)	0.1
Total audit	1.8

Continuing operations 2024 £m	Discontinued operations 2024 £m	Group 2024 £m
Profit/(loss) before taxation is stated after charging/(crediting):
Amortisation of development costs (Note 11)	1.3	—	1.3
Amortisation of software costs (Note 11)	2.0	—	2.0
Amortisation of acquired intangibles (Note 11)	5.4	7.1	12.5
Depreciation of property, plant and equipment (Note 12)	5.1	0.3	5.4
Depreciation of right-of-use assets (Note 13)	7.8	0.3	8.1
Other impairment charge of non-current assets	0.5	0.4	0.9
Individually Significant Items (ISIs) (Note 4)	41.4	0.1	41.5
Net impairment losses on financial and contract assets (Notes 14 and 21)	0.4	—	0.4
Cost of inventories recognised as an expense	0.8	—	0.8
Foreign exchange losses	1.9	—	1.9
Research and development UK tax credits	(0.3)	(0.2)	(0.5)
Profit on disposal of right-of-use assets	(0.1)	—	(0.1)

1 The only non-audit services provided by the auditor were the interim review for the half year ended 31 March 2025, for which the fee was £80,000 (31 May 2024 interim review: £80,000), and access to a genericonline accounting manual, for which the fee was £2,000 (2024: £2,000).

6 Staff numbers and costs

Directors’ emoluments are disclosed in the Remuneration Committee Report. Total aggregate emoluments of the Directors in respect of the year ended 30 September 2025 were £2.5m (2024: £3.4m). Employer contributions to pensions for Executive Directors for qualifying periods were £40,000 (2024: £50,000). The Company provided pension payments in lieu of pension contributions for two (2024: three) Executive Directors during the year ended 30 September 2025. The aggregate net value of share awards granted to the Directors in the year was £nil (2024: £3.7m). The net value has been calculated by reference to the closing mid-market price of the Company’s shares on the day before the date of grant. During the year, no (2024: 5,000) share options were exercised by Directors and their gain on exercise of share options was £nil (2024: £5,000).

The average monthly number of persons employed by the Group during the year, including Executive Directors and discontinued operations, is analysed by category as follows:

Number of colleagues	2025	2024
Operational	1,642	1,733
Administration	498	468
Total	2,140	2,201

The aggregate payroll costs (inclusive of Executive Directors and discontinued operations) of these persons were as follows:

	2025	2024
	£m	£m
Wages and salaries	177.2	247.4
Share-based payments (Note 24)	2.1	2.3
Social security costs	16.6	25.9
Other pension costs (Note 28)	7.4	8.0
Total payroll costs	203.3	283.6

NCC Group plc — Annual report and accounts for the year ended 30 September 2025128
Notes to the Financial Statements continued for the year ended 30 September 2025

7 Finance costs

	2024	2025
	Restated *	Continuing operations
	£m	£m
Interest payable on bank loans and overdrafts	3.8	6.6
Interest expense on lease liabilities *	1.1	1.6
Total Finance costs	4.9	8.2

Comparatives have been restated to present Escode as a discontinued operation. Refer to Note 16 for further details.
The above finance costs relate entirely to liabilities not at fair value through profit or loss.

8 Taxation

Recognised in the Income Statement

	2024	2025
	Restated *
	£m	£m
Current tax expense
Current year/period	1.7	1.6
Overseas current tax for the year/period	2.5	6.0
Impact of prior period US R&D tax credits	(1.0)	(1.8)
Adjustments in respect of prior periods	1.0	(2.6)
Total current tax	4.2	3.2
Deferred tax expense
Origination and reversal of temporary differences	(0.9)	(1.2)
Impact of prior period US R&D tax credits	0.3	(0.2)
Adjustment to tax expense in respect of prior periods	(0.1)	3.2
Total deferred tax	(0.7)	1.8
Total tax expense	3.5	5.0

Tax (credit)/expense is attributable to:


Loss from continuing operations	(1.9)	1.6
Profit from discontinued operations	5.4	3.4
	3.5	5.0

Comparatives have been restated to present Escode as a discontinued operation. See Note 16 for further details.

Reconciliation of taxation

	2024	2025
	Restated *
	£m	£m
Loss before taxation from continuing operations	(11.0)	(65.6)
Profit before taxation from discontinued operations	31.6	38.1
	20.6	(27.5)
Current tax using the UK effective corporation tax rate of 25% (2024: 25%)	5.2	(6.9)
Effects of:
Items not deductible for tax purposes	1.7	5.0
Adjustment to tax charge in respect of prior periods	0.9	0.6
Impact of prior period US R&D tax credits	(0.7)	(2.0)
Impact of current year/period US R&D tax credits	(0.1)	0.3
Differences between overseas tax rates	0.2	(0.6)
Movements in temporary differences not recognised	(0.9)	8.6
Profit on disposal of Fox Crypto	(2.8)	—
Total tax expense	3.5	5.0

Comparatives have been restated to present Escode as a discontinued operation. See Note 16 for further details.

During the prior period, a deferred tax asset of £7.1m was generated in North America, which was derecognised. This reflected an assessment of the recoverability of the Group’s North American deferred tax assets, based on latest available forecasts and expectations of future taxable profits in the region. The decision not to recognise these assets was made in accordance with IAS 12 ‘Income Taxes’, which required that deferred tax assets be recognised only to the extent it is probable that sufficient taxable profits will be available to utilise the deductible temporary differences. As of 30 September 2024, the criteria for recognition were not met. This recognition criterion continued not to be met as at 30 September 2025, with no changes identified from the prior-period assessment during the year. The unrecognised deferred tax asset as at 30 September 2025 is £6.1m.

Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 129

8 Taxation continued

Reconciliation of taxation continued

As this prior period derecognition related to the historical performance of our North America Cyber Security business, where the recovery in demand was less consistent than expected, it was directly tied to the prior period goodwill impairment of £31.9m at 31 May 2024 (taken to ISIs; see Note 4). The Group included this adjustment as an adjusted item within the taxation line in the Income Statement. For reconciliation to statutory measures, please see page 53. No current year impact has been noted.

The UK government introduced legislation in the Finance Bill 2021 to increase the main rate of UK corporation tax from 19% to 25% with effect from 1 April 2023. The legislation was substantively enacted on 24 May 2021 and therefore UK deferred tax balances as at the Balance Sheet date are generally measured at a rate of 25%.

Tax uncertainties

The tax expense reported for the current year and prior period is affected by certain positions taken by management where there may be uncertainty. The most significant source of uncertainty arises from claims for US R&D tax credits relating to the current and previous periods. Uncertainty relates to the interpretation of US legislation applicable to periods where the statute of limitations has not expired. As at 30 September 2025, the gross cumulative amount of US R&D tax credits amounts to £9.0m (2024: £9.5m), of which a cumulative tax benefit has been recognised of £7.6m (2024: £6.7m). The unrecognised benefit is £1.4m (2024: £2.8m).

9 Dividends

Dividend policy

Dividends are the way the Company makes distributions from the Company’s distributable reserves to shareholders. The Board determines the dividend level at each half-year reporting period (i.e. 31 March and 30 September). If an interim or final dividend is declared, the Company pays the dividend approximately eight weeks after the results announcement. A dividend is paid for each share, with the amount received depending on the number of shares owned.

	2025	2024
	£m	£m
Dividends paid and recognised in the year/period	9.2	14.5
Dividends recognised but not paid in the year/period	—	9.8
Dividends per share paid and recognised in the year/period	3.0p	4.65p
Dividends per share recognised but not paid in the year/period	—	3.15p
Dividends per share proposed but not recognised in the year/period	3.15p	1.50p

An interim dividend of £9.8m for the period ended 30 September 2024 of 3.15p per ordinary share was paid on 1 October 2024. It was recognised in the prior period but not paid until the current financial year and was therefore included within non-trade payables as at 30 September 2024 (see Note 17).

The final dividend of £4.6m for the period ended 30 September 2024 of 1.50p per ordinary share was recommended by the Board on 5 December 2024 and was subsequently paid on 4 April 2025.

The interim dividend of £4.6m for the year ended 30 September 2025 of 1.50p per ordinary share was recommended by the Board on 19 June 2025 and was subsequently paid on 1 August 2025.

The proposed final dividend for the year ended 30 September 2025 of 3.15p per ordinary share was recommended by the Board on 8 December 2025 and will be paid on 10 April 2026 to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026. The dividend will be recommended to shareholders at the AGM on 3 March 2026. The dividend has not been included as a liability as at 30 September 2025.

10 (Loss)/earnings per ordinary share

	2025	2024
	£m	£m
Loss for the year/period from continuing operations	(9.1)	(67.2)
Profit for the year/period from discontinued operations	26.2	34.7
Profit/(loss) for the year/period attributable to owners of the Company	17.1	(32.5)

	Number	Number of shares
	2025	2024
	m	m
Weighted average number of shares in issue	314.8	313.3
Less: weighted average holdings by Group ESOT	(7.7)	(1.6)
Basic weighted average number of shares in issue	307.1	311.7
Dilutive effect of share options	5.2	1.5
Diluted weighted average shares in issue	312.3	313.2

NCC Group plc — Annual report and accounts for the year ended 30 September 2025130
Notes to the Financial Statements continued for the year ended 30 September 2025

10 (Loss)/earnings per ordinary share continued

For the purposes of calculating the dilutive effect of share options, the average market value is based on quoted market prices for the period during which the options are outstanding. Where losses have been reported in the current year or prior period, the diluted EPS does not include the dilutive effect of share options.# Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

11 Goodwill and intangible assets

Basic (loss)/earnings per ordinary share
From continuing operations attributable to the ordinary equity holders of the Company | (3.0) | (21.6)
From discontinued operations attributable to the ordinary equity holders of the Company | 8.5 | 11.1

Diluted (loss)/earnings per ordinary share
From continuing operations attributable to the ordinary equity holders of the Company | (3.0) | (21.6)
From discontinued operations attributable to the ordinary equity holders of the Company | 8.4 | 11.1

11 Goodwill and intangible assets

	Cost	£m
		June 2023	Additions	Disposals	Assets classified as held for sale	Effects of movements in exchange rates
At 1 June 2023	324.6	21.2	13.8	179.2	214.2	538.8
Additions	—	1.4	1.0	0.2	2.6	2.6
Disposals (see Note 31)	(5.9)	(0.6)	(9.9)	—	(10.5)	(16.4)
Assets classified as held for sale (Note 16)	(52.1)	—	(2.5)	—	(2.5)	(54.6)
Effects of movements in exchange rates	(9.4)	(0.2)	(0.1)	—	(9.4)	(9.7)
At 30 September 2024	257.2	21.8	2.3	170.0	194.1	451.3
Additions	—	0.4	—	—	0.4	0.4
Reclassification	—	(0.8)	0.2	0.6	—	—
Assets classified as held for sale (Note 16)	(110.2)	(3.8)	—	(95.1)	(98.9)	(209.1)
Effects of movements in exchange rates	—	—	0.6	1.0	1.6	1.6
At 30 September 2025	147.0	17.6	3.1	76.5	97.2	244.2

	Accumulated amortisation and impairment	£m
	June 2023	Charge for period	Impairment	Disposals	Assets classified as held for sale	Effects of movements in exchange rates
At 1 June 2023	(68.8)	(14.5)	(11.1)	(77.7)	(103.3)	(172.1)
Charge for period	—	(2.0)	(1.3)	(12.5)	(15.8)	(15.8)
Impairment	(31.9)	—	—	—	—	(31.9)
Disposals	—	—	8.8	—	8.8	8.8
Assets classified as held for sale (Note 16)	—	—	2.4	—	2.4	2.4
Effects of movements in exchange rates	—	—	0.1	2.9	3.0	3.0
At 30 September 2024	(100.7)	(16.5)	(1.1)	(87.3)	(104.9)	(205.6)
Charge for year	—	(1.4)	(0.7)	(8.1)	(10.2)	(10.2)
Assets classified as held for sale (Note 16)	—	1.8	—	21.0	22.8	22.8
Effects of movements in exchange rates	—	—	(0.4)	(0.9)	(1.3)	(1.3)
At 30 September 2025	(100.7)	(16.1)	(2.2)	(75.3)	(93.6)	(194.3)

	Net book value	£m
At 30 September 2024	156.5	5.3	1.2	82.7	89.2	245.7
At 30 September 2025	46.3	1.5	0.9	1.2	3.6	49.9

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

131 11 Goodwill and intangible assets continued

Cash generating units (CGUs)

Goodwill and intangible assets are allocated to CGUs in order to be assessed for potential impairment. CGUs are defined by accounting standards as the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs. The CGUs presented are consistent with the year ended 30 September 2024, with the exception of the Fox Crypto CGU, which was disposed of during the year (with associated goodwill of £52.1m classified as held for sale as at 30 September 2024). The CGUs and the allocation of goodwill to those CGUs are shown below:

Goodwill	Goodwill	£m
	2025	2024
Cash generating units – continuing operations
UK and APAC Cyber Security	44.3	44.3
North America Cyber Security	—	—
Europe Cyber Security	2.0	2.2
Total Cyber Security	46.3	46.5

The Escode division, which was classified as a discontinued operation during the year, includes the following CGUs and associated allocated goodwill:

Goodwill	Goodwill	£m
	2025	2024
Cash generating units – discontinued operations
UK Escode	22.8	22.8
North America Escode	80.0	80.1
Europe Escode	7.4	7.1
Total Escode	110.2	110.0

Impairment review

Goodwill is tested for impairment annually at the level of the CGU to which it is allocated. An impairment review was carried out at 30 September 2025. The recoverable amount of all CGUs was measured on a fair value less costs to sell basis. Capitalised development and software costs are included in the CGU asset bases when performing the impairment review. Capitalised development projects and software intangible assets are also considered, on an asset-by-asset basis, for impairment where there are indicators of impairment.

Fair value less costs to sell

The methodology described below has been applied consistently for the impairment reviews carried out as at 30 September 2024 and 30 September 2025. The recoverable amount of all CGUs has been determined on a fair value less costs to sell basis for the purposes of the impairment review. The valuation under FVLCTS is expected to exceed the valuation under VIU because uncommitted restructurings and resulting operating efficiencies are not considered within a VIU valuation in line with the requirements of IAS 36. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA ¹, and applying a reasonable market multiple on the calculated sustainable earnings. Estimated sustainable earnings have been determined taking into account a Board-approved forecast which considers past performance. The sustainable earnings used include expectations based on a market participant view of sustainable performance of the business based on market volatility and uncertainty as at the Balance Sheet date. The sustainable earnings input is a level 3 measurement; level 3 measurements are inputs which are normally unobservable to market participants. The Group incurs certain overhead costs in respect of support services provided centrally to the CGUs. Such support services include Finance, Human Resources, Legal, Information Technology and additional central management support in respect of stewardship and governance. In calculating sustainable earnings these overhead costs have been allocated to the CGUs based on the extent to which each CGU has benefited from the services provided. Commonly this is driven by time spent by the relevant central department in supporting the CGU, informed by headcount or where possible specific cost allocations have been made. The Adjusted EBITDA ¹ multiple used in the calculations is based on an independent third party assessment of the implied enterprise value of each CGU based on a population of comparable companies as at the Balance Sheet date. The estimated cost to sell was based on other recent transactions that the Group has undertaken.

Current year impairment

The Board assessed the recoverable amount of each CGU using fair value less costs to sell as at 30 September 2025, applying the methodology described above. In all cases, the recoverable amount exceeded the carrying amount, and no impairment losses have been recognised for the year ended 30 September 2025.

Current year sensitivity analysis – impairment

The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, based on Adjusted EBITDA¹, and applying a reasonable market multiple. The sustainable earnings figures include a key assumption regarding achieving forecast revenue within each CGU assessment. The Board has reviewed sensitivity analysis on the FVLCTS calculations for each CGU, considering reasonably possible changes in the key assumption of revenue. Assuming a 10% shortfall in forecast revenue (after factoring in controllable variable cost reductions and maintaining margins), no material impairment would arise.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

132 Notes to the Financial Statements continued

for the year ended 30 September 2025

11 Goodwill and intangible assets continued

Fair value less costs to sell continued

Prior period impairment

In the prior period the Board assessed the recoverable amount of the North America Cyber Security CGU based on its FVLCTS as at 31 May 2024 as described above. Based on that assessment, the carrying amount of this CGU exceeded its recoverable amount and therefore an impairment loss of £31.9m was recognised, reducing the value of goodwill allocated to this CGU to £nil. This impairment relates to our North America Cyber Security business, as the recovery in demand was less consistent than expected. This amount was recognised as an Individually Significant Item (see Note 4). The impairment charge recognised resulted in a reduction in the carrying value of goodwill only.

Prior period sensitivity analysis – impairment

The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA ¹, and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation include a key assumption regarding a sustainable gross margin percentage for the business. The table below shows the sensitivity of headroom to reasonably possible changes in the key assumptions, by reflecting the additional impairment that would have been required from a decrease in gross margin of 0.5 percentage points. This additional impairment would have been after the £31.9m impairment in the North America Cyber Security CGU during May 2024. As goodwill has been impaired to £nil, any further impairment would be applied to other assets allocated to the CGU.

Decrease in gross margin of 0.5 percentage points	CGU	£m
	North America Cyber Security	2.9

As the goodwill in the North America Cyber Security CGU was fully impaired as at 31 May 2024, no further sensitivity analysis was provided as at 30 September 2024. With the exception of the North America Cyber Security CGU, the Board did not identify any reasonably possible changes in the key assumptions that would cause the carrying values of the other CGUs to exceed their respective recoverable amounts at 30 September 2024.

Prior period goodwill reallocation

During June 2024, as part of the expected disposal of the Fox Crypto B.V. entity, the Group reorganised its reporting structure to separate out the Fox Crypto entity from the Europe Cyber Security CGU. On this basis the Europe Cyber Security goodwill was reallocated between the newly created Fox Crypto CGU and the remaining Europe Cyber Security CGU.Goodwill was reallocated based on relative values of the two CGUs, but having made adjustment to reflect that the Fox Crypto CGU is less asset intensive than the remaining Europe Cyber Security CGU. The value of each CGU was based on FVLCTS. For the Fox Crypto CGU, the FVLCTS was based on the expected consideration to be received on disposal (see Note 18 of the 2024 Annual Report and Accounts) of this business less estimated selling costs. For the remaining Europe Cyber Security CGU the fair value was calculated using a methodology consistent with that used in the goodwill impairment review and described above. Based on this assessment, goodwill of £51.9m was reallocated to the Fox Crypto CGU, leaving £2.2m as reallocated to the EU Cyber Security CGU. Goodwill reallocated to the Fox Crypto CGU was reclassified to assets held for sale (see Note 16). There was no change in the allocated goodwill following completion of the disposal in the current year.

Prior period sensitivity analysis – goodwill reallocation

The FVLCTS valuation of each standalone CGU was calculated by determining sustainable earnings, which were based on the Adjusted EBITDA¹, and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation included a key assumption regarding forecast revenue for the business. The table below shows the sensitivity of the goodwill reallocation to reasonably possible changes in the key assumptions, by reflecting the additional goodwill that would have been allocated to the Europe Cyber Security CGU from an increase in revenue of 5% with no increased costs. This additional goodwill would be after the allocation of £2.2m of goodwill to the Europe Cyber Security CGU.

CGU	5% increase in revenue £m
Europe Cyber Security	13.3

¹ Adjusted EBITDA is an Alternative Performance Measure (APM) and not an IFRS measure. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
133

12 Property, plant and equipment

	Fixtures, fittings and equipment	Assets under construction	Computer equipment	Total
£m	£m	£m	£m
Cost
At 1 June 2023	27.5	20.4	—	47.9
Additions	3.8	2.4	—	6.2
Disposals	(0.1)	(0.2)	—	(0.3)
Assets classified as held for sale (Note 16)	(1.1)	(1.2)	—	(2.3)
Movement in foreign exchange rates	(0.3)	(0.2)	—	(0.5)
At 30 September 2024	29.8	21.2	—	51.0
Additions	2.6	0.5	1.6	4.7
Disposals	—	(1.8)	—	(1.8)
Assets classified as held for sale (Note 16)	(1.1)	(0.2)	—	(1.3)
Movement in foreign exchange rates	(0.8)	—	—	(0.8)
At 30 September 2025	30.5	19.7	1.6	51.8
Accumulated depreciation
At 1 June 2023	(23.0)	(12.4)	—	(35.4)
Charge for period	(3.4)	(2.0)	—	(5.4)
Impairment	—	(0.4)	—	(0.4)
On disposals	0.1	0.1	—	0.2
Assets classified as held for sale (Note 16)	0.9	0.3	—	1.2
Movement in foreign exchange rates	0.2	0.2	—	0.4
At 30 September 2024	(25.2)	(14.2)	—	(39.4)
Charge for year	(2.7)	(1.6)	—	(4.3)
On disposals	—	0.6	—	0.6
Assets classified as held for sale (Note 16)	1.0	0.1	—	1.1
Movement in foreign exchange rates	0.6	0.1	—	0.7
At 30 September 2025	(26.3)	(15.0)	—	(41.3)
Net book value
At 30 September 2024	4.6	7.0	—	11.6
At 30 September 2025	4.2	4.7	1.6	10.5

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
134

Notes to the Financial Statements continued for the year ended 30 September 2025

13 Right-of-use assets

	Land and buildings	Motor vehicles	Total
£m	£m	£m
Cost
At 1 June 2023	36.3	6.0	42.3
Additions	5.2	4.2	9.4
Disposals	—	(1.7)	(1.7)
Impairment	(3.2)	—	(3.2)
Assets classified as held for sale	—	(0.4)	(0.4)
At 30 September 2024	38.3	8.1	46.4
Additions	4.7	1.8	6.5
Disposals	(1.4)	(2.0)	(3.4)
Impairment	(0.3)	—	(0.3)
Reversal of impairment	0.2	—	0.2
Assets classified as held for sale	(5.9)	(0.2)	(6.1)
At 30 September 2025	35.6	7.7	43.3
Accumulated depreciation
At 1 June 2023	(19.0)	(4.7)	(23.7)
Charge for period	(5.6)	(2.5)	(8.1)
Disposals	—	1.1	1.1
At 30 September 2024	(24.6)	(6.1)	(30.7)
Charge for year	(3.8)	(1.7)	(5.5)
Disposals	1.3	1.3	2.6
Assets classified as held for sale	3.9	0.2	4.1
At 30 September 2025	(23.2)	(6.3)	(29.5)
Net book value
At 30 September 2024	13.7	2.0	15.7
At 30 September 2025	12.4	1.4	13.8

14 Trade and other receivables

	Group	Group	Company	Company
£m	2025	2024	2025	2024
Current
Trade receivables	14.1	17.3	—	—
Prepayments	9.7	12.6	—	—
Contract costs – costs to obtain (see Note 21)	3.5	1.2	—	—
Contract costs – costs to fulfil (see Note 21)	3.5	—	—	—
Other receivables	1.0	1.1	—	—
Non-current
Amounts owed by Group undertakings	—	—	34.2	43.1
Total	31.8	32.2	34.2	43.1
Disclosed as follows:
Current assets	31.8	32.2	—	—
Non-current assets	—	—	34.2	43.1
	31.8	32.2	34.2	43.1

The carrying value of trade and other receivables classified at amortised cost approximates fair value. No material credit losses have been recognised in respect of amounts owed by Group undertakings (Parent Company only) in the period (2024: £nil). Amounts owed by Group undertakings in the Parent Company Balance Sheet have been disclosed as repayable after more than one year. Although these are repayable on demand, the disclosure as non-current is based on management’s expectation of the timing of repayment.

Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
135

14 Trade and other receivables continued

The ageing of trade receivables and other receivables at the end of the reporting year was:

	Expected credit losses	Expected credit losses	Gross	Net	Gross	Net
	2025	2024	2025	2025	2024	2024
Group £m			£m	£m	£m	£m
Trade receivables:
Not past due	10.5	13.8	10.5	13.8
Past due 0–30 days	2.1	2.1	2.1	2.1
Past due 31–90 days	0.9	0.7	0.9	0.7
Past due more than 90 days	1.3	2.3	0.6	0.7
	14.8	18.9	14.1	17.3
Other receivables:
Not past due	1.0	1.1	1.0	1.1
Total	15.8	20.0	15.1	18.4

* Prior period comparative ageing analysis has been restated following a review which identified that the 2024 analysis was prepared based on invoice date rather than due date. The Company had no trade receivables (2024: £nil). The standard period for credit sales varies from 30 days to 60 days. The Group assesses the creditworthiness of all trade debts on an ongoing basis providing for expected credit losses in line with IFRS 9. The Group has considered credit risk rating grades; these are based on the ageing categories above. New customers are subject to stringent credit checks.

The movement in the expected credit losses of trade and other receivables (being the credit losses recognised on financial assets, specifically trade receivables) is as follows:

	Expected credit loss provision £m
Balance at 1 June 2023	(2.0)
Provision utilised during the period	0.4
Balance at 30 September 2024	(1.6)
Transferred to assets held for sale	0.9
Balance at 30 September 2025	(0.7)

15 Deferred tax assets and liabilities (Group)

Deferred tax assets and liabilities on the Consolidated Balance Sheet are offset in accordance with IAS 12. A summary of this, offset with significant jurisdictions, is shown for the Group (including discontinued operations) below:

	UK	US	Netherlands	Total
2025	£m	£m	£m	£m
Asset/(liability)
Plant and equipment	—	—	0.2	0.2
Short-term temporary differences	0.4	6.3	—	6.7
IFRS 16 assets	—	—	0.1	0.1
Intangible assets	(0.6)	(6.3)	(0.5)	(7.4)
Share-based payments	1.2	—	—	1.2
Tax losses	—	—	—	—
Deferred tax asset/(liability)	1.0	—	(0.2)	0.8
Analysed as follows:
Non-current assets	1.0	—	—	1.0
Non-current liabilities	—	—	(0.2)	(0.2)

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
136

Notes to the Financial Statements continued for the year ended 30 September 2025

15 Deferred tax assets and liabilities (Group) continued

	UK	US	Netherlands	Total
2024	£m	£m	£m	£m
Asset/(liability)
Plant and equipment	—	—	0.3	0.3
Short-term temporary differences	0.5	3.1	—	3.6
Intangible assets	(0.8)	(3.1)	(0.8)	(4.7)
Share-based payments	0.9	—	—	0.9
Tax losses	—	—	—	—
Deferred tax asset/(liability)	0.6	—	(0.5)	0.1
Analysed as follows:
Non-current assets	0.6	—	—	0.6
Non-current liabilities	—	—	(0.5)	(0.5)

Movement in deferred tax during the year:

	Recognised in Income Statement £m	Exchange differences £m	Recognised in equity £m	Acquisition £m	30 September 2025 £m
2025
Plant and equipment	(0.1)	—	—	—	0.2
Short-term temporary differences	3.1	—	—	—	6.7
IFRS 16 assets	0.1	—	—	—	0.1
Intangible assets	(2.6)	(0.1)	—	—	(7.4)
Share-based payments	0.2	—	0.1	—	1.2
Total	0.7	(0.1)	0.1	—	0.8

	Recognised 1 June 2023 £m	Income Statement £m	Exchange differences £m	Recognised in equity £m	Acquisition £m	30 September 2024 £m
2024
Plant and equipment	0.2	0.1	—	—	—	0.3
Short-term temporary differences	9.1	(5.7)	0.2	—	—	3.6
IFRS 16 assets/(liabilities)	0.5	(0.5)	—	—	—	—
Intangible assets	(10.7)	5.8	0.2	—	—	(4.7)
Share-based payments	0.5	0.4	—	—	—	0.9
Tax losses	1.9	(1.9)	—	—	—	—
Total	1.5	(1.8)	0.4	—	—	0.1

In the year ended 30 September 2025 (as in the period ended 30 September 2024), the Group (including the Escode division) has not recognised a deferred tax asset in relation to tax losses (and certain other North American temporary differences) as management does not consider it probable that future taxable profits will be available against which they may be offset. The Group has not recognised a deferred tax asset on any element of £43.4m (2024: £19.9m) of tax losses carried forward in the United Kingdom (£8.2m), Denmark (£4.2m), Australia (£5.4m), Japan (£0.2m) and United States state taxes (£25.4m) due to current uncertainties over their future recoverability (and in the case of certain United Kingdom/United States losses because of specific legislative restrictions).# Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 137

16 Discontinued operations and assets and liabilities held for sale

Current year – Escode

In February 2023, the Group announced the commencement of a strategic review of its Escode business and other core and non-core assets. The review of the Escode business was subsequently stopped in June 2023. During the year ended 30 September 2025, the Group confirmed that it was exploring a number of options for its Escode business, including a potential sale. The Group initiated an active programme to locate a buyer for Escode during the year. On this basis, as at 30 September 2025, the sale of Escode was considered highly probable and therefore the associated assets and liabilities were reclassified as held for sale as at 30 September 2025. As the conditions for classification as “held for sale” were met, and given that Escode represents a separate major line of business within the Group, it is presented as a discontinued operation. The financial performance and cash flow information relating to discontinued operations for the year ended 30 September 2025, including comparative figures, is presented below.

Year ended 30 September 2025	16 month period ended 30 September 2024
£m	£m
Discontinued operations
Revenue (Note 3)	66.5
Cost of sales	(19.0)
Gross profit	47.5
Administrative expenses
Individually Significant Items	—
Depreciation and amortisation	(6.0)
Other administrative expenses	(9.8)
Total administrative expenses	(15.8)
Operating profit	31.7
Finance costs	(0.1)
Profit before taxation	31.6
Tax expense (Note 8)	(5.4)
Profit for the year/period from discontinued operations	26.2
Exchange differences on translation of discontinued operations	(0.1)
Other comprehensive income from discontinued operations	26.1
Net cash inflow from operating activities	39.6
Net cash outflow from investing activities	(0.3)
Net cash outflow from financing activities	(37.4)
Net increase/(decrease) in cash generated by the discontinued operations	1.9

	£m
	87.4
	(26.7)
	60.7

	(0.1)
	(7.7)
	(14.7)
	(22.5)
	38.2
	(0.1)
	3 8 .1
	(3.4)
	34.7
	(10.2)
	24.5
	37.0
	(1.6)
	(37. 0)
	(1.6)

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 138

Notes to the Financial Statements continued for the year ended 30 September 2025

16 Discontinued operations and assets and liabilities held for sale continued

Current year – Escode continued

The following assets and liabilities were reclassified as held for sale in relation to discontinued operations as at 30 September 2025:

30 September 2025	£m
Assets classified as held for sale:
Goodwill	110.
Intangible fixed assets	76.1
Tangible fixed assets	0.2
Right-of-use assets	2.0
Trade and other receivables	5.1
Cash and cash equivalents	3.9
Contract assets	0.5
Total assets classified as held for sale	198.0
Liabilities associated with assets classified as held for sale:
Lease liabilities	(3.0)
Trade and other payables	(6.2)
Provisions	(0.3)
Deferred revenue	(24.7)
Current tax liability	(5.6)
Total liabilities associated with assets classified as held for sale	(39.8)

Prior period – Fox Crypto B.V.

On 1 August 2024, the Group announced the disposal of Fox Crypto B.V. for an initial expected gross consideration of €77.3m to CR Group Nordic AB. As at 30 September 2024, the disposal was yet to be finalised; however, the sale of this business was considered highly probable and, accordingly, Fox Crypto’s assets and liabilities were reclassified as held for sale as at 30 September 2024. Fox Crypto B.V. did not meet the definition of discontinued operations. On 28 March 2025, the Group completed the disposal of its entire 100% interest in Fox Crypto, a foreign operation, for total cash consideration of £65.6m. Following completion, all assets and liabilities held for sale were derecognised. The Group did not retain any interest in Fox Crypto, and no contingent consideration was recognised. For further details on the disposal see Note 31.

The table below sets out the assets held for sale balances as at 30 September 2024:

30 September 2024	£m
Assets classified as held for sale:
Goodwill	51.9
Intangible fixed assets	0.1
Right-of-use assets	0.4
Property, plant and equipment	1.1
Inventories	0.6
Trade and other receivables	4.3
Contract assets	3.1
Total assets classified as held for sale	61.5
Liabilities associated with assets classified as held for sale:
Trade and other payables	(1.4)
Deferred revenue	(3 .1)
Lease liabilities	(0.4)
Provisions	(0.8)
Total liabilities associated with assets classified as held for sale	(5.7)

Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 139

17 Trade and other payables

	Group	Group	Company	Company
	2025	2024	2025	2024
	£m	£m	£m	£m
Trade payables	4.6	4.6	—	—
Non-trade payables	5.5	17.5	—	9.8
Accruals	33.0	24.7	—	—
Amounts owed to Group companies	—	—	—	0.1
Total	43.1	46.8	—	9.9

The carrying value of trade and other payables classified as financial liabilities measured at amortised cost approximates fair value.

18 Lease liabilities

	Land and buildings	Motor vehicles	Total
	£m	£m	£m
At 1 June 2023	26.3	3.7	30.0
Additions	4.7	4.2	8.9
Disposals	—	(0.7)	(0.7)
Lease payments	(9.2)	(2.7)	(11.9)
Interest expense	1.3	0.4	1.7
Liabilities classified as held for sale	—	(0.4)	(0.4)
At 30 September 2024	23 .1	4.5	27.6
Additions	2.9	1.6	4.5
Disposals	(2.3)	(0.5)	(2.8)
Lease payments	(5.8)	(2.1)	(7.9)
Interest expense	0.9	0.2	1.1
Liabilities classified as held for sale	(3.0)	—	(3.0)
At 30 September 2025	15.8	3.7	19.5

Analysed as follows:

	2025	2024
	£m	£m
Current	4.1	5.7
Non-current	15.4	21.9

The maturity of lease liabilities is as follows:

	2025	2024
	£m	£m
Less than one year	4.1	5.7
Two to five years	11.0	16 .1
More than five years	4.4	5.8
Total lease liabilities	19.5	27.6

The total cash outflow for leases in the year was £7.9m (2024: £11.9m), which consists of £6.8m (2024: £10.2m) principal element of lease payments disclosed above, £1.1m (2024: £1.7m) interest element of lease payments and £nil (2024: £nil) lease payments charged to the Income Statement in respect of short-term leases. The Group has used its incremental borrowing rate of 6.53% (2024: 6.35%) as the discount rate for the calculation of the lease liabilities. Some leases contain break clauses or extension options to provide operational flexibility. Potential future undiscounted lease payments not included in the reasonably certain lease term, and hence not included in lease liabilities, total £1.2m (2024: £4.6m).

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 140

Notes to the Financial Statements continued for the year ended 30 September 2025

19 Provisions

	Onerous property costs	Loss-making contracts	Other provisions	Total
	£m	£m	£m	£m
Balance at 1 June 2023	1.0	1.4	0.3	2.7
Provisions created in the period	0.3	3.0	0.1	3.4
Provisions released during the period	—	(0.2)	—	(0.2)
Provisions utilised during the period	(0.5)	(1.0)	(0.3)	(1.8)
Transferred to assets held for sale	(0.8)	—	—	(0.8)
Balance at 30 September 2024	—	3.2	0.1	3.3
Provisions created in the year	—	1.3	—	1.3
Provisions released during the year	—	(1.2)	—	(1.2)
Provisions utilised during the year	—	(0.8)	(0.1)	(0.9)
Transferred to assets held for sale	—	(0.3)	—	(0.3)
Balance at 30 September 2025	—	2.2	—	2.2

Analysed as follows (2025):

	Current	Non-current
	£m	£m
	—	0.3

Analysed as follows (2024):

	Current	Non-current
	£m	£m
	—	1.3

The onerous property costs provision relates to unused and closed office spaces within the Group’s property portfolio. The onerous property provision of £2.2m (2024: £3.2m) at 30 September 2025 includes £0.5m (2024: £2.0m) of non-rental costs relating to the onerous properties including service charges and insurance, as well as the estimated costs of disposing of or terminating these leases, which includes rent incentives and letting fees. The provision at 30 September 2025 also includes estimated dilapidations liabilities of £1.7m (2024: £1.2m) relating to the Group’s leased premises. Both of these provisions are expected to unwind over the period of the relevant leases (2026–2035). Other provisions are £nil in the year ended 30 September 2025 (2024: £0.1m). These comprised accrued redundancy costs relating to the implementation of the reorganisation to which the Group was committed as of 30 September 2024. These costs were settled within the year ended 30 September 2025.

20 Contract liabilities – deferred revenue

Deferred revenue represents advanced consideration received from customers, for which revenue is recognised over time.# Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 141

21 Contract assets

The following table provides information about receivables and contract assets from contracts with customers.

Group		Group
2025	2024	2025	2024
£m	£m	£m	£m
Receivables, which are included in trade and other receivables	14	14.1	17.
Contract assets – accrued income	19.4	2	0.1
Contract costs – costs to fulfil	14	3.5	—
Contract costs – costs to obtain	14	3.5	1.2

The Group has recognised £19.4m of contract assets (2024: £20.1m). All contract assets for the current year and the comparative period are presented within current assets. The ageing of contract assets at the end of the reporting year was:

Group	Expected Gross credit losses	Expected Net	Gross credit losses	Net
2025	2025	2025	2024	2024
£m	£m	£m	£m	£m
Contract assets:
Not past due	20.1	(0.7)	19.4	21.1
Total	20.1	(0.7)	19.4	21.1

The movement in the expected credit losses of contract assets (being the credit losses recognised on financial assets, specifically contract assets) is as follows:

Expected credit loss provision £m

Balance at 1 June 2023 (0.2)
Charged to the Income Statement (0.8)
Balance at 30 September 2024 (1.0)
Provision utilised during the year 0.3
Balance at 30 September 2025 (0.7)

Accrued income of £19.4m (2024: £20.1m) is the Group’s rights to consideration for work completed but not billed at the reporting date. The contract assets accrued in the prior year of £20.1m were fully recognised as trade receivables during the year ended 30 September 2025. Therefore, the balances as at 30 September 2025 were fully accrued during the year and will be transferred to receivables when the rights become unconditional. Expected credit losses of £0.7m (2024: £1.0m) have been recognised in respect of contract assets. The contract assets are transferred to receivables when the rights become unconditional. This usually occurs when the Group issues an invoice to the customer. Invoices usually become payable within 30 days. The contract costs to obtain of £3.5m (2024: £1.2m) represent incremental sales commissions to obtain specific contracts and are amortised over the length of the contract. Contract costs comprise (i) incremental costs of obtaining contracts of £3.5m (2024: £1.2m), which are expected to be recovered through future revenue, and (ii) costs to fulfil contracts of £3.5m (2024: £nil), which relate directly to future performance obligations and are expected to be recovered.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 142

Notes to the Financial Statements continued for the year ended 30 September 2025

22 Cash and cash equivalents and borrowings

Cash and cash equivalents

	Group		Company
	2025	2024	2025	2024
	£m	£m	£m	£m
Cash and cash equivalents	12.5	29.8	—	9.8
Bank overdraft	—	(13.6)	—	—
Total cash at bank and in hand	12.5	16.2	—	9.8

Borrowings are analysed as follows:

	Group		Group		Company		Company
	2025	2024	2025	2024	2025	2024	2025	2024
	Maturity	£m	£m	£m	£m	£m	£m	£m
Non-current liabilities
Revolving credit facility	2029	3.3	61.5	—	—	—	—	—
Total borrowings		3.3	61.5	—	—	—	—	—

The maturity profile is as follows:

	Group		Group		Company		Company
	2025	2024	2025	2024	2025	2024	2025	2024
	£m	£m	£m	£m	£m	£m	£m	£m
Two to five years	3.3	61.5	—	—

The RCF is drawn in short to medium-term tranches of debt that are repayable within 12 months of drawdown. These tranches can be rolled over, provided certain conditions are met, including compliance with all loan terms. As at the year end, the Group has assessed its compliance with these conditions and considers it highly likely that it will continue to meet all requirements and be able to exercise its right to roll over the debt. The Directors believe the Group has both the ability and intent to roll over the drawn RCF amounts when due and, accordingly, have presented the RCF as a non-current liability in line with applicable IFRIC guidance. In April 2025, the Group entered into a four year £120m multi-currency revolving credit facility replacing the previous £162.5m multi-currency revolving credit facility. Key terms of the facility are:

A £120m multi-currency revolving credit facility maturing in April 2029.
An additional £50m uncommitted accordion option, subject to bank approval.
In line with the previous facility, a net leverage covenant of 3.0x with an additional acquisition spike to 3.5x for up to 12 months of the date of any acquisition.
The bank margin is payable on a ratchet mechanism, with a margin payable above SONIA and SOFR in the range of 1.35% to 2.35% (previously 1.00% to 2.25%) depending on the level of the Group’s leverage. The weighted average interest rate is 6.16% for the year ended 30 September 2025 (2024: 6.21%).
At the date of refinancing, unamortised arrangement fees relating to the previous RCF remained outstanding as the facility was refinanced before the end of its original term. The refinancing did not result in a substantial modification under IFRS 9. Accordingly, arrangement fees from the previous refinancing in December 2022 have been carried forward and are being amortised over the life of the new RCF term (four years to April 2029), together with new arrangement fees of £1.1m incurred directly with the lenders on refinancing.
Certain subsidiaries of the Group act as guarantors to the new facility to provide coverage based on aggregate Adjusted EBITDA¹ and gross assets.

As at 30 September 2025, the Group had committed bank facilities of £120m (2024: £162.5m), of which £5.2m (2024: £62.4m) had been drawn, leaving £114.8m (2024: £100.1m) of undrawn facilities. Unamortised arrangement fees of £1.9m (2024: £0.9m) have been offset against the amounts drawn down, resulting in a carrying value of borrowings at 30 September 2025 of £3.3m (2024: £61.5m). The fair value of borrowings is not materially different to its amortised cost.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 143

Notes to the Financial Statements continued

23 Financial instruments

Loans and borrowings

	Group		Group		Company		Company
	2025	2024	2025	2024	2025	2024	2025	2024
	£m	£m	£m	£m	£m	£m	£m	£m
Non-current
Variable rate:
Revolving credit facility	(3.3)	(61.5)			—	—
Total loans and borrowings (excluding lease liabilities)	(3.3)	(61.5)			—	—
Current
Cash	12.5	29.8			—	9.8
Bank overdraft	—	(13.6)			—	—
Net cash/(debt)¹	9.2	(45.3)			—	9.8
Non-current Lease liabilities	(15.4)	(21.9)			—	—
Current Lease liabilities	(4.1)	(5.7)			—	—
Net (debt)/cash¹	(10.3)	(72.9)			—	9.8

Lease liabilities of £3.0m classified as held for sale in Note 16 have been excluded from the net debt calculation.

¹ Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

Reconciliation of movements in liabilities to cash flows arising from financing activities

	2025	2024
Group	£m	£m
Revolving credit facility/bank term loan:
Drawdown on facility	21.1	57.8
Repayment of facility	(80.3)	(75.0)
Release of deferred arrangement fees	0.2	0.6
Foreign exchange movement	0.8	(3.8)
Movement in borrowings	(58.2)	(20.4)
IFRS 16 lease liability:
New leases entered into	4.5	8.9
Disposals	(2.8)	(0.7)
Principal element of lease payments	(6.8)	(10.2)
Lease liabilities held for sale (see Note 16)	(3.0)	(0.4)
Movement in lease liabilities	(8.1)	(2.4)

Financial risk management

The Group has exposure to the following risks from its use of financial instruments:

Credit risk
Liquidity risk
Currency risk
Interest rate risk

The Board has overall responsibility for establishing appropriate management of exposure to risk. The Audit Committee oversees how management identifies and addresses risks to the Group.

Capital management

The Board’s policy is to maintain a strong capital base so as to maintain investor, creditor and market confidence and to sustain future development of the business. The Group monitors capital on the basis of the gearing ratio. This ratio is calculated as net cash/(debt)² divided by total capital. Net cash/(debt)¹ is calculated as total borrowings as shown in the Consolidated Balance Sheet, less cash and cash equivalents. Total capital is calculated as equity, as shown in the Consolidated Balance Sheet, plus net debt¹. As at 30 September 2025 the Group’s gearing ratio was nil (2024: 17.8%).

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 144

Notes to the Financial Statements continued

23 Financial instruments continued

Financial instruments policy

All instruments utilised by the Company and Group are for financing purposes.# 23 Financial instruments

The financial management and treasury activities of the Group are controlled centrally for all operations with local finance teams responsible for day-to-day banking activities.

Fair value of financial instruments

As at 30 September 2025, the Group and Company had no other financial instruments other than those disclosed below. In addition, no embedded derivatives have been identified. There have been no transfers between levels in the year.

The following table presents the Group’s financial assets and liabilities that are measured at fair value by level of fair value hierarchy:

Quoted prices (unadjusted) in active markets for identical assets or liabilities (level 1)
Inputs other than quoted prices included within level 1 that are observable for the asset or liability, either directly (that is, as prices) or indirectly (that is, derived from prices) (level 2)
Inputs for the asset or liability that are not based on observable market data (unobservable inputs) (level 3)

Borrowings are held at amortised cost, which is considered to equate to fair value. All other assets and liabilities are held at either fair value or their carrying value, which approximates to fair value.

	Level 1	Level 2	Level 3	Level 1	Level 2	Level 3
	£m	£m	£m	£m	£m	£m
2025
Financial liabilities at fair value through profit or loss	—	—	—	—	0.8	—
Financial assets at fair value through profit or loss	—	0.9	—	—	—	—
Total financial asset/liabilities	—	0.9	—	—	0.8	—
2024

At 30 September 2025, the Group holds derivatives (financial assets) with a mark to market valuation of £0.9m (2024 financial liabilities: £0.8m) to mitigate currency risk, as described in Note 23.

Credit risk

Credit risk is the risk of financial loss to the Group if a customer or counterparty to a financial instrument fails to meet its contractual obligations and arises principally from the Group’s receivables from customers. The Group’s exposure to credit risk is influenced mainly by the individual characteristics of each customer.

Exposure to credit risk

The carrying value of financial assets represents the maximum credit exposure. The maximum exposure to credit risk at the reporting date was:

	Group 2025	Group 2024	Company 2025	Company 2024
	£m	£m	£m	£m
Trade receivables	14.1	17.3	—	—
Other receivables	1.0	1.1	—	—
Amounts owed by Group undertakings	—	—	34.2	43.1
Contract assets	19.4	20.1	—	—
Cash and cash equivalents	12.5	29.8	—	9.8
Total	47.0	68.3	34.2	52.9

The maximum exposure to credit risk for trade receivables and other receivables at the reporting date by geographic region was:

	Group 2025	Group 2024	Company 2025	Company 2024
	£m	£m	£m	£m
Trade and other receivables by geographical segment
UK	6.8	8.0	—	—
APAC	0.7	1.1	—	—
North America	5.1	4.9	—	—
Europe	2.5	4.4	—	—
Total	15.1	18.4	—	—

The maximum exposure to credit risk for trade and other receivables at the reporting date by business segment was:

	Group 2025	Group 2024	Company 2025	Company 2024
	£m	£m	£m	£m
Trade and other receivables by business segment
Cyber Security	14.8	15.7	—	—
Escode	—	2.5	—	—
Central and head office	0.3	0.2	—	—
Total	15.1	18.4	—	—

The trade receivables of the Group typically comprise many amounts due from a large number of customers and represent a spread of industry sectors. The largest amount due from a single customer at the reporting date represented 3.0% (2024: 2.5%) of total Group receivables. All of the Group’s cash is held with financial institutions of high credit rating. The provisions in respect of trade receivables are used to record expected credit losses. The Group has dedicated credit control teams, which regularly review customer debt balances to assess the risk of recovery.

Liquidity risk

Liquidity risk is the risk that the Group will not be able to meet its financial obligations as they fall due. The Group manages and minimises liquidity risk by using global cash management solutions and actively monitoring both actual and projected cash outflows to ensure that it will have sufficient liquidity to meet its liabilities when due and have headroom to provide against unforeseen obligations. Longer term, the Group has assessed its liquidity forecast as part of the viability assessment and its ability to continue trading as a going concern. For further detail on the Group’s assessment of liquidity risk refer to the Viability Statement on pages 38 and 39.

The following are the undiscounted contractual maturities of financial liabilities, including interest payments, of the Group:

At 30 September 2025

	Carrying amount	Contractual cash flows	<1 year	1–2 years	2–5 years	5+ years
	£m	£m	£m	£m	£m	£m
Borrowings	(3.3)	(6.1)	(0.3)	(0.3)	(5.5)	—
Lease liabilities	(19.5)	(16.7)	(3.3)	(3.7)	(5.7)	(4.0)
Trade and other payables	(43.1)	(43.1)	(43.1)	—	—	—

At 30 September 2024

	Carrying amount	Contractual cash flows	<1 year	1–2 years	2–5 years	5+ years
	£m	£m	£m	£m	£m	£m
Borrowings	(61.5)	(73.9)	(3.8)	(3.8)	(66.3)	—
Bank overdraft	(13.6)	(13.6)	(13.6)	—	—	—
Lease liabilities	(27.6)	(32.5)	(8.0)	(6.6)	(13.6)	(4.3)
Trade and other payables	(46.8)	(46.8)	(46.8)	—	—	—

The contractual cash flows for borrowings disclosed above relate to the Group’s RCF for the year ended 30 September 2025, which expires in April 2029, and in the prior year includes the Term Loan Facility Agreement that was due to expire in December 2026. The contractual cash flows include an estimate of the interest payable based on the assumption that the borrowings remain drawn based upon 30 September 2025 levels, except that the term loan which existed at 30 September 2024 is repayable over its term. Interest is calculated based on SONIA/SOFR plus a margin based on the current leverage ratio.

Currency risk

The Group is exposed to currency risk on sales, purchases, cash and borrowings that are denominated in a currency other than the respective functional and presentational currency of the Group. The Group’s management reviews the size and probable timing of settlement of all financial assets and liabilities denominated in foreign currencies.

The Group’s exposure to currency risk is as follows:

	Sterling 2025	EUR 2025	USD 2025	Other 2025	Total 2025	Sterling 2024	EUR 2024	USD 2024	Other 2024	Total 2024
	£m	£m	£m	£m	£m	£m	£m	£m	£m	£m
Trade receivables	8.4	2.9	1.9	0.9	14.1	7.6	2.0	7.4	0.3	17.3
Other receivables	1.0	—	—	—	1.0	1.1	—	—	—	1.1
Contract assets	7.8	3.8	6.1	1.7	19.4	7.9	3.4	6.5	2.3	20.1
Cash and cash equivalents	2.7	3.5	4.3	2.0	12.5	18.0	4.1	4.5	3.2	29.8
Bank overdraft	—	—	—	—	—	(11.9)	—	(1.7)	—	(13.6)
Borrowings	1.9	—	(5.2)	—	(3.3)	(19.0)	—	(42.5)	—	(61.5)
Lease liabilities	(9.7)	(3.8)	(3.0)	(3.0)	(19.5)	(16.0)	(3.2)	(4.9)	(3.5)	(27.6)
Trade and other payables	(28.7)	(5.6)	(6.2)	(2.6)	(43.1)	(32.7)	(3.9)	(7.6)	(2.6)	(46.8)
Total	(16.6)	0.8	(2.1)	(1.0)	(18.9)	(45.0)	2.4	(38.3)	(0.3)	(81.2)

The £1.9m of borrowings denominated in sterling relates to unamortised arrangement fees. A 10% change in each of the respective exchange rates utilised during the year would impact revenue by £17.0m (2024: £23.6m) and borrowings by £0.5m (2024: £4.3m), either increasing or decreasing each by the stated amounts. The Group’s risk management policy is to hedge foreign currency exposure in respect of significant material transactions that may arise from time to time. No material hedges were in place at 30 September 2025 or at 30 September 2024.

In order to manage shorter-term currency risk, the Group enters into short-term derivative arrangements. The Group designates the spot element of forward foreign exchange contracts to hedge its currency risk and applies a hedge ratio of 1:1. The forward elements of forward exchange contracts are excluded from the designation of the hedging instrument and are separately accounted for as a cost of hedging, which is recognised in equity in a cost of hedging reserve. The Group’s policy is for the critical terms of the forward exchange contracts to align with the hedged item. The Group determines the existence of an economic relationship between the hedging instrument and hedged item based on the currency, amount and timing of their respective cash flows. Given the short-term nature of these hedges there is limited risk of ineffectiveness.

Interest rate risk

The Group and Company finance their operations through a combination of retained profits and bank borrowings. The Group borrows and invests surplus cash at floating rates of interest based upon bank base rate.

The cash and cash equivalents of the Group and Company at the end of the financial year were as follows:

	Group 2025	Group 2024
	£m	£m
Sterling denominated financial assets	2.7	18.0
Euro denominated financial assets	3.5	4.1
US Dollar denominated financial assets	4.3	4.5
Other denominated financial assets	2.0	3.2
Total	12.5	29.8

The financial assets and liabilities of the Company at the end of the financial year were as follows:

	Company 2025	Company 2024
	£m	£m
Financial assets
Sterling denominated financial assets	—	9.8
Amounts owed by Group undertakings	34.2	43.1
Total	34.2	52.9
Financial liabilities
Sterling denominated financial liabilities	—	9.8
Amounts owed to Group undertakings	—	0.1
Total	—	9.9

A change of 100 basis points in interest rates would result in a difference in annual pre-tax profit of £nil (2024: £0.6m).

The financial liabilities of the Group (trade and other payables, borrowings and lease liabilities) and their maturity profile are as follows:

	Sterling £m	EUR £m	USD £m	Other £m	Total £m
2025
Less than one year	(30.4)	(6.3)	(7.3)	(3.2)	(47.2)
2024
Less than one year	(32.7)	(3.9)	(7.6)	(2.6)	(46.8)

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

147

24 Share-based payments

The Company has a number of share option schemes under which options to subscribe for the Company’s shares have been granted to Directors and colleagues, details of which are illustrated in the tables below. Expected term of options represents the period over which the fair value calculations are based. The share-based payment charge for the year was £2.1m (2024: £2.3m), of which £2.1m (2024: £2.3m) related to equity settled payments and £nil (2024: £nil) to cash settled payments.

Company Share Option (CSOP) scheme – equity settled

Under the CSOP scheme, options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. Options granted in September 2019 do not have any performance criteria.

2025
Date of grant	Expected term of options	Exercisable between	Exercise price	Number outstanding
August 2018	7 years	August 2021–August 2028	£2.20	—
September 2019	7 years	September 2022–September 2029	£1.79	10,6136

Sharesave schemes – equity settled

The Company operates Sharesave schemes, which are available to all colleagues based in the UK, the Netherlands, Denmark, the Philippines, Spain and Australia, and full-time Executive Directors of the Group and its subsidiaries who have worked for a qualifying period.

2025
Date of grant	Expected term of options	Exercisable between	Exercise price	Number outstanding
May 2021	3 years	May 2024–October 2024	£2.15	—
May 2021	3 years	May 2024–October 2024	£2.15	—
May 2022	3 years	May 2025–October 2025	£1.52	98,445
May 2022	3 years	May 2025–October 2025	£1.52	227,288
May 2023	3 years	June 2026–November 2026	£1.26	99,093
May 2023	3 years	June 2026–November 2026	£1.26	273,269
May 2024	3 years	June 2027–November 2027	£0.99	264,400
May 2024	3 years	June 2027–November 2027	£0.99	1,306,128
July 2025	3 years	August 2028–January 2029	£1.14	168,854
July 2025	3 years	August 2028–January 2029	£1.14	623,723

Colleague stock (ESPP) purchase plan – equity settled

The Company operates a stock purchase plan, which is available to all North American-based colleagues who have worked for a qualifying period. All options are to be settled by equity. Under the scheme the following options have been granted and are outstanding at the year end.

2025
Date of grant	Expected term of options	Exercisable in	Exercise price	Number outstanding
May 2024	1 year	May 2025	£1.09	—
July 2025	1 year	July 2026	£1.23	61,478

Incentive Stock Option (ISO) scheme – equity settled

Under the ISO scheme, options granted will be subject to performance criteria. Options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. Options granted in September 2019 do not have any performance criteria.

2025
Date of grant	Expected term of options	Exercisable between	Exercise price	Number outstanding
September 2019	7 years	September 2022–September 2029	£1.82	16,482

Long Term Incentive Plan (LTIP) schemes – equity settled

Options granted between November 2017 and May 2021 have three separate vesting conditions as set out below:

60% will vest based on achieving an average increase in Group EPS of 20% or more over a three year period. If growth is equal to an average of 9% (threshold), then 12% of the award will vest. If, however, growth is less than 9%, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
30% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion 1 is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

148 Notes to the Financial Statements continued for the year ended 30 September 2025

24 Share-based payments continued

Long Term Incentive Plan (LTIP) schemes – equity settled continued

Options granted in November 2021 have three separate vesting conditions as set out below:

60% will vest based on achieving an average increase in Group EPS of 22.5% or more over a three year period. If growth is equal to an average of 9% (threshold), then 15% of the award will vest. If, however, growth is less than 9% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
30% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion 1 is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.

Options granted between October 2022 and November 2022 have three separate vesting conditions as set out below:

60% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
20% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.

Options granted between October 2023 and February 2024 have three separate vesting conditions as set out below:

40% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
40% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.

Options granted during or after June 2024 have three separate vesting conditions as set out below:

30% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
50% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts).If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.

2025 Expected term

Date of grant	of options	Exercisable between	Exercise price	Number outstanding
March 2020	3 years	June 2022–August 2024	£nil	—
May 2021	3 years	June 2023–August 2025	£nil	—
November 2021	3 years	June 2024–November 2031	£nil	—
October 2022	3 years	October 2025–October 2032	£nil	677,916
November 2022	3 years	November 2025–November 2032	£nil	—
October 2023	3 years	October 2026–October 2033	£nil	1,606,795
February 2024	3 years	February 2027–February 2034	£nil	65,412
June 2024	3 years	October 2027–June 2034	£nil	2,839,374
January 2025	3 years	January 2028–January 2035	£nil	78,185

1 Cash conversion is an Alternative Performance Measure (APM) and not an IFRS measure. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 149

24 Share-based payments continued

Restricted Share Plan (RSP) – equity settled

The vesting condition for the award of RSPs relates to colleagues remaining with the Group for a certain period of time, namely two years to receive 50% of the award, and a further year to receive the remaining 50%. There are no other performance conditions.

2025 Expected term

Date of grant	of options	Exercisable	Exercise price	Number outstanding
May 2021	2/3 years	50% exercisable August 2022 to August 2031, 50% exercisable August 2023 to August 2031	£nil (£0.01 in the US and Canada)	16,500
November 2021	2/3 years	50% exercisable October 2023 to August 2032, 50% exercisable October 2024 to August 2032	£nil (£0.01 in the US and Canada)	52,950
October 2022	2/3 years	50% exercisable October 2024 to October 2032, 50% exercisable October 2025 to October 2032	£nil (£0.01 in the US and Canada)	197,776
November 2022	2/3 years	50% exercisable November 2024 to November 2032, 50% exercisable November 2025 to November 2032	£nil (£0.01 in the US and Canada)	—
October 2023	2/3 years	50% exercisable September 2025 to September 2033, 50% exercisable September 2026 to September 2033	£nil (£0.01 in the US and Canada)	1,128,278
February 2024	2/3 years	50% exercisable February 2026 to February 2034, 50% exercisable February 2027 to February 2034	£nil (£0.01 in the US and Canada)	42,636
January 2025	2/3 years	50% exercisable January 2027 to February 2035, 50% exercisable January 2028 to February 2035	£nil (£0.01 in the US and Canada)	1,647,182
July 2025	2/3 years	50% exercisable July 2027 to July 2035, 50% exercisable July 2028 to July 2035	£nil (£0.01 in the US and Canada)	145,132

Deferred share scheme – equity settled

At least 35% of any cash bonus payment is normally deferred into shares or nominal cost share options which vest after a two year period. Dividend equivalents are paid on vesting share options. From January 2025, 35% of any bonus payment earned in excess of £50,000 (the first £50,000 of any bonus will be paid in cash before any bonus deferral) is normally deferred into shares or nominal cost share options which vest after a two year period.

2025 Expected term

Date of grant	of options	Exercisable price	Number outstanding
October 2022	2 years	October 2024	£nil
October 2023	2 years	October 2025	£nil
August 2024	2 years	August 2026	£nil
December 2024	2 years	December 2026	£nil

Phantom schemes – cash settled

Phantom schemes are used to allow the grant of LTIPs or RSPs to members of the Executive Committee or other senior colleagues based in certain overseas locations at a time when the Group’s option scheme rules are not structured to allow overseas grants. Options granted on or after September 2019 do not have any performance criteria.

2025 Expected term

Date of grant	of options	Exercisable between	Exercise price	Number outstanding
July 2021	3 years	August 2022–July 2031	£nil	—
November 2021	3 years	October 2023–November 2031	£nil	—
January 2025	3 years	February 2026–November 2035	£nil	9,776

Measurement of fair values

The fair value of services received in return for share options is calculated with reference to the fair value of the award on the date of grant. The fair value is spread over the period during which the colleague becomes unconditionally entitled to the award, adjusted to reflect actual and expected levels of vesting. The assumptions used in the models are illustrated in the tables below:

Scheme	Grant date	expected term	Risk free interest rate
CSOP scheme	August 2018–September 2019	7 years	0.35%–2.00%
Sharesave scheme	May 2021–July 2025	3 years	0.13%–5.53%
ESPP scheme	May 2024–July 2025	1 year	4.63%–5.53%
ISO scheme	September 2019	7 years	0.38%
LTIP scheme	March 2020–January 2025	3 years	0.21%
RSP scheme	May 2021–July 2025	10 years	N/A
Deferred shares	October 2022–December 2024	2 years	N/A
Phantom schemes	July 2021–January 2025	3 years	5.53%

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 150
Notes to the Financial Statements continued

24 Share-based payments continued

Measurement of fair values continued

Scheme	Grant date	Weighted average fair value of options granted during the year	Fair value at measurement date	Weighted average exercise value at measurement date	Exercise price
CSOP scheme	August 2018–September 2019	£0.55–£0.63	£0.55	£1.79 – £2.09	£1.79
Sharesave scheme	May 2021–July 2025	£0.39–£0.86	£0.51	£0.99 – £2.15	£1.12
ESPP scheme	May 2024–July 2025	£0.34–£0.37	£0.34	£1.09–£1.23	£1.23
ISO scheme	September 2019	£0.54	£0.54	£1.82	£1.82
LTIP scheme	March 2020–January 2025	£0.90–£2.31	£1.30	£nil	£nil
RSP scheme	May 2021–July 2025	£0.90–£2.85	£1.22	£nil	£nil
Deferred shares	October 2022–December 2024	£1.11– £1.55	£1.46	£nil	£nil
Phantom schemes	July 2021–January 2025	£1.36 –£2.87	£1.36	£nil	£nil

LTIP schemes that include market conditions have been valued using a Monte Carlo simulation. All other schemes without market conditions have been valued using the Black-Scholes model. The expected volatility has been based on an evaluation of the historical volatility of the Company’s share price, particularly over the historical period commensurate with the expected term. The expected term of the instruments has been based on historical experience and general option holder behaviour. For the options granted in the year ended 30 September 2025, dividend yield assumed at the time of option grant is 3.62% (2024: 4.52%).

Reconciliation of outstanding share options

The options outstanding at 30 September 2025 have an exercise price in the range of £nil to £2.15 (2024: £nil to £2.15) and a weighted average contractual life of seven years (2024: seven years). The following table illustrates the number and weighted average exercise prices (WAEP) of, and movements in, outstanding share awards during the year:

	2025	2024	2025	2024
	Number	WAEP	Number	WAEP
	’000		’000
Outstanding at beginning of year/period	13,562	£0.33	11,220	£0.61
Granted during the year/period	2,997	£0.34	10,474	£0.23
Exercised during the year/period	(1,156)	£0.28	(2,049)	£0.23
Forfeited in the year/period	(3,371)	£0.44	(6,083)	£0.70
Outstanding at end of year/period	12,032	£0.31	13,562	£0.33
Exercisable at end of year/period	1,356	£0.53	1,690	£0.48

Scheme	Number of instruments as at 1 October 2024	Number of Options granted during the year	Instruments exercised in the year	Forfeitures in the year	Number of instruments as at 30 September 2025
CSOP schemes	161,998	—	—	(55,862)	106,136
Sharesave/SAYE schemes	3,142,015	824,011	(75,537)	(829,289)	3,061,200
ESPP schemes	360,960	70,413	(204,492)	(165,403)	61,478
ISO schemes	21,976	—	—	(5,494)	16,482
LTIP schemes	7,011,251	78,185	(158,772)	(1,662,982)	5,267,682
RSP scheme	2,675,796	1,922,037	(715,543)	(651,838)	3,230,452
Deferred shares	186,641	92,559	—	—	279,200
Phantom schemes	1,500	9,776	(1,500)	—	9,776
	13,562,137	2,996,981	(1,155,844)	(3,370,868)	12,032,406

The liability for cash settled share-based payments at 30 September 2025 was £nil (2024: £nil).

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 151

25 Called up share capital and reserves

	2025	2024	2025	2024
	Number	Number	£m	£m
Ordinary shares of 1p each at the beginning of the year/period	314,524,630	312,128,892	3.1	3.1
Ordinary shares of 1p each issued in the year/period	481,449	2,395,738	—	—
Ordinary shares of 1p each at the end of the year/period	315,006,079	314,524,630	3.1	3.1

During the year, 481,449 (2024: 2,395,738) new ordinary shares of 1p were issued as a result of the exercise of share options. The proceeds of £0.3m (2024: £0.3m) were credited to the share premium account. As at 30 September 2025, 8,485,195 shares were held in treasury (2024: 5,158,090).

Share premium

The share premium account records the difference between the nominal amount of shares issued and the fair value of the consideration received. The share premium account may be used for certain purposes specified by UK law, including to write off expenses incurred on any issue of shares and to pay fully paid bonus shares. The share premium account is not distributable but may be reduced by special resolution of the Company’s ordinary shareholders and with court approval.

Merger reserve

The merger reserve arose in 2015 from the acquisition of Accumuli plc through a share-for-share exchange in part consideration for the business.# Notes to the Financial Statements

Currency translation reserve

The results of overseas operations are translated at the average foreign exchange rates for the year, and their balance sheets are translated at the rates prevailing at the Balance Sheet date. Exchange differences arising on the translation of opening net assets and results of overseas operations are recognised in the currency translation reserve. All other exchange differences are included in the Income Statement. On disposal of a foreign operation, the cumulative amount of exchange differences previously recognised in other comprehensive income and accumulated in equity is reclassified to the Income Statement. See Note 31 for further details.

Retained earnings

Retained earnings for the Group are made up of accumulated reserves. For the Company, retained earnings are made up of accumulated reserves.

Other financial commitments

At the end of the reporting year, the Group had no other financial commitments (2024: £nil).

Contingencies

There are no contingent liabilities not provided for at the end of the financial year (2024: £nil). Similarly, there are no contingent assets (2024: £nil). The Company and its subsidiaries are party to cross guarantees securing certain bank loans. At 30 September 2025, there was no material impact that could arise for the Company from these cross guarantees.

Pension scheme

The Group operates a defined contribution pension scheme that is open to all eligible colleagues. The pension cost charge for the year represents contributions payable by the Group to the fund and amounted to £7.4m (2024: £8.0m). For the Company, the pension cost charge for the year represents contributions payable by the Company to the fund and amounted to £nil (2024: £nil).

Related party transactions

Management has defined related party transactions as those involving key management personnel only. Key management personnel have been assessed to be the Group’s Board of Directors. During the year ended 30 September 2025 there were seven (2024: nine) key management personnel. Disclosures relating to remuneration of Directors are set out in the Remuneration Report on pages 81 to 93. The remuneration of the key management personnel is set out below:

	Group 2025	Group 2024	Company 2025	Company 2024
£m	£m	£m	£m	£m
Salary costs (including bonus)	2.2	2.7	—	—
Social security costs	0.3	0.4	—	—
Share-based payments	—	0.3	—	—
Total	2.5	3.4	—	—

There were no other related party transactions identified during the year. The amount of gains made by Directors on the exercise of share options is disclosed in the Remuneration Report on page 87.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 152
Notes to the Financial Statements continued for the year ended 30 September 2025

Investments in subsidiary undertakings

Company

£m	At 1 June 2023	Increase in subsidiary investment for share-based charges	Increase in subsidiary investment for below market value loan arrangement	At 30 September 2024	Increase in subsidiary investment for share-based charges	At 30 September 2025
	279.1	2.3	9.7	291.1	2.1	293.2

In accordance with IAS 36 ‘Impairment of Assets’, management annually reviews the carrying value of investments to ensure that it does not exceed the recoverable amount. The investment in subsidiary undertakings is held against the Company’s direct subsidiary NCC Group Holdings Limited. In performing this assessment, management considered external market factors, such as the Group’s market capitalisation, and internal factors, such as the results of the Group’s annual goodwill impairment review. As of the reporting date, no indicators of impairment were noted. The increase in subsidiary investment for share-based charges represents IFRS 2 ‘Share-based Payment’ charges in respect of subsidiaries which will not be recharged. Fixed asset investments are recognised at cost.

The undertakings in which the Company has a 100% interest at 30 September 2025 are as follows:

Subsidiary undertakings	Country of incorporation	Principal activity	Registered office
NCC Group Holdings Limited	England and Wales	Holding company	XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, England M3 3AQ (XYZ 1 )
NCC Group (Solutions) Limited	England and Wales	Holding company	XYZ 1
NCC Group Corporate Limited	England and Wales	Corporate cost centre	XYZ 1
NCC Group Finance Limited	England and Wales	Financing company	XYZ 1
The National Computing Centre Limited	England and Wales	Dormant	XYZ 1
NCC Group Software Resilience Limited	England and Wales	Holding company	XYZ 1
NCC Group Software Resilience (UK) Limited	England and Wales	Holding company	XYZ 1
NCC Services Limited	England and Wales	Escode	XYZ 1
NCC Group Escrow Limited	England and Wales	Dormant	XYZ 1
NCC Group Software Resilience (Europe) B.V.	Netherlands	Holding company	Barbara Strozzilaan 201, 1083HN Amsterdam, Netherlands
NCC Group GmbH	Germany	Escode	c/o Deloitte Legal Rechtsanwaltsgesellschaft mbH, Rosenheimer Platz 6, 81669, Munich, Bavaria, Germany
NCC Group Deutschland GmbH	Germany	Cyber Security	Leopoldstrasse Business Centre GmbH, Konrad-Zuse-Platz 8, 81829, Munich, Germany
NCC Group Escrow Europe B.V.	Netherlands	Escode	Barbara Strozzilaan 201, 1083HN Amsterdam, Netherlands
NCC Group Escrow Europe (Switzerland) AG	Switzerland	Escode	Ibelweg 18A, 6300 Zug, Switzerland
NCC Group Software Resilience (MEA-APAC) Limited	England and Wales	Holding company	XYZ 1
NCC Group FZ-LLC	United Arab Emirates	Escode	F01-004, Building 5, Dubai, Media City, Dubai, United Arab Emirates
NCC Group Cyber Security Limited	England and Wales	Holding company	XYZ 1
NCC Group Cyber Security (UK) Limited	England and Wales	Holding company	XYZ 1
NCC Group Security Services Limited	England and Wales	Cyber Security	XYZ 1
NCC Group Audit Limited	England and Wales	Cyber Security	XYZ 1
ArmstrongAdams Limited	England and Wales	Cyber Security	XYZ 1
NCC Group Signify Solutions Limited	England and Wales	Cyber Security	XYZ 1
NCC Group Accumuli Security Limited	England and Wales	Cyber Security	XYZ 1
NCC Group Cyber Security (Europe) B.V.	Netherlands	Holding company	Olof Palmestraat 6, 2616 LM Delft, Netherlands (Fox-IT 3 )
NCC Group A/S	Denmark	Cyber Security	Lautruphøj 1, 2750 Ballerup, Denmark
NCC Group Cyber Portuguesa, Unipessoal, LDA	Portugal	Cyber Security	Av. António Augusto de Aguiar nº 19 – 4º, 1050-012 Lisboa, Portugal
NCC Group Security Services Espana SLU	Spain	Cyber Security	Plaza Manuel Gómez Moreno, número 2, Edificio Alfredo Mahou, planta 19ª, letra B, 2802 0, Madrid, Spain

Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 153

The undertakings in which the Company holds less than a 100% interest at the year end are as follows:

Undertaking	% interest	Country of incorporation	Principal activity
Deposit AB	24%	Sweden	Escode

The Directors consider the above ownership structure to give rise to no significant influence over the undertaking. There is no Board representation, and the Group has no power to participate in the operating and financial policy decisions of the undertaking. Accordingly, the undertaking of Deposit AB has not been consolidated.

1 2 Hardman Boulevard, Spinningfields, Manchester, England M3 3AQ.
2 11 East Adams Street, Suite 400, Chicago, IL 60603, USA.
3 Olof Palmestraat 6, 2616 LM Delft, Netherlands.

Disposal of Group undertakings

During the prior period, the Group disposed of its 3.35% shareholding in an unlisted company. The shares were sold for a total consideration of £0.4m. A gain of £0.1m was recognised within the Income Statement in relation to this disposal. There has been no impact in the current year. A further potential contingent consideration may be received after two years, subject to specific performance conditions. As this payment is not considered virtually certain at the reporting date, it has not been recognised in the current year’s Financial Statements. If achieved, the maximum additional amount receivable would be £0.2m.

Subsidiary undertakings

Subsidiary undertakings	Country of incorporation	Principal activity	Registered office
Cyber Assurance Sweden AB	Sweden	Cyber Security	c/o Advokatfirman Delphi, P.O. Box 143 2, 111 84 Stockholm
Fox-IT Holding B.V.	Netherlands	Holding company	Olof Palmestraat 6, 2616 LM Delft, Netherlands (Fox-IT 3 )
Fox-IT Group B.V.	Netherlands	Holding company	Fox-IT 3
Fox-IT B.V.	Netherlands	Cyber Security	Fox-IT 3
NCC Group Cyber Security (APAC) Limited	England and Wales	Holding company	XYZ 1
NCC Group Pte Limited	Singapore	Cyber Security	Unit #10-09 PLUS Building, 20 Cecil Street, Singapore (049705)
NCC Group Pty Limited	Australia	Cyber Security	Suite 23.01, Level 23, 45 Clarence Street, Sydney, NSW 2000, Australia
Escode Australia Pty Limited	Australia	Software Resilience	Suite 23.01, Level 23, 45 Clarence Street, Sydney, NSW 2000, Australia
NCC Group Japan KK	Japan	Cyber Security	Level 18, Yesibu Garden Place Tower, 4-20-3 Ebisu Shibuya-Ku, Tokyo, Japan
NCC Group (Americas) Inc.	USA	Holding company	11 East Adams Street, Suite 400 Chicago IL 6 0 603, USA (North America HQ 2 )
NCC Group, LLC	USA	Escode and central/ head office costs	North America HQ 2
NCC Group Cyber Security (Americas), LLC	USA	Holding company	North America HQ 2
NCC Group Security Services, Inc.	USA	Cyber Security	North America HQ 2
NCC Group Secure Registrar, Inc.	USA	Domain services	North America HQ 2
NCC Group Domain Services, Inc.	USA	Domain services	North America HQ 2
NCC Group Security Services Corporation	Canada	Cyber Security	Suite 270 0, The Stack, 1133 Melville St, Vancouver, BC V6E 4E5, Canada
Payment Software Company, Inc.

Notes to the Financial Statements continued for the year ended 30 September 2025

31 Disposals

Current year disposal of Fox Crypto business

At 30 September 2024, the assets and liabilities associated with the planned disposal of Fox Crypto were classified as held for sale (for further details please refer to Note 16). On 28 March 2025, the Group completed the disposal of its entire 100% interest in Fox Crypto, a foreign operation, for total cash consideration of £65.6m. Following completion, no interest was retained in the entity, and no contingent consideration was recognised. The disposal resulted in an overall gain of £9.8m, recognised within Individually Significant Items (see Note 4 for further details).

The assets and liabilities included as part of the disposal were as follows:

	2025 £m
Attributable goodwill	(52.1)
Intangible fixed assets	(0.1)
Tangible fixed assets	(1.0)
Right-of-use assets	(0.6)
Inventories	(0.5)
Trade and other receivables	(6.2)
Contract assets	(2.2)
Cash and cash equivalents	(4.2)
Trade and other payables	2.7
Deferred revenue	2.8
Lease liabilities	0.6
Provisions	0.6
Cumulative currency translation adjustment	7.9
Net assets disposed of	(52.3)
Total consideration	65.6
Transaction costs incurred in the year ended 30 September 2025	(2.0)
Gain on disposal – recognised as an Individually Significant Item (Note 4)	11.3
Transaction costs incurred during the 16 month period ended 30 September 2024	(1.5)
Total transaction costs	(3.5)
Overall gain on disposal (Note 4)	9.8

Satisfied by:

	65.6
Cash and cash equivalents	65.6
Total consideration	65.6

As part of the disposal, £7.9m of foreign currency translation reserve relating to Fox Crypto was reclassified from equity to the Income Statement and recognised within the gain on disposal. The net cash inflow on disposal was £61.4m, comprising gross consideration of £65.6m less £4.2m of cash disposed of on completion. A gain on disposal of £11.3m has been recognised within ISIs in the year ended 30 September 2025. An additional £1.5m of related transaction costs were recognised in ISIs in the 16 month period ended 30 September 2024, bringing the total gain on disposal to £9.8m. Overall, total transaction costs total £3.5m, including the £2.0m incurred in the year ended 30 September 2025. Since completion of the deal, £0.1m of income has been earned under a six month transactional services agreement (TSA); this brings the overall gain on disposal recognised in relation to the disposal of Fox Crypto within FY25’s ISIs to £11.4m. Please refer to Note 4.

Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025

31 Disposals continued

Prior period disposal of DetACT business

On 30 April 2024, the Group completed the disposal of its DetACT business for a total cash consideration of £8.2m. The assets and liabilities included as part of the disposal were as follows:

	2024 £m
Attributable goodwill	(5.9)
Intangible fixed assets	(1.4)
Trade and other receivables	(1.5)
Trade and other payables	0.1
Deferred revenue	2.8
Deferred tax liability	0.3
Net assets disposed of	(5.6)
Consideration	8.2
Transaction costs	(1.0)
Gain on disposal – recognised as an Individually Significant Item (Note 4)	1.6

Satisfied by:

	8.2
Cash and cash equivalents	8.2
Total consideration	8.2

32 Audit exemption

The subsidiary undertakings listed below are exempt from the Companies Act 2006 requirements relating to the audit of their individual accounts by virtue of section 479A of the Act as this Company has guaranteed the subsidiary company under section 479C of the Act.

Company name	Company registration no.
NCC Group Software Resilience (MEA-APAC) Limited	13295784
ArmstrongAdams Limited	04270584
NCC Group Software Resilience Limited	13247183
NCC Group Software Resilience (UK) Limited	13298310
NCC Group Accumuli Security Limited	03203561
NCC Group Audit Limited	04323323
NCC Group Corporate Limited	13247138
NCC Group Cyber Security limited	13287219
NCC Group Cyber Security (APAC) Limited	13294684
NCC Group Holdings Limited	13325653
NCC Group Signify Solutions Limited	03915262
NCC Group (Solutions) Limited	03742757
Payment Software Company Limited	10059024
NCC Group Finance Limited	13350193
NCC Group Escrow Limited	03081952
The National Computing Centre Limited	04225835
NCC Group Cyber Security (UK) Limited	13294277

The Directors acknowledge their responsibility for complying with the requirements of the Companies Act 2006 with respect to accounting records and preparation of accounts.

Appendix 1 – Alternative Performance Measures (APMs) and adjusting items

The consolidated Financial Statements include Alternative Performance Measures (APMs) alongside statutory measures. APMs used by the Group are not defined under IFRS and may not be comparable to similarly titled measures reported by other companies. They are not intended to replace or be superior to Generally Accepted Accounting Practice (GAAP) measures. All APMs relate to the current year’s results and, where provided, comparative periods. This presentation is consistent with how management measures financial performance and reports to the Board. It also forms the basis for financial measures used in senior management’s compensation schemes and provides supplementary information to help users understand the Group’s financial performance, position and trends. At all times, the Group aims to ensure that the Annual Report and Accounts gives a fair, balanced and understandable view of the Group’s performance, cash flows and financial position. IAS 1 ‘Presentation of Financial Statements’ requires the separate presentation of items that are material in nature or scale in order to allow the user of the Financial Statements to understand underlying business performance. We believe these APMs provide readers with important additional information on our business, and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs) that impact financial performance and cash flows.

The Group continues to internally manage its performance at an Adjusted operating profit level (before Individually Significant Items), which management believes represents the underlying trading of the business. This information is still disclosed as an APM within this Annual Report. This APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before Individually Significant Items and the tax effect thereon) to statutory basic EPS. Please see page 54 of the Financial Review section.

The Group has the following APMs/non-statutory measures:

| APM | Closest equivalent IFRS measure | Adjustments to reconcile to IFRS measure | Definition, purpose and considerations made by the Directors # Appendix 1 – Alternative Performance Measures (APMs) and adjusting items continued

Measures:

Adjusted EBITDA

Is disclosed as this is a measure widely used by various stakeholders and used by the Group to measure the cash conversion ratio.

Adjusted basic EPS

Statutory basic EPS before Individually Significant Items and their associated tax effect and adjusted tax items. Represents basic EPS before Individually Significant Items and their associated tax effect and adjusted tax items. This measure is to allow the user to understand the Group’s underlying financial performance as measured by management, reported to the Board and used as a financial measure in senior management’s compensation schemes.

Financial statements

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 157

Balance Sheet measures:

Net cash/debt excluding lease liabilities

Total borrowings (excluding lease liabilities) offset by cash and cash equivalents

Represents total borrowings (excluding lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group Balance Sheet position, overall net indebtedness and gearing on a like-for-like basis. Net cash/debt, when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions.

Net cash/debt

Total borrowings (including lease liabilities) offset by cash and cash equivalents

Represents total borrowings (including lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group’s Balance Sheet position, overall net indebtedness and gearing including lease liabilities. Net cash/debt, when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions.

Cash flow measures:

Cash conversion ratio

Ratio % of net cash flow from operating activities before interest and tax divided by operating profit

Ratio % of net cash flow from operating activities before interest and tax divided by Adjusted EBITDA. The cash conversion ratio is a measure of how effectively operating profit is converted into cash and effectively highlights both non-cash accounting items within operating profit and also movements in working capital. It is calculated as net cash flow from operating activities before interest and taxation (as disclosed on the face of the Cash Flow Statement) divided by Adjusted EBITDA. The cash conversion ratio is a measure widely used by various stakeholders and hence is disclosed to show the quality of cash generation and also to allow comparison to other similar companies.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 158

Notes to the Financial Statements continued for the year ended 30 September 2025

Glossary of terms – other terms

Other terms	Definition and usage
Code	Guidance, issued by the Financial Reporting Council in 2016 and updated in 2018, on how companies should be governed, applicable to UK listed companies including NCC Group plc.
Adjusted	Any result described as adjusted excludes the impact of Individually Significant Items, and any tax on any of these items.
Adjusted profit for the period	Adjusted earnings are defined as statutory earnings before Individually Significant Items, net of the tax effect of these items.
Adjusted operating profit margin	Calculated as Adjusted operating profit divided by revenue.
AGM	Annual General Meeting of shareholders of the Company held each year to consider ordinary and special business as provided in the Notice of AGM.
Alternative Performance Measure (APM)	An Alternative Performance Measure (which is denoted in each case or use thereof by a footnote) is a non-GAAP performance metric used by management either internally or externally to present management’s view of the underlying business performance. They are not superior to GAAP-based measures and are simply an alternative way of looking at performance. See Appendix 1 for further information over the Group’s APMs.
Board	The Board of Directors of the Company (for more information see pages 62 and 63).
Cash conversion ratio	Calculated as cash generated from operating activities before interest and taxation divided by Adjusted EBITDA, expressed as a percentage.
CDO	Cyber Defence Operations.
CEO	Chief Executive Officer.
CFO	Chief Financial Officer.
CISO	Chief Information Security Officer.
Company, Group, NCC, we, our or us	We use these terms, depending on the context, to refer to either NCC Group plc, the individual Company, or to NCC Group plc and its subsidiaries collectively.
CPO	Chief People Officer.
CTO	Chief Technology Officer.
Directors, Executive Directors and Non-Executive Directors	The Directors/Executive Directors and Non-Executive Directors of the Company whose names are set out on pages 62 and 63 of this report.
EBIT	Earnings before interest and tax.
EBIT margin %	EBIT margin % is calculated as follows: Adjusted EBIT divided by revenue.
EBITDA	Earnings before interest, tax, depreciation and amortisation. Calculated as operating profit before Individually Significant Items and adding back depreciation and amortisation charged.
EBITDA margin %	EBITDA divided by revenue.
EPS	Earnings per share. Profit for the period attributable to equity shareholders of the Parent allocated to each ordinary share.
FCA	Financial Conduct Authority.
Financial year	For NCC Group, following the change in year end in the prior period, this is an accounting period ending on 30 September.
FRC	Financial Reporting Council.
FVLCTS	Fair value less costs to sell.
Gross profit	Gross profit is revenue less direct costs of sale. It excludes costs considered to be overheads that are supporting the business as a whole as opposed to a specific revenue item.
Gross margin % (GM %)	Calculated as gross profit divided by revenue from continuing activities.
HMRC	His Majesty’s Revenue & Customs, the tax collecting authority of the UK.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 159

Additional information

Other terms	Definition and usage
IAS or IFRS	An International Accounting Standard or International Financial Reporting Standard, as issued by the International Accounting Standards Board (IASB). IFRS is also used as the term to describe international generally accepted accounting principles as a whole.
Individually Significant Items	Items that the Directors consider to be material in nature, scale or frequency of occurrence that need to be excluded when calculating some non-statutory performance measures in order to allow users of the Financial Statements to gain a full understanding of the underlying business performance. See Note 4 for further information.
PricewaterhouseCoopers (PwC)	The Company’s external auditor, PwC LLP.
LTIP	Long Term Incentive Plan established to align the interests of senior and executive management with those of shareholders. The plan is formally known as the NCC Group Long Term Incentive Plan 2013 (approved by shareholders in 2013).
MD	Managing Director.
MDR	Managed Detection and Response.
Net debt	Total borrowings offset by cash and cash equivalents.
Ordinary shares	Voting shares entitling the holder to part ownership of a company.
SAYE/Sharesave	Save As You Earn, being a tax efficient scheme to encourage colleague share ownership.
Escode	Escode represents our escrow resilience services.
Subsidiary	A company or other entity that is controlled by NCC Group.
TSC	Technical Security Consulting.
TSR	Total shareholder return, which is share price growth plus dividends reinvested (where applicable) over a specified period of time, divided by the share price at the start of the period.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 160

Glossary of terms – other terms continued

Other terms	Definition and usage
Directors	Chris Stone – Non-Executive Chair Mike Maddison – Chief Executive Officer Guy Ellis – Chief Financial Officer Julie Chakraverty – Senior Independent Non-Executive Director Jennifer Duvalier – Independent Non-Executive Director Mike Ettling – Independent Non-Executive Director Lynn Fordham – Independent Non-Executive Director
Company Secretary	Jonathan Williams
Registered Group and Company head office	XYZ Building 2 Hardman Boulevard Spinningfields Manchester England M3 3AQ
Registered number	04627044
Registered in England and Wales
Joint brokers and corporate finance advisers	Investec Bank plc 30 Gresham Street London EC2V 7QP Peel Hunt LLP Moor House 120 London Wall London EC2Y 5ET
Independent auditor	PricewaterhouseCoopers LLP 1 Hardman Square Manchester M3 3EB
Solicitors	DLA Piper UK LLP 1 St Peter’s Square Manchester M2 3DE
Registrar	Equiniti Aspect House Spencer Road Lancing West Sussex BN99 6DA
Bankers	HSBC UK Bank plc 2nd Floor 4 Hardman Square Spinningfields Manchester M3 3EB National Westminster Bank plc 1 Hardman Boulevard Manchester M3 3AQ Barclays Bank plc 1 Churchill Place London E14 5HP Santander UK plc 2 Triton Square Regent’s Place London NW1 3AN

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 161

Additional information

Financial calendar

AGM 3# March 2026

Ex-dividend date 12 March 2026
Record date 13 March 2026
2026 half-year end 31 March 2026
Dividend payment date 10 April 2026
2026 interim statement June 2026
2026 year end 30 September 2026
2026 preliminary year end statement December 2026

These dates are provisional and may be subject to change.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
162
Produced by Design Portfolio www.design-portfolio.co.uk

NCC Group plc’s commitment to environmental issues is reflected in this Annual Report, which has been printed on Amadeus, an FSC ® certified material. This document was printed by Pureprint Group using its environmental print technology, with 99% of dry waste diverted from landfill, minimising the impact of printing on the environment. The printer is a CarbonNeutral ® company. Both the printer and the paper mill are registered to ISO 14001.

NCC Group plc Annual report and accounts for the year ended 30 September 2025

AI assistant

NCC GROUP PLC — Annual Report 2025

4869_10-k_2025-12-23_d0d0aaef-114e-4024-8e40-1788b163f396.xhtml

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Unlocking ourpotential

In this report

Highlights for the year ended 30 September 2025

At a glance

Escode

Cyber Security

What we do

Where we operate

Our offices

Group revenues

Strategic report

Chair’s statement

Deepening relationships and building trust

Our people: the heart of NCC Group

Navigating change with purpose

Unlocking our potential

Commitment to sustainability and responsible business

Governance and Board Leadership

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

CEO’s review

Strategic progress positions the Group for return to profitable growth

Market environment and client needs

Financial performance

Sales and commercial execution

Strategic progress and transformation

Identity at the core: Strengthening cyber resilience with end‑to‑end access governance and expertise

Closing thoughts

Share buy‑back programme

Dividends

Looking to the future

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

Our business model

Inputs

Transforming for global growth

Sustainable growth strategy

People‑powered, tech‑enabled

Culture of innovation

Stronger partner relationships

Market‑leading reputation

Cyber Security

Escode

Two distinct businesses

Value creation

Colleagues

Operational highlights

Market trends and regulatory landscape

Outlook

Clients

Our network

Shareholders

Two distinct businesses

Intensifying regulatory momentum versus a worldwide shortage of qualified talent

Market outlook

Global market trends, threats and opportunities

OT/IT Cyber Safety Webinar series

NCC Group’s 1000+ respondent survey reveals the critical issues driving supply chain security in 2025

The NCC Group Cyber Security regulations maturity curve

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

11

A range of services and geographies and breadth of offering

Our strategy

NCC Group plc — Annual report and accounts for the year ended 30 September 2025

13 Stakeholder engagement

Colleagues

The opportunity

How we listen and engage

Highlights in 2024/25

Clients

The opportunity

How we listen and engage

Highlights in 2024/25

Suppliers

The opportunity

How we listen and engage

Highlights in 2024/25

Public Sector

NCC GROUP PLC Annual Report 2025