Annual report and accounts
for the year ended 30 September 2025
Unlocking
ourpotential

A global delivery engine
asa differentiated and
scalable service for
clientsaround the world
A single technology stack
and the opportunity to
leverage our scalable
full‑circle cyber services
A network of partners
andstrategic alliances
tooptimise solutions
forclients
Find out more:
p2
Find out more:
p8
Find out more:
p12
NCC Group is a people‑powered,
tech‑enabled global Cyber Security
and software escrow business.
We harness our collective insight, intelligence and
innovation to power end‑to‑end cyber services that
protect our clients from cyber threat.
In this report
Strategic report
1 Highlights for the year ended
30September 2025
2 At a glance
4 Chair’s statement
6 CEO’s review
8 Our business model
10 Market outlook
12 Our strategy
14 Stakeholder engagement
16 Sustainability
29 Risk management
38 Viability statement
40 Financial review
Governance
58 Chair’s introduction togovernance
61 Governance framework
62 Board of Directors
64 Board composition and division
ofresponsibilities
70 Shareholder engagement
71 Audit Committee report
77 Nomination Committee report
79 Cyber Security Committee report
81 Remuneration Committee report
94 Directors’ report
98 Directors’ responsibilities statement
Audited consolidated
financialstatements
99 Independent auditors’ report
104 Consolidated income statement
104 Consolidated statement
ofcomprehensive income
105 Consolidated balance sheet
106 Consolidated cash flow statement
107 Consolidated statement ofchanges
inequity
108 Company balance sheet
109 Company statement ofchanges
inequity
110 Notes to the Financial Statements
Additional information
157 Appendix 1
159 Glossary of terms – other terms
161 Other information
162 Financial calendar
View our latest results: nccgroupplc.com

Highlights for the year ended
30 September 2025
Revenue
(£m)
£305.4m
Profit/(loss) before taxation
(£m)
£20.6m
Basic EPS
(p)
5.6p
Net cash/(debt) excluding lease liabilities
3
(£m)
£13.1m
Adjusted operating profit
3
(£m)
£23.7m
Adjusted EPS
3
(p)
4.7p
IFRS measures
1
Alternative Performance Measures
1 The statutory results for the audited year (and the audited prior period of 16 Months to 30 September 2024) present the Group’s Escode business as discontinued operations.
Therefore,the tables below show the Group’s continuing operations results, with Escode added back to ensure full comparability of the Group’s performance.
2 Non-core disposals refer to the disposals of Fox-IT Crypto and Fox DetACT. The disposal of Fox-IT Crypto and Fox DetACT completed on 28 March 2025 and 30 April 2024 respectively.
3 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance
Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
Highlights
•
Group revenue on a constant currency basis
3
(excluding non-core
disposals
2
) has declined by 2.6% to £293.9m with Escode experiencing
growth of 2.2% to £66.5m, offset by a Cyber Security decline of
4.0% to £227.4m.
•
Revenue performance in H2 2025 on a constant currency basis
1
(excluding non-core disposals
2
) for both Escode and Cyber Security
improved from the position in H1 2025, with Escode H2 2025 growth
of 2.5% vs H2 2024 compared to H1 2025 growth of 1.8% vs H1
2024, and Cyber Security H2 2025 decline of 1.6% vs H2 2024
compared to H1 2025 6.3% decline vs H1 2024. Escode has now
delivered 12 consecutive quarters of year-on-year revenue growth
and Cyber Security has returned to growth in Q4 FY25 providing
momentum into FY26.
•
Gross margins (excluding non-core disposals
2
) year on year have
improved to 44.5% from 43.9% as the Group maintained operational
discipline, with Escode gross margin improving by 2.6% pts at 71.4%
and Cyber Security declining slightly by 0.4% pts to 36.6%.
•
The Group reported Adjusted EBITDA
3
(excluding non-core
disposals
2
) of £40.6m, down from £42.1m in the 12 months to
30September 2024, in line with Board’s expectations (down from
£51.6m for the 16 month period ending 30 September 2024
(including non-core disposals
2
)).
•
Profit before taxation grew to £20.6m from a loss of £17.8m in the
year ended 30 September 2024, as a result of a reduction in non-core
disposals
2
trading (£4.7m), underlying reduction in Adjusted EBITDA
trading performance (£1.5m), a one-off profit (£11.4m in H1 2025)
from the sale of our Fox Crypto business for a total consideration of
£65.6m completed in March 2025, a reduction in other Individually
Significant Items (£29.5m), excluding the£11.4m profit on disposal
of Fox Crypto, reduction in depreciation and amortisation (£2.2m)
and finance costs (£1.3m).
•
The disposal of Fox Crypto in March 2025 was part of the strategic
plan to simplify our business and focus on creating a pure play
cyberservice proposition for clients. It has also helped us transform
ourBalance Sheet to eliminate Group borrowings, with net cash of
£13.1m at 30 September 2025 compared to net debt of £45.3m on
30 September 2024. In conjunction with our successful refinancing
in April 2025 to a new four year, £120m multi-currency revolving
credit facility (RCF) and an uncommitted £50m accordion option,
this supports strategic options for a recently announced share
buy-back programme and value enhancing M&A opportunities.
•
As announced on 28 April 2025, the Group confirmed that it was
investigating several options for its Escode business, including a
potential sale (‘Escode review’). If a transaction were to be successfully
concluded it would enable the Group to consider a significant return
of capital to shareholders over and above the recently announced
share buy-back programme. The Board will provide updates as and
when appropriate.
•
Further to the announcement on 16 July 2025, the Board confirms
the process to review all options for the Group’s Cyber Security
business also continues and is independent from both the process
and outcome of the Escode review. Our focus remains on operational
excellence and continuing our transformation journey as we ensure
the operating model is aligned to support our clients and the
underlying Cyber Security strategy.
•
The Board is proposing an unchanged final dividend of 3.15p per
ordinary share, marking 20 consecutive years of dividend payments
for shareholders.
•
The Board anticipates that revenue (including recent non-core disposals
2
)
for the year ended 30 September 2026 is expected to grow marginally, with
Escode and Cyber Security experiencing low single-digit growth as pipeline
continues to build. FY26 Group Adjusted EBITDA
1
(after the adjustment for
non-core disposals
2
) is expected to be in line with Board expectations –
growing faster than revenue and the Board remains confident in delivering
the Group’s medium-term financial goals as it continues to improve
operational discipline and transform our cyber security engine.
305.4
429.5
335 .1
23
25
24
23
25
24
20.6
(27.5)
(4.3)
23
25
24
5.6
(10.4)
(1.5)
23
25
24
(49.6)
13.1
(45.3)
23
25
24
23.7
16.6
22.3
4.7
2.8
3.4
23
25
24
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 1

At a glance
Escode
We give organisations the legal right and
practical means to access, rebuild, and maintain
business‑critical software and intellectual
property when a supplier is no longer able
tosupport it.
Our independent escrow and verification services support
organisations in four key ways:
•
Resilience for organisations when software suppliers falter,
code shows weaknesses or disruption strikes
•
Confidence that continuity and compliance are built into both
on-premise and cloud solutions
•
Secure storage and long-term access to essential software
and data
•
Technical assurance that the materials held in escrow can be
successfully rebuilt and function as intended when it matters most
For more information visit our Escode website: escode.com
Cyber Security
Protecting today. Shaping tomorrow.
Creatingamore secure digital future.
NCC Group is a leading global Cyber Security and resilience
company, trusted for over 25 years by leading businesses
andgovernments.
With roots in offensive security and defence, and a heritage
built on research and threat intelligence, we uncover
thousands of risks each year, bringing deep insight into
vulnerabilities, attack patterns and adversary behaviours.
With significant market presence in the UK, Europe, North
America and Asia Pacific we deliver full-spectrum cyber
resilience to governments and businesses to protect what
matters most – the cars we drive, the energy in our homes,
and the phones in our pockets, and critical infrastructures
worldwide. We build resilience and deliver impactful,
forward-thinking solutions that help create a safer digital future.
For more information visit our Cyber Security website: nccgroup.com
We are NCC Group plc
Leaders in regulatory
andcomplex testing
Managed Security
includingMXDR
Digital Forensics and
IncidentResponse
Consultancy and
Implementation
Escrow agreements for both
cloud and on-premise
Testing and
verificationservices
What we do
Founded in 1999, we are a global leader in cyber security and business resilience.
Ourcolleagues are relied upon by the world’s leading companies and governments
tohelpthem manage risk, strengthen resilience and build lasting trust.
Against a backdrop of continued, fast-paced technological change and increasing interconnectedness, we help companies to manage
risk and face into the future withconfidence.
NCC Group has two main divisions: a people-powered, tech-enabled Cyber Security company (nccgroup.com), and a market-leading
IP and software escrow business, Escode (escode.com). Working together with our clients, we create a more secure digital future.
NCC Group plc — Annual report and accounts for the year ended 30 September 20252

Where we operate
We operate as one global business, with in‑country delivery tailored to local needs and
cultures, as well asa global delivery team to respond quickly to our clients’challenges.
Our offices
We have a significant market
presence in the UK, Europe
andNorth America, and a
growing footprint in Asia Pacific,
with offices in Australia and
Singapore, and the Philippines.
Group revenues
UK and Asia Pacific
£163.8m
(2024
1
: £209.8m)
North America
£89.6m
(2024
1
: £136.2m)
Europe
£52.0m
(2024
1
: £83.5m)
Cyber Security revenue
£238.9m
(2024
1
: £342.1m)
•
Technical Assurance Services (TAS): £88.4m (2024
1
: £141.4m)
•
Consulting and Implementation (C&I): £48.5m (2024
1
: £55.2m)
•
Managed Services (MS): £76.4m (2024
1
: £91.8m)
•
Digital Forensics and Incident Response (DFIR): £13.1m (2024
1
: £20.6m)
•
Other services: £12.5m (2024
1
: £33.1m)
Escode revenue
£66.5m
(2024
1
: £87.4m)
•
Escrow contracts: £43.0m (2024
1
: £57.2m)
•
Verification services: £23.5m (2024
1
: £30.2m)
1 2024 represents the 16 month period ended 30 September 2024 (audited).
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 3

Chair’s statement
As a result of this decision, we announced in July 2025 that we had
started to explore options for our Cyber business should the Escode
sale proceed. This was about looking ahead and anticipating what our
people, our clients and shareholders will need in years to come, and
webelieve it is right that we keep all options open.
Deepening relationships and building trust
In May we hosted a unique experience for shareholders, analysts and
partners, demonstrating our ongoing commitment to transparency and
engagement. Guests were invited to step into our world and experience
first-hand decisions that management teams must make in response to
cyber threats. It was a powerful reminder of the trust our clients place in
us, and of course the expertise and dedication that runs through every
part of our business.
These moments of connection, where we open our doors and share our
story, are vital. They build understanding, foster trust and remind us all
of the critical role NCC Group plays in keeping our digital world safer
and more secure.
I’m proud that we’ve continued to strengthen our relationships with
clients, focusing on strategic partnerships that go beyond transactions,
which you’ll see from Mike’s review on pages 6 and 7. Our teams work
tirelessly to understand the evolving needs of our clients, offering not just
technical solutions but genuine partnership and support. In a world
where digital risks are ever-present, our role as a trusted advisor has
never been more important.
Our people: the heart of NCC Group
If there is one thing that stands out year after year, it is the extraordinary
commitment and talent of our people. The pace of change has been
relentless, and yet our colleagues have responded with professionalism
and creativity, focused on our client’s needs. Whether adapting to new
ways of working, supporting clients through complex challenges, or
driving innovation from within, our teams have shown what is possible
when we pull together.
Our investment in people is matched by our commitment to sustainability
and responsible business. As we nurture talent and foster a positive
culture, we also strive to make a meaningful impact on the environment
and society. Our Manila operations have gone from strength to strength,
bringing new perspectives and capabilities to our global front and
back-office teams. I am proud of the progress we have made, but
evenmore excited about what lies ahead.
Navigating change with purpose
We continue to make bold decisions as we navigate the changing
landscape all businesses are operating in. I’m proud of the way the
management team and the wider Group embrace these as opportunities
to continue to grow and strengthen the overall business.
In March 2025, we completed the sale of the Fox-IT Crypto business for
a gross consideration of £65.6m, a milestone that not only reflects our
commitment to simplifying the Group’s proposition, deriving great value
to our shareholders and reducing net debt, but also our willingness to
evolve in a rapidly shifting digital landscape.
And this commitment continued as we announced in April 2025 that
wewere exploring a range of strategic options for our Escode business,
including a potential sale (Escode review). The decision is one that was
not taken lightly by the Board. The Board will provide updates as and
when it is practicable and appropriate to do so.
If a sale of Escode were to be successfully concluded, the Group would
become a focused, people-powered, tech-enabled global Cyber Security
business. It would also enable the Board to consider a significant return
of capital to shareholders over and above the recently announced initial
share buy-back programme.
Chris Stone
Non-Executive Chair
Unlocking
our potential
When I reflect on the past year at NCC Group, I am reminded that progress
israrely linear. It is shaped by the challenges we face, the decisions we make,
and– most importantly – the people who come together to move us forward.
Thisyear has been a testament to the resilience, adaptability and shared purpose
that defines our Group. And I want to begin by expressing my heartfelt thanks to
every colleague, client and shareholder, as well as our partners, who continue
tobe a part of our journey.
NCC Group plc — Annual report and accounts for the year ended 30 September 20254

Commitment to sustainability and responsible business
This year, we took significant steps forward on our climate action
agenda, responding to changing requirements and also client requests.
We published our Carbon Reduction Plan, developed in partnership
with Positive Planet, which sets out our path to net zero and commits
usto ambitious, science-based targets. We are on track to achieve
SBTi verification by March 2026 and will update our plan to reflect our
progress. Our partnership with Positive Planet led to the creation of
abespoke Carbon Literacy Training programme, and I am delighted
that my fellow Board member Lynn Fordham was among the first to
achieve certification.
We are now working towards verification of our science-based targets,
a further demonstration of our commitment to collaborating with other
businesses to reduce our impact on the environment and will update
the Carbon Reduction Plan in early 2026.
This holistic approach to sustainability is reflected in our governance
practices. The Board remains focused on upholding the highest standards
and ensuring that our values are embedded in every decision we make,
and you can read more about our progress on this from page 58.
Governance and Board Leadership
The Board has played an active and engaged role, providing challenge,
support and guidance as we continue to navigate this critical time for
the Group. We are committed to upholding the highest standards of
governance, ensuring that our decisions are grounded in integrity,
transparency and a long-term perspective. Our focus has been on
supporting the management team, overseeing strategic reviews and
ensuring that the interests of all stakeholders arerepresented.
We have also continued to review and strengthen our governance
practices, learning from best practice and adapting to the evolving
needs of our business. This includes ongoing engagement with our
shareholders, listening to their views and incorporating their feedback
into our decision making.
Looking to the future
With strong foundations in place – strategic clarity, stakeholder trust,
empowered people and robust governance – we are well positioned to
embrace the future with confidence. We are continuing to build strategic
client relationships, scan the market for smart acquisition opportunities
and focus on operational efficiencies that will make us stronger and more
agile. Our partnerships are deepening, our Manila office is flourishing
and our global teams are united by a shared sense of purpose.
I am confident that we have the right people, the right strategy and the
right values to succeed. Together, we are building a stronger, more
resilient NCC Group – one that is ready to seize the opportunities
oftomorrow.
Share buy‑back programme
Reflecting the Board’s continued confidence in the future prospects
ofthe Group and the strength of the Balance Sheet, regardless of the
outcome of the Escode review, we announced in October 2025 our
intention to commence an initial share buy-back programme. This
willbe carried out utilising our current shareholder authority and in
accordance with our capital allocation policy, and relevant legal and
regulatory obligations. It was also noted that the initial share buy-back
programme would not launch before 11 December 2025.
Dividends
During the year, total dividends of £19.0m were paid (2024: £14.5m),
an increase due to the change in our year end and the additional
dividend we gave for the four month period to 30 September 2024.
The Board is proposing an unchanged final dividend of 3.15p per
ordinary share for the year ended 30 September 2025, as it remains
mindful of the continued need to invest in the Group’s strategy, marking
20 consecutive years of dividend payments for shareholders.
The final dividend will be paid on 10 April 2026, subject to approval at
the AGM on 3 March 2026, to shareholders on the register at the close
of business on 13 March 2026. The ex-dividend date is 12 March 2026.
Our existing dividend policy will remain unchanged by any share
buy-back programme noted above.
Closing thoughts
In closing, I want to thank everyone who has been part of our journey
this year. To our colleagues: your dedication, creativity and resilience
inspire me every day. To our clients: thank you for your trust and
partnership. And to our shareholders: thank you for your continued
support and belief in our vision.
We do not take any of these relationships for granted. As we move
forward, we will continue to listen, learn and adapt – always with the
goal of creating lasting value for all our stakeholders.
Chris Stone
Non-Executive Chair
11 December 2025
Identity at the core: Strengthening
cyber resilience with end‑to‑end
access governance and expertise
Poorly maintained access control processes are among the leading
causes of cyber breaches and regulatory non-compliance. Up
to 80% of security incidents involve compromised credentials
and insufficient safeguards, giving attackers the keys to infiltrate
networks, steal sensitive data, and disrupt operations. The cost?
Millions in lost revenue, reputational damage, regulatory
penalties, and recovery downtime.
AI and autonomous agents amplify identity risks by increasing
access across systems, making an already complex task even
more challenging. We help our clients manage every aspect
ofIdentity and Access Management (IDAM), ensuring human
and non-human accounts are governed, monitored, secured,
and maintained across the entire lifecycle. With NCC Group’s
expertise and strategic partnerships, you gain resilience,
confidence, and continuity so you can focus on what matters
most: running your business securely.
VIEWPOINT
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 5

CEO’s review
enabled us to scale, win more opportunities and serve clients more
efficiently. We will continue to invest in our people, technology and
strategic partnerships – underpinned by our leading intelligence,
innovation and insight, we remain at the forefront of an evolving
cyberthreat landscape.
Market environment and client needs
As a B2B service provider, demand for many of our services reflects
the macro-economic cycle and the confidence of our clients to invest.
During the year this cycle and the geopolitical environment remained
complex, particularly in the first half. We saw this reflected in cautious
client behaviour, which naturally lengthen sales cycles. Despite these
headwinds, demand for cyber resilience and regulatory assurance
continues to grow, particularly in highly regulated sectors such as
financial services, healthcare and businesses running critical infrastructure.
Our clients are increasingly seeking expert-led, end-to-end solutions
that address the full spectrum of cyber risk – from Identity and Access
Management to Operational Technology security and Managed Detection
and Response. Our differentiated capabilities, global delivery and strategic
alliances with leading technology partners position us strongly to meet
these needs.
Financial performance
As expected, we saw Group revenue for FY25 decline by 2.6% on a
constant currency basis (excluding non-core disposals), with Escode
delivering growth on a constant currency basis of 2.2% and Cyber Security
declining on a constant currency basis by 4.0% when compared to the
previous 12 months. Importantly, as I reflect on all of this, half-to-half
performance was markedly stronger with revenue performance
improving in the second half, a reflection of the positive impact of our
strategic focus and operational discipline together with the strong order
book we indicated in our December 2024 results.
Gross margins (excluding non-core disposals) overall strengthened to
44.5% with Escode margin reaching 71.4% and Cyber Security broadly
flat at 36.6%. Adjusted EBITDA (excluding non-core disposals) was in
line with Board expectations and amounted to £40.6m when compared
to the previous 12 months. Our Balance Sheet remains robust, with net
cash of approximately £13m atyear end, a marked improvement from the
net debt of £79.6m as at31May 2023 and now providing a strong
foundation for future investment and capital returns.
Sales and commercial execution
We continued to strengthen our business in FY25 with management
action focused on strategic change to build the necessary technical
capability in cyber and to strengthen our commercial organisation in
both the Escode and Cyber Security businesses.
Strategic progress and transformation
FY25 has been a year of disciplined execution against the strategy we
originally established back in 2023 to transform and reshape the Group.
We have made significant progress to simply the Group and built our two
distinct businesses – Cyber Security, with Managed Services at the
centre, and Escode, our software escrow service.
We have improved profitability, materially reduced and eliminated net
debt, and repositioned the Group’s portfolio around core, scalable
activities. More timely and granular financial and operational information
has strengthened decision making, however there is more work to do.
A major event this year was the successful sale of our Fox-IT Crypto
business in March 2025 that strengthened our Balance Sheet, providing
us with the financial flexibility to invest in growth, while removing the
management distraction of a non-core business.
In April 2025, the Group confirmed that it was investigating several
options for its Escode business, including a potential sale. The Board
will provide updates as and when it is practicable and appropriate to do so.
If a sale of Escode were to be successfully concluded, the Group
wouldbecome a focused, people-powered, tech-enabled global Cyber
Security business. It would also enable the Board to consider a significant
return of capital to shareholders over and above the recently announced
initial share buy-back programme.
Our investments in new capabilities such as Operational Technology
and Digital Identity have allowed us to win further strategic projects
during the year. Our global operating model, including our expanding
office in Manila with exceptional cyber and operational talent, has
Mike Maddison
Chief Executive Officer
Strategic progress positions the Group
for return to profitable growth
As we reflect on FY25, I want to begin by recognising the continued commitment
and expertise of our colleagues across the globe. The work they do for clients is
extraordinary and they have continued to demonstrate their resilience and adaptability
navigating change and at times an uncertain economic environment. Our purpose
– to create a safer digital future – remains at the heart of everything we do, and
our progress this year is a testament to the strength of our people and the trust
ourclients place in us.
NCC Group plc — Annual report and accounts for the year ended 30 September 20256

In Escode, we:
•
Reorganised our sales structure by industry verticals to deliver
deeper sector expertise and create greater value for customers
infinance, critical infrastructure, and commercial markets
•
Established a dedicated new customer acquisition team focused on ideal
customer profiles within our priority growth sectors in the UK and US
•
Expanded our software verification offering to include fully
independent builds of cloud-hosted solutions, ensuring greater
reliability and trust
•
Broadened our regional presence with an extended market focus
intothe Middle East
In Cyber Security, we:
•
Invested in strategic sales capability
•
Enhanced client propositions with embedded technology
•
Put foundations in place for global account management to deepen
relationships and unlock revenue opportunities
•
Have improved Management Information with our global sales operation
•
Have fully implemented global scheduling, timesheets and pricing tools
•
Have fully separated Fox DetACT and Fox Crypto
These actions are already delivering results, an improved sales pipeline
visibility, deeper client engagement and a positive shift in revenue mix
towards higher value, recurring contracts. We remain focused on further
evolving our sales model to ensure stronger linkage between sales execution
and service delivery, and to drive deeper penetration in our priority sectors
globally: financial services, insurance, healthcare, industrials, and the
public sector.
Operational highlights
•
Transformation: Continued progress in repositioning the Cyber
Security business towards higher value, recurring revenue streams,
supported by a single technology stack and scalable global delivery
•
Strategic partnerships: Recognition from key partners,
including Splunk and Microsoft, underscores our reputation
asatrusted advisor and innovator
•
Talent: Our ability to attract and develop top cyber talent
remainsa competitive advantage, supported by our academy
and trainingprogrammes
•
Escode: The business continues to deliver consistent growth
and profitability, with discussions regarding its future strategic
direction ongoing
•
Public Research: Our leading technical expertise including
Cryptography, Hardware and AI/ML Security was engaged by
leading companies including Meta, Whatsapp and Google, to
review and publish public reports into their emerging technology
Market trends and regulatory landscape
The environment in which NCC Group operates is shaped by a complex
interplay of macro-economic, geopolitical and technological forces.
Regulatory momentum has intensified across all our core territories and
key customer verticals. The EU Cyber Resilience Act, which came into
force in December 2024 and the UK’s AI Cyber Security Code of Practice
will embed secure-by-design requirements up through the software supply
chain, while NIS2, DORA and sector-specific requirements in energy and
transport expand the range of organisations that must evidence robust
cyber controls and incident-reporting disciplines. These developments
are complemented by similar requirements in the US, Australia and
APAC, signalling a global consensus for higher standards.
Demand for strategic advisory and independent validation against
these emerging frameworks is fuelling growth in our consulting and
assurance work across OT environments and heavily regulated industries.
NCC Group’s recognised contribution to the UK government’s AI and CRA
initiatives underpins our reputation as a leading provider of regulatory
advisory and assurance services.
The worldwide shortage in qualified cyber security professionals is
bothwidening and coming more acute. This structural gap is most evident
in highly specialised skills, including advanced testing, Operational
Technology, and Identity and Access Management disciplines. This is
expected to drive outsourcing to third party Cyber Security services.
Clients need around-the-clock expert coverage without inflating their
cost base as a cost of employment and our global delivery hubs meet
this need. Additionally, the strong reputation that we have among cyber
professionals positions us to attract the best talent using our academy/
training ability to further expand and strengthen this talent base.
The combination of hybrid working and using personal devices at
workhas shifted the security perimeter from the edge of the Enterprise
network to the individual user and their devices. Identity and Access
Management and Zero-Trust architectures are consequently commanding
a growing share of security budgets. This is further driven by requirements
to demonstrate granular access controls under NIS2, the EU’s updated
cyber security directive and other critical infrastructure regulations.
Ourdedicated Digital Identity service is supporting clients through
thistransition, covering strategy, implementation and day-to-day
identity operations.
Lastly, the attack surface is expanding and becoming more complex,
with cloud migrations accelerating, SaaS solution proliferation and AI
adoption continuing, as well as early discussions ongoing regarding the
potential implications of quantum computing. Each new platform expands
the potential for malicious attacks and reinforces the need for security to be
embedded earlier into development pipelines. Demand is therefore rising
for secure-by-design assessments, supply chain software assurance and
Managed Extended Detection and Response (MXDR) coverage that spans
traditional IT, cloud and OT environments. The breadth of clients we serve
across industries, geographies and IT and OT environments has allowed
us to build unique IP to help clients secure this expanding attack surface.
Outlook
Looking ahead, we remain confident in our strategy and the medium-
term growth prospects for both businesses. While we expect the
current challenging economic conditions to endure in the near term,
our pipeline is building, and we anticipate a return to Cyber Security
revenue growth in FY26 as our continued transformation delivers
further benefits to both our competitive positioning and stakeholders.
On 28 April 2025, the Board confirmed that it was investigating a
number of options for its Escode business including a potential sale
(Escode review). We currently remain in that process and we will
provide a further update in due course.
Further to a subsequent announcement on 16 July 2025, the Board
confirms that the Group remains in the early stages of a review of all
strategic options for its Cyber business should the Escode business
besold, this includes a range of potential outcomes including potential
offers for the entire issued and to be issued share capital of the Company,
and that no decision has been made regarding which options will be
pursued. Our focus remains on operational excellence, innovation and
supporting existing and new clients as they navigate an increasingly
complex digital threat landscape.
In closing, I would like to thank our colleagues, clients and partners for
their continued trust and support. Together, we are building a stronger,
more resilient NCC Group, well positioned for sustainable growth and
long-term success.
Mike Maddison
Chief Executive Officer
11 December 2025
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 7

Our business model
Inputs
Transforming for global growth
For decades, we’ve developed thousands of cyber experts and explored emerging
technologies. Now, as a global, client‑focused business, we continue to evolve, delivering
groundbreaking projects for leading companies and governments. Our collective expertise
sits at the forefront of cyber resilience, shaping a more secure digital future.
Read more on market outlook on pages 10 and 11
Sustainable growth strategy
In a fast-moving and complex environment, our
strategy puts clients’ needs first, with a roadmap of
investments designed to develop future capabilities
and a global delivery model to provide clients with
thebest solution.
People‑powered, tech‑enabled
We are a diverse global community of talented and
creative individuals, working together and united by
the same goal – to create a more secure digital future.
Culture of innovation
With our roots stretching back to the 1990s we
haveatrack record of being at the cutting edge of
innovation. NCC Group was created in 1999 when
the National Computing Centre sold its commercial
divisions to its existing management; from there we
continued to grow through acquisitions. And while
history is important, so is the future, with innovation,
insights and intelligence the drivers of differentiation
and woven into the DNA of who we are.
Stronger partner relationships
We are active members of the global cyber
community, working in collaboration and in
partnership with key industry players. Many
successful global partnerships have delivered
integrated, seamless solutions to clients.
Market‑leading reputation
We’re recognised by leading analysts for excelling
inour understanding of CISO needs, building strong
partnerships with clients and being called to solve
complex problems.
For more information visit our
Cyber Security website: nccgroup.com
For more information visit our
Escode website: escode.com
Read more on our strategy on pages 12 and 13
Cyber Security
As a leading global Cyber Security services
company we are trusted to protect what
matters most – the cars we drive, the energy
in our homes, and the phones in our pockets,
and critical infrastructures worldwide.
With roots in deep offensive security and defence and a heritage built
on research and threat intelligence, we deliver full-spectrum cyber
resilience to governments and businesses.
From tracking threat actors and uncovering vulnerabilities to
responding to ransomware, we don’t just defend, we are actively
building a more secure digital future. Through our end-to-end cyber
capabilities, we empower organisations to counter threats, manage
disruption and navigate regulations with confidence.
Escode
We provide specialist escrow and
verification solutions for business‑critical IP,
technology and software applications.
Our services help companies and government organisations manage
supplier risk, sustain business continuity and give confidence that
essential third party software can be accessed and redeployed when
required. Our cloud services bring clarity to application management,
making the transition to the cloud straightforward and controlled.
Two distinct businesses
NCC Group plc — Annual report and accounts for the year ended 30 September 20258

Value creation
Colleagues
Our people are leading the industry with innovative
solutions protecting clients and society from growing
cyber threats. As a people-powered, tech-enabled
organisation, our talent strategy builds future-ready skills,
strengthens leadership and fosters an inclusive culture
ofhigh performance, aligned with our business goals.
We’re committed to helping every colleague thrive –
through inclusive practices, targeted development and
a focus on colleague experience – driving commercial
success through empowered, engaged teams.
Read more on our sustainability strategy:
nccgroupplc.com/sustainability
Clients
Our cyber security and software escrow solutions
enable clients to confidently innovate and embrace
new technologies, and build responsible, sustainable
and resilient organisations that thrive and succeed.
Our network
We’re the collaborators, the co-ordinators, the
conveners, and you will find us bringing together our
global community to drive our industry forward and
create a more secure digital future. We invest 1,100days
of research each year and engage proactively to
ensure our insights and vision deliver the best societal
outcomes, bringing partners together in support
ofour clients as well as policymakers and regulators
to help shape future cyber policy.
Shareholders
We have a dedicated Investor Relations programme
providing shareholders and financial analysts with
regular updates on our performance. Engagement
activities include results presentations, roadshows
with the CEO and CFO, Capital Markets events, site
visits, RNS and email updates.
Read more on stakeholder engagement
onpages14and 15
Two distinct businesses
INSIGHT INTELLIGENCE INNOVATION
Establish
legal right
Knowledge
transfer
Deposit
Manage
Scenario
test
Secure
storage
Release
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 9

Intensifying regulatory
momentumversus a worldwide
shortage of qualified talent
Market outlook
The environment in which NCC Group operates is shaped by a complex
interplay of macro-economic, geopolitical and technological forces.
Weremain confident our transformation strategy will deliver growth
underpinned by the range of services, geographic coverage, and
breadth and depth of offering. Cautious client behaviour and the
lengthening sales and onboarding cycles reported in December 2024
have impacted our first half results. This is also against a backdrop of
macro-economic uncertainty, IT and security budgets being under
scrutiny and competitive pricing.
We continue to see cyber resilience elevated as a core business risk
agenda item to the C-suite as opposed to a purely IT consideration.
Cyber continues to be elevated as a core business risk for boards, as
opposed to just an IT consideration. This pivot is most evident in highly
regulated verticals – financial services, healthcare, government and
critical infrastructure – where regulatory scrutiny and heightened director
liability is driving materially larger, multi-year security programmes.
Within Operational Technology (OT) in particular, full risk reviews and
resilience roadmaps are being commissioned as the potential business
interruption cost of an OT outage becomes clearer. Our global delivery
model ensures that these international operators can obtain expert support
around the clock, irrespective of time zone or geography. Strategically,
our global delivery engine is a differentiated and scalable service that
enables us to be competitive.
Ransomware remains widespread and we have seen a marked uplift
inAI-enabled phishing and double extortion campaigns, including the
more recent high profile retail sector cases in the UK. This evolving
threat landscape is leading organisations to favour Managed (Extended)
Detection and Response (MDR/MXDR) solutions that provide continuous
monitoring across endpoint, cloud, identity and OT telemetry. In addition,
businesses are requesting OT-specific MDR to counter the increase
inattacks against industrial control environments.
NCC Group named ‘Strong Performer’ in the 2025
Forrester assessment of European MDR providers:
tinyurl.com/5n8rc9uc
Regulatory momentum intensified across all our core territories and key
customer verticals. The EU Cyber Resilience Act and UK’s software and
AI security Codes of Practice will drive secure-by-design requirements
up the supply chain, while NIS2, DORA and sector-specific mandates
in energy and transport expand the range of organisations that must
evidence robust cyber controls and incident-reporting disciplines.
These developments are complemented by comparable moves in
theUS and APAC, signalling a global consensus for higherstandards.
Read our leading Global Cyber Policy Radar:
tinyurl.com/522my5vc
Demand for strategic advisory and independent validation against
these emerging frameworks is fuelling growth in our consulting and
assurance work across OT environments and heavily regulated industries.
NCC Group’s recognised contribution to the UK government’s cyber
resilience initiatives underpins our reputation as aleading provider
ofregulatory advisory and assurance services.
The UK Government’s Industrial Strategy
callsoutNCC Group as a company
exportingworld‑leading cyber solutions:
tinyurl.com/yefadasr
The worldwide shortfall in qualified cyber security professionals
continues to become more acute. This structural gap is most evident in
highly specialised skills, including advanced testing, OT and Identity and
Access Management disciplines. This is expected to drive outsourcing
tothird party Cyber Security services. Clients are relying on our global
delivery hubs to ensure around-the-clock expert coverage without inflating
their cost base as a cost of employment. Additionally, the strong reputation
that we have among cyber professionals positions us to attract talent
more easily than our competitors, with our academy/training ability
allowing us to further expand and strengthen this talent base.
Hybrid working and personal device policies have shifted the security
perimeter from the edge of the Enterprise network to the user and their
devices. Identity and Access Management and Zero-Trust architectures
are consequently commanding a growing share of security budgets.
This is further driven by requirements to demonstrate granular access
controls under NIS2 and other critical infrastructure regulations.
Ourdedicated Digital Identity service is supporting clients through
thistransition, covering strategy, implementation and day-to-day
identity operations.
Global market trends, threats and opportunities
NCC Group plc — Annual report and accounts for the year ended 30 September 202510

OT/IT Cyber Safety Webinar series
Between December 2024 and February 2025, NCC Group’s OT/IT
Cyber Safety Webinar series explored the critical intersection of IT
and OT cyber security convergence and the safety considerations
in industrial environments, addressing the unique challenges and
opportunities that arise when legacy operational technologies
meet modern digital systems amid rising cyber threats.
Watch our YouTube video serieshere:
tinyurl.com/4c6s96tm
Lastly, the attack surface is expanding, with cloud migrations accelerating,
SaaS proliferation and AI adoption continuing, and early discussions
ongoing regarding the implications of quantum computing. Each new
platform expands the potential for malicious attacks and reinforces the
need for security to be embedded earlier into development pipelines.
Demand is therefore rising for secure-by-design assessments, supply
chain software assurance and MXDR coverage that spans traditional
IT,cloud and OT environments. The breadth of clients we serve across
industries, geographies and IT and OT environments has allowed us to
build unique IP to help clients secure this expanding attack surface.
Global market trends, threats and opportunities
NCC Group’s
1000+
respondent survey reveals the
critical issues driving supply
chain security in 2025
45%
experienced a cyber security
breach in the prior 12 months
68%
of organisations expect the
severity and scale of supply
chain attacks to escalate further
59%
were concerned about visibility
over their supply chain
Read more: www.nccgroup.com/the-state-of-supply-chain-security
Key
2018 2019 2020 2021 2022 2023 2024 2025
2017
WannaCry
NotPetya
Political recognition of market failure
in Cyber Security
Period of heightened legislative and regulatory
activity to “make up for lost ground”
Commencement of
enforcement actions
Inflection point: the future trajectory
is yet to be set in stone
Legislative intervention
Scattered
Spider
Synnovis
EU NIS
EU GDPR
Australia
Security
of Critical
Infrastructure
Act
Singapore
Cybersecurity
Act
EU
Cybersecurity
Act
UK Product
Security
and Telecoms
Infrastructure
Act
US sector
regulations
UK
Telecoms
Security
Act
EU NIS2
EU Cyber
Resilience
Act
Australia
Cybersecurity
Act
UK Cyber
Security and
Resilience
Bill
Regulatory
settlement or
equilibrium as
cyber rules reach
saturation, and
increased mandated
baseline forms part
of “cyber toolbox”
in 21st century
Continued increase of
volume of cyber rules and
regulations, e.g. ransomware
payment bans, mandating
Cyber Essentials, etc.
Reduction in regulatory
requirements in the name
of growth, competitiveness
and innovation
© 2025 NCC Group. All rights reserved. Please see www.nccgroup.com for further details. No reproduction is permitted in whole or part without written permission of NCC Group. This content is for general purposes only and
should not be used as a substitute for consultation with professional advisers.
The NCC Group Cyber Security regulations maturity curve
©
2025 NCC Group. All rights reserved. Please see www.nccgroup.com for further details. No reproduction is
permitted in whole or part without written permission of NCC Group. Thiscontent is for general purposes only
and should not be used as a substitute for consultation with professional advisers.
Key
2018 2019 2020 2021 2022 2023 2024 2025
2017
WannaCry
NotPetya
Political recognition of market failure
in Cyber Security
Period of heightened legislative and regulatory
activity to “make up for lost ground”
Commencement of
enforcement actions
Inflection point: the future trajectory
is yet to be set in stone
Legislative intervention
Scattered
Spider
Synnovis
EU NIS
EU GDPR
Australia
Security
of Critical
Infrastructure
Act
Singapore
Cybersecurity
Act
EU
Cybersecurity
Act
UK Product
Security
and Telecoms
Infrastructure
Act
US sector
regulations
UK
Telecoms
Security
Act
EU NIS2
EU Cyber
Resilience
Act
Australia
Cybersecurity
Act
UK Cyber
Security and
Resilience
Bill
Regulatory
settlement or
equilibrium as
cyber rules reach
saturation, and
increased mandated
baseline forms part
of “cyber toolbox”
in 21st century
Continued increase of
volume of cyber rules and
regulations, e.g. ransomware
payment bans, mandating
Cyber Essentials, etc.
Reduction in regulatory
requirements in the name
of growth, competitiveness
and innovation
© 2025 NCC Group. All rights reserved. Please see www.nccgroup.com for further details. No reproduction is permitted in whole or part without written permission of NCC Group. This content is for general purposes only and
should not be used as a substitute for consultation with professional advisers.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 11

A range of services and geographies
and breadth of offering
Our strategy
Strategic priority Progress in FY25 Future outlook
Link to risks:
Read more on our risks on pages29 to 37
Our clients
Deeper client engagement on the most
pressing Cyber Security and software
escrow needs
•
Appointed a CCO to align the global go-to-market strategy with
overall business objectives
•
Hired new Market Leads to drive and implement regional strategies
•
Redefined the global markets organisational structure to support
growth and enhance sales performance
•
Streamlined internal processes to sharpen focus on clients and
execution of the go-to-market strategy
•
Drive deeper penetration in financial services, insurance, healthcare, industrials
andpublic sector globally
•
If the potential sale of Escode does not occur, we will continue scaling Escode with
afocus on critical infrastructure and regulated sectors
•
Evolve Cyber Security sales model to ensure stronger linkage between sales
execution andservicedelivery
A
Strategy
B
Cyber and information security
D
People and partners
E
Market and competition
F
Brand and reputation
G
Quality and delivery
H
Legal, regulatory compliance and governance
Our proposition
Offering a broader service
portfolioaddressing the full
CyberSecurity lifecycle
•
Strengthened our Managed Services business by expanding client
adoption of our MXDR platform and adding enhanced detection
andresponse capabilities
•
Built momentum in Digital Identity and Operational Technology
practices, winning new client mandates
•
Continued to leverage technology partnerships to extend our
propositions and global reach
•
Drove margin improvement within Technical Assurance, particularly
in North America, through delivery model optimisation
•
Accelerate Managed Services growth and further differentiate our MXDR proposition
•
Continue scaling Digital Identity and Operational Technology practices into
coremarkets
•
Build repeatable propositions and intellectual property across Consulting
andImplementation to improve delivery efficiency and client impact
A
Strategy
B
Cyber and information security
C
Innovation and product development
D
People and partners
E
Market and competition
F
Brand and reputation
G
Quality and delivery
H
Legal, regulatory compliance and governance
Global delivery
Transitioning from an international
toafully global business
•
Rolled out global scheduling tool (Kantata) across all key regions,
improving resource visibility and planning
•
Manila office scaled significantly, now an established hub for delivery
and enabling functions
•
Introduced new ways of working within global delivery to improve
efficiency and management information (MI) for decision making
•
Continue embedding global delivery model to enhance utilisation and efficiency
•
Leverage shared service hubs for scalable and cost effective delivery
•
Develop global KPIs and dashboards to drive consistent performance management
across regions
A
Strategy
B
Cyber and information security
D
People and partners
G
Quality and delivery
Brands
Creating distinct and relevant
brandsfor our Cyber Security
andEscode businesses
•
Launched a distinct brand refresh for NCC Group Cyber Security
business while establishing and embedding Escode
•
Celebrated 25 years of cutting-edge research and delivered
market-leading thought leadership such as our monthly Threat
Intelligence series and global Cyber Policy Radar
•
Recognised by leading industry analysts such as Forrester, Gartner
and IDC citing our ability to solve complex security challenges with
trusted CISO partnerships
•
Build on increasing media share of voice (SoV) and continue to grow thought
leadership, research activity and industry engagement in cyber
•
Become the go-to Cyber Security and business resilience advisor to C-suite
andboards
A
Strategy
C
Innovation and product development
E
Market and competition
F
Brand and reputation
G
Quality and delivery
FY25 financial framework goals
View our financial results:
www.nccgroupplc.com/
investor‑relations/
results‑media
Sustainable revenue growth Improved gross margin Efficiency for growth Capital deployment supporting growth
•
Deliver underlying growth in Cyber Security
•
Increase Managed Services revenue as a proportion
oftotalCyberSecurity
•
Maintain momentum in Escode
•
Maintain utilisation %
•
Smart pricing and margin
investment decision making
•
Globalise technical
resourcefootprint
•
Simplify operating model to
generate efficiencies
•
Drive towards consistent profit
conversion in every market
•
Eliminate stranded costs resulting
from non-core disposals
•
Strong cash conversion
•
Ensure appropriate liquidity
anddebt facilities
•
Maintain dividend
•
Accretive acquisition opportunities
NCC Group plc — Annual report and accounts for the year ended 30 September 202512

Strategic priority Progress in FY25 Future outlook
Link to risks:
Read more on our risks on pages29 to 37
Our clients
Deeper client engagement on the most
pressing Cyber Security and software
escrow needs
•
Appointed a CCO to align the global go-to-market strategy with
overall business objectives
•
Hired new Market Leads to drive and implement regional strategies
•
Redefined the global markets organisational structure to support
growth and enhance sales performance
•
Streamlined internal processes to sharpen focus on clients and
execution of the go-to-market strategy
•
Drive deeper penetration in financial services, insurance, healthcare, industrials
andpublic sector globally
•
If the potential sale of Escode does not occur, we will continue scaling Escode with
afocus on critical infrastructure and regulated sectors
•
Evolve Cyber Security sales model to ensure stronger linkage between sales
execution andservicedelivery
A
Strategy
B
Cyber and information security
D
People and partners
E
Market and competition
F
Brand and reputation
G
Quality and delivery
H
Legal, regulatory compliance and governance
Our proposition
Offering a broader service
portfolioaddressing the full
CyberSecurity lifecycle
•
Strengthened our Managed Services business by expanding client
adoption of our MXDR platform and adding enhanced detection
andresponse capabilities
•
Built momentum in Digital Identity and Operational Technology
practices, winning new client mandates
•
Continued to leverage technology partnerships to extend our
propositions and global reach
•
Drove margin improvement within Technical Assurance, particularly
in North America, through delivery model optimisation
•
Accelerate Managed Services growth and further differentiate our MXDR proposition
•
Continue scaling Digital Identity and Operational Technology practices into
coremarkets
•
Build repeatable propositions and intellectual property across Consulting
andImplementation to improve delivery efficiency and client impact
A
Strategy
B
Cyber and information security
C
Innovation and product development
D
People and partners
E
Market and competition
F
Brand and reputation
G
Quality and delivery
H
Legal, regulatory compliance and governance
Global delivery
Transitioning from an international
toafully global business
•
Rolled out global scheduling tool (Kantata) across all key regions,
improving resource visibility and planning
•
Manila office scaled significantly, now an established hub for delivery
and enabling functions
•
Introduced new ways of working within global delivery to improve
efficiency and management information (MI) for decision making
•
Continue embedding global delivery model to enhance utilisation and efficiency
•
Leverage shared service hubs for scalable and cost effective delivery
•
Develop global KPIs and dashboards to drive consistent performance management
across regions
A
Strategy
B
Cyber and information security
D
People and partners
G
Quality and delivery
Brands
Creating distinct and relevant
brandsfor our Cyber Security
andEscode businesses
•
Launched a distinct brand refresh for NCC Group Cyber Security
business while establishing and embedding Escode
•
Celebrated 25 years of cutting-edge research and delivered
market-leading thought leadership such as our monthly Threat
Intelligence series and global Cyber Policy Radar
•
Recognised by leading industry analysts such as Forrester, Gartner
and IDC citing our ability to solve complex security challenges with
trusted CISO partnerships
•
Build on increasing media share of voice (SoV) and continue to grow thought
leadership, research activity and industry engagement in cyber
•
Become the go-to Cyber Security and business resilience advisor to C-suite
andboards
A
Strategy
C
Innovation and product development
E
Market and competition
F
Brand and reputation
G
Quality and delivery
FY25 financial framework goals
View our financial results:
www.nccgroupplc.com/
investor‑relations/
results‑media
Sustainable revenue growth Improved gross margin Efficiency for growth Capital deployment supporting growth
•
Deliver underlying growth in Cyber Security
•
Increase Managed Services revenue as a proportion
oftotalCyberSecurity
•
Maintain momentum in Escode
•
Maintain utilisation %
•
Smart pricing and margin
investment decision making
•
Globalise technical
resourcefootprint
•
Simplify operating model to
generate efficiencies
•
Drive towards consistent profit
conversion in every market
•
Eliminate stranded costs resulting
from non-core disposals
•
Strong cash conversion
•
Ensure appropriate liquidity
anddebt facilities
•
Maintain dividend
•
Accretive acquisition opportunities
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 13

Stakeholder engagement
Colleagues
We are a people-powered, tech-enabled business. Our colleagues worldwide all play a vital role in creating a more secure digital future.
Theirexpertise, commitment and innovation drive our success.
The opportunity
We’re committed to creating an environment where every colleague
can thrive and contribute meaningfully. This means:
•
Every colleague understands their impact and is connected
toourcommercial success
•
Managers invest time in their people, offering tailored support,
coaching and feedback to further unlock potential
•
Colleagues have resources and opportunities to succeed
andgrow
•
Expectations are clear and fair, supported by structured
performance management
How we listen and engage
Strong engagement underpins our inclusive, high performance
culture. Listening and acting on feedback is central to how
weoperate.
•
We enable regular, structured dialogue at all levels, from team
huddles to globaltownhalls
•
Managers play a pivotal role in engagement, dedicating time to
understand strengths, support growth and drive performance
•
Internal news platforms and collaboration tools keep colleagues
informed, connected and able to contribute in real time
•
We gather feedback through pulse surveys, listening sessions
andfeedback loops to shape policies and programmes
Highlights in 2024/25
•
Made people operations seamless: Unified global processes
and automated over 220 workflows to make it easier and faster
forcolleagues to get support
•
Accelerated leadership growth: Equipped senior and people
leaders with targeted development to boost performance and
leadership maturity
•
Built talent foundations: Rolled out consistent job levels
withenhanced clarity around expectations for each level of role,
and designed new frameworks to support internal mobility
Clients
Rooted in our sector knowledge, we develop solutions tailored to the unique needs of our clients. Bringing our in-depth understanding of the
threat and regulatory landscape, we assist our clients in addressing their complex cyber security challenges.
The opportunity
•
Shift the transactional business to a subscription model, enabling
sales teams to prioritise long-term client value and deeper
engagement over short-term outcomes
•
Refresh the go-to-market portfolio to better meet customer needs,
enhance solution relevance and drive stronger business impact
•
Leverage our expertise in AI and language models to support
customers in their integration journeys
•
Utilise our world-class Managed Services capabilities to enhance
customers’ visibility and control over their assets and data
How we listen and engage
•
Through an integrated account management strategy and
value-driven quarterly business reviews
•
Client satisfaction surveys and a formal global process are used
tocapture client feedback, ensuring a closed-loop response
Highlights in 2024/25
•
Established a new global and regional leadership team to drive
effective strategy implementation
•
Launched new Cyber Security business branding, strengthening
market recognition and reinforcing our position as a trusted
partner in Cyber Security
•
Introduced new Managed Services branding (iMXDR) and
refreshed proposition, with an updated go-to-market strategy
thatdifferentiates us in the market
•
Reviewed and redesigned data, processes and tools to improve
internal insight, streamline operations and enable faster
mobilisation at enhanced margins
Investing in stakeholder
engagement
We have a responsibility to listen to our stakeholders,
understand their priorities and apply insights and learning
toguide how we make important decisions.
NCC Group plc — Annual report and accounts for the year ended 30 September 202514

Link to strategy:
Our clients Our proposition Global delivery Differentiated brands
Suppliers
Network
We engage with many different suppliers across our global business and value the critical role our supply chain plays in supporting responsible
business operations. Our procurement operations are maturing in line with industry best practice and we proactively work withan optimised
supply chain network to drive competitive advantage through accessing innovation, delivering commercial value and managing risk.
The opportunity
•
Long-term trusted partnerships, facilitating sustainable operating
cost reduction and cost of sale margin improvement
•
Fit for purpose contracts and payment terms, ensuring a safe,
compliant and responsible supply chain with suppliers delivering to
required service levels and protecting NCC Group from long-term
commercial inflation
How we listen and engage
•
Regular joint business reviews held with key suppliers to mutually
understand strategy and future forecasting
•
Supplier due diligence completed at onboarding
Highlights in 2024/25
•
Implemented Workday Strategic Sourcing to centralise
investmentrequests
•
Introduced Investment Control Board (ICB) weekly review to
understand and challenge investment requests to ensure either
enabling revenue or reducing cost
•
New global procurement strategy launched to enable revenue,
control costs and manage risk
•
Launch of new travel supplier to improve colleague experience
and safety, reduce costs and accommodate diverse requirements
•
Investment in a transactional team based in Manila to develop
intoPurchase to Pay (P2P) specialists, collaborating with finance
to drive supplier payments on time and improve the supplier
experience, releasing working capital down the supply chain
Our expertise plays a pivotal role in shaping evidence-based policy decisions and convening the cyber community. We proactively engage,
contribute to public-private partnerships and harness our experience and insights to contribute meaningfully towards a more secure digital society.
The opportunity
•
Building on our technology heritage and our role as a trusted
advisor to governments and regulators we provide independent,
technical expertise toimprove cyber resilience policies
•
By understanding and shaping new and emerging regulations and
policy proposalswe can develop the right solutions to prepare for
our clients’ future needsand requirements
How we listen and engage
•
Building alliances with global think tanks and foundations, public-
private partnerships, trade associations and campaign groups to
pool resources, amplifyour messages and maximise impact
•
Strategic relationships with national technical authorities, and
support for government initiatives across all our regions through
direct engagement
•
Representation on senior government and parliamentary
advisorypanels
Highlights in 2024/25
•
Cited in the UK government’s Industrial Strategy for cyber industry
growth and chosen for cyber resilience at the 2025 NATO Summit
•
Recognised as a key convener of the UK cyber community through
collaboration with the National Cyber Security Centre and
contributing to Project Melissa – a leading public-private partnership
in the Netherlands to combat ransomware threats in Europe
•
Published the Global Cyber Policy Radar Report, providing
insights on global cyberregulations
•
Influenced global cyber policy by speaking at top conferences
andbriefing EU leaders and providing evidence to UK parliament
on public-private partnerships
Shareholders
We are committed to engaging with our shareholders, creating an opportunity to understand our business, the market, how we are responding
and the opportunity to deliver sustainable growth.
The opportunity
•
Financial performance
•
Dividend
•
Responsible long-term sustainable strategy
•
Sound corporate governance and stewardship
How we listen and engage
•
Strategic and financial updates issued via RNS Reach and
RNSrespectively
•
Regular meetings with investor relations, management and
Boardmembers
•
Investor roadshows after the full and half-year results
•
Open-door policy with investors and analysts (taking into account
“offer period” restrictions and protocols)
•
AGM
Highlights in 2024/25
•
Hosted a live in-person Capital Market event to help investors
andfinancial analysts understand what happens in a cyber attack
and how to respond
•
Completed the disposal of Fox Crypto B.V. for total gross
consideration of£65.6m to CRGroup Nordic AB
•
Marked 20 consecutive years of dividend payments for shareholders
•
Announced a share buy-back programme
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 15

P
e
o
p
l
e
l
e
d
,
t
e
c
h
n
o
l
o
g
y
e
n
a
b
l
e
d
A
c
t
i
o
n
o
n
c
l
i
m
a
t
e
A resilient future
We strive for a resilient future through
sustainable business practices, and take
responsibility for identifying and managing
theimpact we have on people and the planet.
Sustainability
Responsible
business priorities
Strong governance and
ethicalstandards
Leading cyber resilience and
dataprotection standards
Stakeholder collaboration
Responsible employer and
supply chain partner
Optimise talent
Enhance
colleague
experience
Build an
inclusive
culture
Develop
sustainable
solutions
Decarbonise
energy use
Support the net
zero transition
Our sustainability strategy
People-led, technology-enabled
We can only lead with our purpose through
ourgreatest asset, the exceptional people
weemploy. They are at the forefront of our
industry, developing solutions that protect
ourclients and society from the growing
threatof cyber crime.
Responsible business
Our desire to improve the world we live in
isencapsulated in our purpose. Embedding
responsible business into our everyday
activities is central to achieving this aim.
Action on climate
Taking urgent action to combat climate
changeand its impacts supports our purpose.
Decarbonising our business and embedding
climate considerations into our commercial
offering are crucial elements in our support
forthe net zero transition.
Read our Sustainability Report:
nccgroupplc.com/sustainability
NCC Group plc — Annual report and accounts for the year ended 30 September 202516

2024/25 highlights
•
Enhanced our colleague benefits, including the launch of an
improved Employee Assistance Programme in Europe.
•
Published our draft Carbon Reduction Plan and launched our
verifiedCarbon Literacy Training programme.
•
Successful migration of Fox-IT onto the NCC Group certification
forISO9001:2015 and ISO27001:2022, resulting in a reduction
ofoverall costs and consistent ways of working.
Why sustainability matters
Sustainability is about doing the right thing in the right way, and this is
reflected in our Code of Ethics and embedded into our everyday ways
of working. It’s important to our clients, who trust us to help secure their
digital assets; it’s important to our colleagues, who are critical to the value
we bring to our clients; and it’s important to our shareholders, who entrust
their investments to NCC Group, relying on us to deliver returns to their
shareholders. It also matters to our political stakeholders who turn to
usfor trusted and independent advice and insights that improve cyber
rules and regulations around the world.
We live in a rapidly evolving digital world, where the concept of
sustainability extends to how we operate in totality. Not only are we
supporting our clients to meet their governance requirements through
our cyber security and escrow solutions, we are also helping to
advance technologies that are at the forefront of fighting climate
change, as well as other UN Sustainable Development Goals.
This means systems, networks and infrastructures need to be resilient,
secure and long lasting. Cyber Security and sustainability are inherently
intertwined, which means cyber threats pose a significant risk not only
to individual businesses but to our very way of life too. The decisions
wemake today have far-reaching implications for the future.
Securing our future
As our lives become more digitally interconnected, the risk landscape
broadens. From smart homes to smart cities, from online banking to
telehealth services, from power grids to water supplies – they all rely on
complex digital infrastructures. If these systems are compromised, the
repercussions can be devastating. Hence, securing these infrastructures
is an essential part of ensuring a sustainable future.
Our ability to protect against cyber threats, through the work we do for
our clients, plays a pivotal role in guaranteeing that our world remains
functional, reliable and consistent for generations to come. Indeed, we
believe strongly that we can’t build a resilient economy without resilient
cyberspace, and we can’t have a resilient cyberspace without 21st century
laws and an infrastructure to tackle cyber threats, which is why we
share our expertise with policymakers to improve cyber rules and
regulations meaningfully.
Our sustainability framework
While the primary focus of our industry has always been about security,
we recognise our operations have a broader environmental and societal
impact. Our sustainability framework has two core tenets focused on
people and the planet, underpinned by being a responsible employer
and supply chain partner.
This framework is the foundation to start making tangible progress in
addressing material topics for our stakeholders. We believe that this is
ajourney, not a race. We place sustainability at the heart of our strategy
– not just securing the digital world, but securing the future for ourselves
and for generations to come.
We invite our stakeholders to join us, working together to build a future
that is not only secure but also sustainable.
If we are to meaningfully reduce our
carbon footprint weneed to engage
ourstakeholders in the conversation
Building on our partnership with Positive Planet, and as part
ofdeveloping our Carbon Reduction Plan, we designed and
hadcertified our own Carbon Literacy Training programme. This
certified, one-day programme will enable us to build knowledge
around the business of what the climate crisis is, and what wecan
do individually and collectively to take action to reduce the impact
wehave.
The first cohort of delegates on this course included Lynn Fordham,
our Non-Executive Director responsible for Sustainability; Guy Ellis,
Chief Financial Officer; and Michelle Van de Velde, ChiefPeople
Officer, along with seniormembers of the procurement, communications
and marketing, HR and sales and technical deliveryteams.
Over 400 colleagues have signed up to undertake the course,
andwe have developed our own certified in-house training
capability to do this.
VIEWPOINT
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 17

Non-financial and sustainability
information statement
Sustainability continued
View our Sustainability Report: nccgroupplc.com
The following table provides readers with an index of where to further find relevant non-financial
information within this Annual Report and Accounts, in line with the Financial Reporting Directive
requirements contained in sections 414CA and 414CB of the Companies Act. Where relevant,
additional information is signposted to further support the requirements.
The Group considers that it complies with the disclosure requirements under section 414CB(2A)
of the Companies Act 2006 and has included climate-related financial disclosures that are
partially consistent with the TCFD recommendations.
Reporting topic
Policies and standards
which govern our approach
Annual Report and Accounts
sectionreference Page Website resources
Climate-related
disclosures
•
Environmental policy
•
Sustainability Report
•
TCFD Report
•
Risk Management
•
Stakeholder Engagement
22
29
14
•
Sustainability Report
•
Streamlined Energy and
CarbonReport
Colleagues
•
Whistleblowing policy
•
Code of Ethics
•
Disciplinary Policy
•
Grievance Policy
•
Sustainability Report
•
Stakeholder Engagement
•
Remuneration Committee Report
•
Culture
14
81
19
•
Sustainability Report
Social and
communitymatters
•
Modern Slavery Statement
•
Code of Ethics
•
Supply chain Code of Conduct
•
Giving back policy
•
Matched funding policy
•
Sustainability Report
•
Stakeholder Engagement
14
•
Sustainability Report
Respect for
human rights
•
Modern Slavery Statement
•
Data privacy policy
•
Global equal opportunities
anddiversity policy
•
Sustainability Report
•
Stakeholder Engagement
•
Culture
14
19
•
Sustainability Report
Anti-bribery
andcorruption
•
Anti-bribery and corruption policy
•
Gifts and entertainment policy
•
Sustainability Report
•
Audit Committee Report
71
•
Sustainability Report
For information on our business model please see pages 8 and 9
For full details of the Group’s principal risks see pages 29 to 37
NCC Group plc — Annual report and accounts for the year ended 30 September 202518

Our people
At NCC Group we embrace difference and are connected by our purpose to create a more
secure digital future. Across our global operations we form a phenomenal network, working
together, collaborating and innovating to support our clients.
We are guided by our Code of Ethics and our values, which define our behaviours – treating
everyone and everything with respect. This is the foundation of our culture, and we strive to
create an environment where everyone is welcome, feels safe and can be successful.
Progress in 2024/25
•
Continued investment in leadership and management
development with leadership development rolled out
acrossthe organisation, and additional manager-focused
development sessions
•
Enhanced our colleague benefits, including the launch of
animproved Employee Assistance Programme in Europe
•
Enhanced focus on actions resulting from colleague
engagement survey feedback
A global team
As of 30 September 2025, we have 2,073 colleagues (including
contractors) across the world supporting our clients, made of three
core groups – Sales, Delivery and Enabling Functions. Circa 98%
ofcolleagues are permanent and the remainder are contractors to
provide support on projects.
People-powered, technology-enabled
We want everyone here to feel safe – psychologically, emotionally and
physically – so they can be themselves, share their experiences and
have equal opportunities to succeed. Our team reflects the diversity of
the world around us, and this is how we live our values: working together
and being brilliant.
Our approach to diversity, equity and inclusion (DE&I)
We acknowledge our opportunities to contribute to diversity in the
technology sector, with inclusion and diversity principles incorporated
into our hiring and talent management processes. To further support
DE&I, we’ve formed partnerships with external organisations such as
Disability Confident and the Business Disability Forum in the UK to
increase accessibility, not only for our current colleagues, but also a
broader candidate pool.
Unconscious bias training is included as part of our Global Onboarding
programme via a specific session entitled “Working Across Cultures”.
Furthermore, through our Manager Skills Boost sessions we reiterate
the importance of awareness of unconscious bias in support of
diversity, equity and inclusion. All colleagues complete the ethics
module as part of our mandatory annual compliance training, which
includes dignity and respect at work. We continue to support our core
colleague resource groups (gender, LGBTQIA+, neurodiversity,
accessibility, and race and ethnicity) to provide input on workplace
practices, engagement, education and representation for
under-represented communities across our global business.
As of 30 September 2025, the Board of Directors comprised four
males and three females. The wider Group employed 554 females,
1,444 males and 94 individuals whose gender was not disclosed.
For the purpose of this disclosure, the Group defines its senior
management as the Executive Committee, which consisted of four
males and three females as of 30 September 2025. These figures
for the Executive Committee include colleagues who also serve as
statutory directors of subsidiary companies, where relevant.
Talent development
Innovation and continuous learning are central to NCC Group’s culture,
supported by investments in skill development and leadership growth,
fostering personal and professional development through structured
programmes and new digital platforms to enhance colleague
capabilities globally.
We combine on-the-job learning, mentoring, self-study and formal
training with personal development plans, supporting colleagues to
gain certifications and advance their careers. In England, we leverage
the Modern Apprenticeship Levy, with 4.3% of our colleague population
undertaking apprenticeship learning – an increase of 60% of eligible
colleagues year on year. FY25 was the first year we partnered with
Co-op Levy Share to donate our excess levy funds, pledging £150k
over the next two to three years. Currently, we’re supporting eight UK
employers and 21 learners, with donations to date totalling £27k.
We continued to invest in our leadership and management populations,
and by June 2025 had delivered Enabling Performance, our Leadership
programme, to 75 leaders and managers across the Group, including
73% of our senior leaders. Throughout FY26/FY27 we plan to upskill
specific leaders and people team colleagues to enable us to roll out this
programme across the remainder of the senior leaders and our middle
manager population.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 19
Strategic report

Talent development continued
In October 2024, we launched our Skills Boost series, available to all
leaders and managers globally. These 90-minute, virtual sessions focus
on key leadership skill areas, e.g. effective performance management,
leading cross-culturally, and leading through change. Where relevant,
we replicated models from Enabling Performance, e.g. clean talk for
difficult conversations and the GROW model for coaching. In FY25,
wedelivered 66 sessions across six key skill areas, with 943 individual
attendances, and circa 40% ofleaders and managers regularly attending
sessions. Across all sessions, feedback is collected via an online form,
including an NPS-specific question: “Would you recommend this session
to your colleagues at NCC Group?” All sessions secured an “excellent”
(+70–100) NPS score.
In July 2025 we launched our Compass Management Development
programme, leveraging Saville leadership profiling to offer a dedicated
learning pathway focused on self-awareness through a series of virtual
and face-to-face workshops building leadership capability, supplemented
by group coaching and mentoring to enable colleagues to embed their
learning into their day-to-day roles. Workshops are delivered in concentrated
cohorts of 12–15 delegates to facilitate a semi-personalised programme
and are available to colleagues in people manager roles with less than
two years’ experience. Following the launch in the final quarter of FY25
we engaged 25 attendees across two cohorts.
We launched our first Learning Experience Platform, Spark, in April 2025,
and while it’s still being embedded, 93% of colleagues have engaged
with content on the platform to date.
In FY25 we facilitated a talent review to identify potential successors to the
Executive Committee. The five leaders identified worked with our partner,
Saville Assessment, completing Saville Wave and 360 Leadership Impact
assessments, and creating a talent profile outlining their strengths and
areas for development. They will be supported on their development,
withregular one-to-one meetings with their Executive Committee member
and Talent Development partner to discuss progress. To date, two of the
five leaders have advanced into more senior roles, with one joining the
Executive Committee.
Engagement
We have several mechanisms to measure colleague engagement
(seepage 14), including MyVoice, our biannual engagement survey
using the Viva Glint platform. In our March 2025 survey, 1,489 colleagues
responded, an increase in our engagement score of two points
fromMarch 2024.
In addition to the survey, Senior Non-Executive Director Julie Chakraverty
hosts quarterly Colleague Listening Sessions, ensuring the Board has
adirect link to colleagues and decision making takes into account their
voices. In FY25, over 80 colleagues met with Julie, who in turn reported
feedback to the Board.
Speaking up
Colleagues have a number of opportunities to speak up – sharing
feedback or raising concerns. A global Speak Up framework outlines
channels and resources available for doing this, guidance on who
toengage with on different types of feedback, and how to ensure
confidentiality. A whistleblowing helpline and policy are also available
– the policy is published in multiple languages on our website.
This ensures colleagues are encouraged to speak up, safe from fear
ofreprisals, and with the reassurance that any concerns will be listened
to and acted on appropriately.
Sustainability continued
Enhancing the colleague experience through competitive reward and wellbeing propositions
Each country we operate in has its own prevailing market conditions, and as such we align our benefit and wellbeing propositions locally, while
ensuring they are competitively benchmarked, enabling us to retain and attract the best talent. Our Global Benefits Strategy focuses on four
key pillars aligned with colleague feedback and global best practice:
Continually reviewing our reward offering in each country ensures
weretain and attract the best talent. In FY25, we built on our reward
offering to remain competitive, including:
•
In Canada we changed the pension provider, with lower
management fees, which means greater levels of investment
forcolleagues.
•
In Manila, we launched our Philippines Share Plan to all colleagues
post-probation and expanded our medical offering to dependants,
helping to retain and attract colleagues in a competitive
marketplace.
•
Across Europe, we enhanced our Employee Assistance
Programmes, providing enhanced health and wellbeing
supporttoall.
•
In the UK we rolled out our health cash plan, providing all
colleagueswith financial support to access dental, optical
andmedicaltreatments.
Finance and
protection
We understand the importance of financial
stability benefits to support colleagues
when making choices about their and their
families’ current and future financial status.
Investment
and savings
Our strategy supports colleagues in
planning for the future, enabling them
through different investment options to
strengthen their financial wellbeing.
Health and
wellbeing
We’re committed to fostering a culture
ofwellness by offering preventative
andsupportive resources, programmes
andinitiatives that promote healthy
lifestyles, family-work-life balance,
andstressmanagement.
Lifestyle and
flexibility
We recognise the importance of
maintaining a healthy work-life balance
and offer flexible work arrangements,
paidtime off and family friendly policies.
To find out more about our support of colleagues, please see our sustainability strategy on page 16
NCC Group plc — Annual report and accounts for the year ended 30 September 202520

Action on climate
We’re committed to taking proportionate climate action as a responsible
employer, a trusted supply chain partner, and a business focused on
long-term value creation for all stakeholders.
Progress in 2024/25
•
Published our draft Carbon Reduction Plan
•
Working with Positive Planet, designed and launched NCC
Group’s own certified Carbon Literacy Training programme
and launched annual and onboarding mandatory climate
action training for all colleagues
•
Partnered with Climategames to fund climate action projects
through our wellbeing initiatives
In addition to our support of the net zero transition (read more on our
sustainability strategy at nccgroupplc.com/sustainability), our action on
climate has three pillars, starting with our own operations and extending
to the support we give to clients operating in the energy transition
sector and the contribution we make to their endeavours:
•
Supporting the net zero transition
•
Decarbonising energy use
•
Developing sustainable solutions
The biggest impact occurs in our business travel, both for client and
non-client related travel, and our leased office spaces and is the focus
for our reporting.
Decarbonising energy use
Our total annual Scope 1 and 2 emissions associated with our business
operations were 1,232 tCO
2
e for our full year 2025. See page 28 for
further detail.
We continue to review our leased office space requirements, considering
client and colleague needs. Considerations are given to collaboration,
health and safety, personal wellbeing and the impact emissions have on
the environment. This includes taking into consideration commuting for
colleagues and the accessibility of publictransport networks.
We review office usage monthly as part of the executive team
operations review, which, alongside colleague feedback and
engagement, and consideration of client needs, informs the real
estatestrategy.
On travel, all colleagues are required to book through our travel partner,
Gray Dawes. This provides us with global tracking and improves our
data collection for emissions as well as improving how we respond to
any social or climate-related issues that colleagues may face.
Domestic flights within the UK and European countries are by exception
only, with rail travel the preferred option. As a result, any train journey
more than three hours in duration in total is travelled by first class to
ensure the health, safety and wellbeing of colleagues.
Climategames partnership
During the financial year, we partnered with
Climategames, bringing both wellbeing and
climate action together to engage
colleagues and give back.
We chose to invest in two projects – a sea kelp
forestation initiative off the coast of British
Columbia, and a social enterprise in Asia,
including the Philippines, that prevents plastic
from entering the ocean in the first place.
In the initial launch during the summer of
2025 we funded the equivalent of planting
1,020 trees and removing 16.1kg of plastic
from the ocean.
Financial donations are made in return for
colleagues taking part in physical challenges
– from Group activities to local and team-based
events. This is a great way to engage
colleagues in our climate action activities as
well as facilitating wellbeing conversations.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 21
Strategic report

In alignment with the UK Listing Rules, which mandates climate-related
disclosure for all UK listed companies, we have produced a comprehensive
TCFD Report. Our report covers the four pillars recommended by
TCFD: governance, strategy, risk management and metrics/targets,
and the 11 disclosures recommended by TCFD except as noted below.
To ensure consistency across our report, we adhered to section C
ofthe TCFD Annex, titled “Guidance for All Sectors”.
As a result the following are documented as partially consistent, with
further detail available within this report:
•
Strategy B and C – these disclosures have not been fully met
duetoprioritising drafting our Carbon Reduction Plan, which will use
FY25 as our baseline year to enable reduction targets aligned to
science-based targets.
Our assessments indicate a low risk of exposure to physical and
transitional climate changes, thanks to our business model. However,
we acknowledge the high importance of mitigating greenhouse gas
emissions, which emerged as a priority from stakeholder feedback as
part of our “ongoing assessment” of double materiality in accordance
with European Sustainability Reporting Standards.
In FY25 we appointed a new partner – Positive Planet – to support the
design and publication of our global Carbon Reduction Plan and to
calculate and verify our GHG emissions.
We recognise the considerable opportunities presented by the growing
climate-focused market. Our collaborations with clients in industries
such as electric vehicles, renewable energy, Operational Technology
and other climate-friendly technologies underscore our readiness to
seize these opportunities for sustainable growth.
Task Force on Climate-related
Financial Disclosures (TCFD)
Governance
TCFD recommended disclosure Consistency NCC Group disclosure Focus area of FY26
Governance
A. Describe the Board’s
oversight of climate-
related risk and
opportunities
Consistent
•
The Board’s Head of the Audit Committee is the lead
Non-Executive Director responsible for sustainability.
Monthly updates are provided via the CFO report to
the Board as well as directly from quarterly meetings
with theVP, Investor Relations and Sustainability and
the leadNED, including an update on progress against
theGroup’s goals and targets where appropriate
•
The Board takes overall accountability for
themanagement of climate-related risks and
opportunities and considers them as part of
itsoverall risk reviewprocesses
•
Introduce reporting aligned
tothe Carbon Reduction Plan
targets to reflect, discuss and
ensure actions are being taken
B. Describe the
management’s role in
assessing and managing
climate-related risks
andopportunities
Consistent
•
The VP, Investor Relations and Sustainability reports
to the Chief Financial Officer, providing advice and
updates to the Executive Committee on climate-
related issues as and when relevant
•
An Executive Risk Management (ERM) Committee
meets quarterly and addresses any climate risks as
part of that process where appropriate
•
Roll out Climate Literacy
Training to all ExCom members
and senior leaders during FY26
•
Continue to embed
climateaction into key
businessdecisions
•
Assign accountabilities and
track progress resulting from
the Carbon Reduction Plan
Lynn Fordham, the lead Non-Executive Director for Sustainability, was
appointed by the NCC Group Board Chair. In addition to her position as
the Head of the Audit Committee, Lynn’s role is to oversee the Company’s
sustainability strategy, ensure its integration with the overall business
strategy and provide regular sustainability updates to theBoard.
While there is no specific Board committee for environmental issues,
anExecutive Risk Management (ERM) Committee chaired by the SVP,
Global Governance, Procurement and Estates addresses these issues.
The ERM meets bi-monthly and is attended by our CEO and CFO.
Itdiscusses, among other risks, sustainability and environmental
challenges where relevant, which are then reported to the Board.
The results from our ongoing double-materiality assessment continueto
inform our sustainability framework. With the changes in requirements
for CSRD and the fact our business operations are not in scope for the
foreseeable future, we do not intend to report voluntarily against the
standards. We will continue to review and assess to ensure we can bid
competitively for work within Europe.
The Board is committed to communicating its dedication to addressing
climate change. By way of example Lynn Fordham along with Guy Ellis,
CFO, attended NCC Group’s inaugural Carbon Literacy Training and
received their certification in August 2025. They continue to champion
training and action in their respective roles.
Sustainability continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202522

Strategy
TCFD recommended disclosure Consistency NCC Group disclosure Focus area of FY26
Strategy
A. Describe the climate-related
risks andopportunities the
organisation has identified
over the short, medium
and long term
Consistent
•
See the tables below and on page 24 describing
risks and opportunities, which were selected based
on the location of our existing business and known
climate change risks affecting the broader region
we operate in
•
Monitor actions arising from
theriskregister
B. Describe the impact
ofclimate‑related
risksandopportunities
onthe organisation’s
business strategyand
financial planning
Partially
consistent
•
Climate-related taxes, or fines for non-compliance,
could impact the business if we fail to take action
•
Our ability to raise capital to invest in growth may be
restricted if we fail to make progress on climate-
related action, if this is a requirement of any future
sustainable lending requirements
•
Assess financial implications
ofclimate scenarios in our
financial planning
C. Describe the resilience
ofthe organisation’s
strategy, taking into
consideration different
climate-related scenarios,
including a 2°C or
lowerscenario
Partially
consistent
•
We have conducted an initial quantitative analysis
against two scenarios of 1.5°C and 4°C
•
Develop initial scenario analysis
and integrate into NCC Group’s
strategy development through
implementation of the Carbon
Reduction Plan
Our focus is not limited to risk mitigation but extends to exploring opportunities where we can make a positive impact. This includes improving the
energy efficiency of our operations, collaborating with our landlords and requesting renewable energy sources, and identifying ways our technology
solutions can contribute to our clients’ sustainability efforts. As we continue our climate change journey, we are committed to regularly reporting our
progress against these objectives, showing transparency in our endeavours, and constantly seeking ways to better our efforts.
Climate-related risks
Our comprehensive risk management framework (summarised in the
Risk Management section of the Annual Report on pages 29 to 37) is
instrumental in identifying and assessing climate-related risks. We
categorise these risks into:
•
Short term (less than one year) – based on short-term regulatory
or policy changes impacting climate-related risks and opportunities
as well as existing forecasting processes considered by management
which are reviewed and evaluated on an annual basis
•
Medium term (one to five years) – based on regulatory changes
that may affect climate-related risks and opportunities
•
Long term (more than five years) – based on the likely timeline
ofinternational agreements and commitments, technological trends
and changes to policy or carbon pricing and their impact on our
operations, client services and supply chain
For instance, short-term risks might include immediate regulatory
changes or extreme weather events, while long-term risks could be
major shifts in our industry driven by the transition to a low carbon
economy. Each identified risk is paired with corresponding mitigation
measures, such as implementing energy-efficient technologies or
diversifying our supply chain, aimed to reduce our vulnerability.
It’s critical that we remain flexible in our approach but focused on taking
responsibility for the emissions we generate and seek to reduce what
we can control.
While these risks apply to the Group as a whole, we do recognise that
certain locations face unique challenges. For example, our operations
in coastal areas are more susceptible to rising sea levels and increased
frequency of extreme weather events.
For a more detailed understanding of the climate-related risks and
opportunities we face, please refer to the table below. It provides a
snapshot of the specific challenges we’re addressing and the strategic
responses we have undertaken.
Risk Risk impact
Short/medium/
long term
Regions
impacted Mitigating activities
Physical risks
Extreme weather
(acute)
Causing business disruption and loss of
service delivery if colleagues or clients
are impacted adversely, which would in
turn potentially impactrevenue
Short to medium
term
All but
particularly
Europe
(Rijswijkand
Amsterdam)
•
Business interruption cover
•
Business continuity plans
•
Remote working in place
•
Dutch flood defences in place
Sea level rises
(chronic)
Increased likelihood of flooding in
Delftand Amsterdam offices causing
increased insurance premiums to
mitigate against business interruption
and material loss
Long term Europe
– Rijswijkand
Amsterdam
offices
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 23

Sustainability continued
Risk Risk impact
Short/medium/
long term
Regions
impacted Mitigating activities
Transition risks
Increase in taxes
and levies for
greenhouse gas
emissions
Increased costs to implement control
and monitor/measurement processes
as well as actual cost of taxes
andlevies
Medium term Depends
onlocal
legislation
•
Implement actions identified in our
Carbon Reduction Plan and monitor
Move to net zero Increased costs required to
loweremissions
Long term Global
•
Remote delivery of client services
where possible
•
Green car scheme for UK colleagues
•
Annual calculation of Scope 1 and 2
emissions and a Carbon Reduction
Plan in place
•
Rigorous and transparent budget setting
will identify increasing costs associated
with carbon emissions reduction
Margin risk Impact on results due to extra costs
incurred tolower emissions
Medium term Global
•
Accounting policies regularly reviewed
•
Rigorous and transparent budget setting
will identify increasing costs associated
with carbon emissions reduction
Reputation risk Increased stakeholder concern and
changing client behaviours
Medium term Global
•
Rolling out Carbon Literacy Training to
colleagues, starting with key decision
makers and senior client-facing
colleagues to empower them to
engagein the conversation
•
Ongoing dialogue with investors
•
Participation in reporting frameworks
such asCDP, EcoVadis, FTSE4Good, etc.
•
ESG information publicly available
Supply chain risk Substitution of existing products and
services with lower emission options
Medium to long
term
Global
•
Building climate change reporting
andactivity intosupplier onboarding
•
Business continuity plans
•
Continuing to review our estate
provision and taking steps to move
outof leases where there isno client
orbusiness benefit to being there
•
Implementation of our estates policy,
which incorporates environment
considerations alongside the health,
safety and security ofcolleagues
TCFD continued
Climate-related risks continued
Resource efficiency: By embracing more efficient modes of transport,
promoting recycling, encouraging hybrid working models and operating
within efficient buildings, we can lessen our environmental footprint,
improve colleague satisfaction and reduce operational costs. For instance,
removing unnecessary travel not only reduces our carbon emissions
but also empowers colleagues with more control over their work-life
balance, contributing to improved morale and productivity (anticipated
medium to long-term benefits).
Energy source: Our transition to lower emission energy sources,
underpinned by our electric/hybrid car scheme for all UK colleagues,
demonstrates our commitment to sustainable practices. By giving
colleagues access to green car options, we are mitigating our exposure
to future fossil fuel price fluctuations and regulations. It also addresses
our colleagues’ material concerns, fostering a culture of environmental
responsibility and enhancing overall job satisfaction (medium to
long-term impact).
Market: As industries evolve in response to climate change, we’re
strategically positioned to leverage these transformations. For example,
by partnering with companies transitioning to alternative energy
sources or working on projects involving smart meters, electric
vehicles, IoT technology for waste reduction and cloud data centres,
weanticipate strengthening our market position and enhancing our
reputation as a sustainable and innovative enterprise (short to
medium-term outlook).
Resilience: Our sustainable business model increases our resilience
toclimate-related risks, demonstrating our commitment to being a
responsible and ethical supply chain partner. This commitment to
sustainability not only aligns us with an increasingly eco-aware market
but also empowers us to lead in the space, fostering a culture of innovation
and responsible business practices (short to long-termperspective).
NCC Group plc — Annual report and accounts for the year ended 30 September 202524

Risk type Risk Risk impact Scenario
Short-term risk
(<1 year 2025)
Medium-term risk
(1–5 years 2026 to 2031)
Long-term risk
(>5 years 2031)
Physical
risk
Rising sea
levels
Risk to NCC Group offices
located in high risk areas, as well
as colleagues’ homes and clients’
business premises, resulting in
business disruption
1 Low Low High
2 Low High High
Transition
risk
Increase in
taxes and levies
Disruption and increased
coststoensure compliance
withnew legislation
1 Low Medium High
2 Low Low Low
Margin risk Impact on results due to extra
costs incurred to lower emissions
1 Low Medium High
2 Low Low Low
Reputation risk Increased stakeholder concern
and changing client behaviours
1 Medium High High
2 Low High High
Supply chain risk Substitution of existing
productsand services with
loweremission options
1 Low Medium High
2 Low Low High
Scenario analysis
To understand the risks and opportunities our business faces
considering climate change, we conducted a quantitative scenario
analysis using two distinct scenarios: a “<2°C” scenario (“Scenario 1”),
where global warming is limited to less than 2°C with net zero achieved
by 2050, and a “4°C” scenario (“Scenario 2”), where the goal of net
zero by 2050 is not reached. A summary of the scenarios selected
isprovided in the diagram below.
These scenarios are chosen to reflect the diverse spectrum of
possibilities that could unfold due to different levels of global effort to
curb climate change. In the context of these scenarios, “transition risks”
refer to the challenges associated with the shift towards a lower carbon
economy, while “physical risks” denote the potential damage caused by
climate change itself.
In terms of the risks selected, these were based on physical locations
and the nature of our business in key locations of North America, the
UK, Europe and Asia Pacific. We are in the process of flowing this into
our financial planning and will continue to do so as we mature our
climate action planning and reporting.
Under Scenario 1, we anticipate higher transition risks due to rapid
shifts in regulatory and market conditions, but the physical risks would
be significantly reduced due to the effective global action on climate
change. Conversely, Scenario 2 predicts lower transition risks but
considerably higher physical risks due to the lack of substantial
progress towards climate goals.
We’ve further broken down these risks by timeline, classifying them
asshort term (less than one year), medium term (one to five years)
andlong term (more than five years). The table below offers a
comprehensive overview of NCC Group’s potential exposure to both
transition and physical risks under each scenario.
While our current analysis is qualitative, we are working towards
quantifying these risks and opportunities as we progress towards our
net zero targets and continually improve our data collection across
Scope 1, 2 and 3 emissions. At this point, we don’t foresee a significant
impact on our Financial Statement disclosures based on our materiality
assessment results and known near to mid-term regulatory developments.
However, we will continuously monitor both transition and physical
risks, adjusting our mitigation strategy as necessary.
Financial planning
We recognise the potential implications of climate-related risks and
opportunities on our financial planning. We anticipate shifts in our future
business model and strategy in response to evolving market conditions
due to climate change. We foresee potential changes in client preferences
towards more sustainable products and services, along with possible
disruptions in our supply chain due to extreme weather events. These
factors are thoroughly considered in our business strategy development.
Our business strategy has been designed to be resilient to future
economic and climate-related scenarios. And by running regular
scenarios we can test that resilience and ensure it’s considered in
future business strategy development, enabling us to adapt
accordingly, without disrupting or negatively impacting
currentoperations.
The scenarios are based on industry insights, which are used in the
expert input into our ongoing materiality assessment.
During FY24 we prioritised drafting our Carbon Reduction Plan working
with Positive Planet. We set interim reduction targets based on FY24
GHG emissions, with the final base being set by our FY25 GHG
emissions. Targets are aligned to science-based targets and at this
stage we have chosen not to verify these.
The publication of our Carbon Reduction Plan will enable us to begin
work on integrating climate considerations into our financial planning
process when appropriate. Our aim continues to be to incorporate
climate considerations to influence future investment decisions by the
Group, reducing our carbon footprint, and gradually divesting areas
that carry high climate-related risks.
For now though, we are actively working to improve our operational
efficiency and addressing things we can directly influence to reduce
our impact on the environment and realise cost savings.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 25

Sustainability continued
TCFD continued
Risk management
TCFD recommended disclosure Consistency NCC Group disclosure Focus area of FY26
Risk management
A. Describe the organisation’s processes
for identifying and assessing
climate-related risks
Consistent
•
Climate-related risks are managed through
our Enterprise Risk Management framework
•
Monitor actions arising
from the risk register
B. Describe the organisation’s processes
for managing climate-related risks
Consistent
•
Climate-related risks are documented,
mitigating actions are considered, a risk
rating is assigned and associated actions
are documented and followed up
•
Monitor actions arising
from the risk register
C. Describe how processes for identifying,
assessing and managing climate-related
risks are integrated into the organisation’s
overall riskmanagement
Consistent
•
Climate-related risks are managed through
our Enterprise Risk Management framework
•
Monitor actions arising
from the risk register
How we manage risks
Obtain
assurance
Implement
internal
control
Adapt
ERM
Perform
scenario
analysis
Integrate
into
reporting
Use
existing
tools
Solicit
investor
feedback
Assess
financial
impacts
Collaborate
acrossthe
business
Secure
leadership
buy-in
A
u
d
i
t
C
o
m
m
it
t
e
e
Climate-related risks are managed through our NCC Group Enterprise
Risk Management (ERM) framework. This framework, which is detailed
in the Risk Management section of the Annual Report on page 30, uses
a sophisticated risk model to assess and score each risk based on
likelihood and impact. Risks are re-evaluated consistently to ensure
we’re responsive to evolving circumstances.
Our risk management approach combines “top-down strategic” and
“bottom-up operational” perspectives, fostering collaboration and
promoting efficient risk identification. With respect to climate-related
risks, we have outlined our strategies and targets for GHG emissions
reduction and biodiversity preservation.
These climate-related risks are integrated into our Principal Risks
section (pages 29 to 37). The Executive Risk Management Committee
plays an active role in the ongoing review of these risks and their
mitigations, controls and associated actions. This Committee meets
ona regular basis and follows a stringent process for identifying,
assessing, responding to and escalating serious concerns related
tothese risks.
We firmly believe that this integrated and transparent approach will
ensure effective risk management aligned with the principles of TCFD,
while driving our strategic objectives for sustainability.
Establish
Committee
oversight
R
i
s
k
C
o
m
m
it
t
e
e
NCC Group plc — Annual report and accounts for the year ended 30 September 202526

Metrics and targets
To achieve net zero, we will be aiming to reduce emissions in line with
the latest guidance from the Science Based Targets initiative (SBTi).
Targets are defined as “science based” when they align with the scale
of reductions required to limit global temperature increases to 1.5°C
compared to pre-industrial temperatures. Adopting the SBTi framework
ensures our decarbonisation efforts are aligned with the latest climate
science and global best practices. The SBTi provides a clear, credible
pathway for reducing emissions at a pace and scale consistent with
limiting global warming to1.5°C.
For the time being our targets will be aligned with SBTi guidance,
although we will not be seeking validation at this time.
We anticipate reducing our Scope 1, 2 and 3 emissions by 63% by
2035, which will be validated using FY25 as our base year. We will
alsoconsider setting an intensity-based Scope 3 target depending on
growth targets. An intensity-based target is a commitment to reduce
emissions per economic unit or physical unit.
We are committed to reach net zero by 2045. Please see our Carbon
Reduction Plan for more information www.nccgroupplc.com/sustainability
TCFD recommended disclosure Consistency NCC Group disclosure Focus areas for FY26
Metrics and targets
A. Disclose the metrics used by the
organisation to assess climate-related
risks and opportunities in line with its
strategy andrisk managementprocess
Partially
consistent
•
Reporting of Scope 1, Scope 2 and Scope
3 greenhouse gas emissions for FY25
compared to prioryears while taking into
account improvements inourmethodology
•
Prioritisation and
ownership of Carbon
Reduction Plan actions
B. Disclose Scope 1, Scope 2 and, if
appropriate, Scope 3 greenhouse gas
emissions and the related risks
Partially
consistent
•
Publication of Scope 1 and 2 GHG
emissions for FY25 vs FY24
•
Full Scope 3 emissions relevant to our
businessoperations
•
Review of our data
collection in line with
thenew action areas
identified within the
Carbon Reduction Plan
C. Describe the targets used by the
organisation to manage climate-
related risks and opportunities
andperformance against target
Partially
consistent
•
Draft Carbon Reduction Plan target to
reduce Scope 1 by 63%, Scope 2 by 63%
and Scope 3 by 63% by 2035
•
Publish the final Carbon
Reduction plan using
FY25 GHG emissions
asthe baseline
•
Validate targets with SBTi
The state of supply chain security NCC Group thought
leadership shows 68% of organisations expect supply
chain attacks to grow more severe
Global supply chains are under mounting pressure, suffering a series
of high profile breaches in 2025. As the attack surface and threat
increases, organisations are complacent and over reliant on
compliance frameworks.
NCC Group’s ‘State of supply chain security’ report investigated this
overlooked area of risk and found deeply concerning evidence of
overconfidence, a gap in responsibility and the rising threat posed by
artificial intelligence.
At NCC Group, we help clients tackle these challenges through
expert-led assessments, robust third party risk management, and
tailored strategies that embed security across the supply chain,
ensuring organisations can operate confidently in an increasingly
hostile digital landscape.
The full report is available at:
www.nccgroup.com/the-state-of-
supply-chain-security
VIEWPOINT
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 27

Streamlined Energy and Carbon
Reporting (SECR)
The period under review is from 1 October 2024 to 30 September 2025 and the reporting boundary includes the full Group. Emissions are
calculated in line with the GHG Protocol, as detailed in our SECR report on the Sustainability section of our website. Emissions are reported as CO
2
,
using 100-year Global Warming Potential values. For FY25, NCC Group’s report covers SECR-relevant categories only. Data sources used include
meter readings, supplier invoices, and transport mileage records.
Source
Total GHG tCO
2
e
tCO
2
e
change from
previous year
%
change from
previous year2024 2025
Scope 1
Gas 344.4 109.5 (234.9) (68%)
Company vehicles
Diesel
A
0.8 — N/A N/A
Petrol
A
11.3 — N/A N/A
Diesel/petrol 12.1 349.3
B
337. 2 2,787%
Hybrid — — — —
Fleet fuel – petrol — — — —
Total Scope 1 356.5 458.8 102.3 29%
Scope 2
Electricity
A
1,280.5 — N/A N/A
Company vehicles – electric
A
8.9 — N/A N/A
Purchased electricity 1,289.40 727.30 (5 62.1) (44%)
Heat and steam 40.9 45.9 5 12%
Total Scope 2 1,330.3 773.2 (5 57.1) (42%)
Total Scope 1 and 2 1,686.8 1,232.0 (454.8) (27%)
Scope 3
Business travel
A
1,257.5 — N/A N/A
Transmission and distribution losses
A
82.3 — N/A N/A
Heat and steam transmission and distribution losses
A
2.8 — N/A N/A
Fleet transmission and distribution losses
A
0.8 — N/A N/A
Transpor t 1,343.40 88.7 (1,254.7) (93%)
Commuting
A
225.4 — N/A N/A
Data centre electricity
A
71.7 — N/A N/A
Purchased goods and services
A
5,713.7 — N/A N/A
Total Scope 3 7,354.2 88.7 (7,265.5) (99%)
Total Scope 1, 2 and 3 9,041.0 1,320.7 (7,720.3) (85%)
Underlying energy use
The table below shows the proportion of energy use that occurs in the UK and non-UK countries alongside the total carbon emissions. In FY25,
27% of the Group’s energy consumption and 21% of carbon emissions arose from the UK.
FY25 energy use FY25 carbon emissions
Area kWh
% of global
energy use
Total emissions
tCO
2
e % of global emissions
UK 1,340,628.6 27% 279.1 21%
Non-UK 3,587,490.3 73% 1,041.6 79%
Global purchased goods and services — — — —
Total
A
4,928,118.9 100% 1,320.7 100%
Intensity metric
Total per £m turnover – location based
Amount
kWh
Turnover
£m
Total emissions
tCO
2
e
Intensity per turnover
tCO
2
e
1 October 2023–30 September 2024 6,326,920.9 329.2 9,041.0 27.5
1 October 2024–30 September 2025
A
4,928,118.9 305.4 1,320.7 4.3
Comparison (2 2.1%) (7. 2%) (85.4%) (84.3)
A In accordance with SECR requirements and on the professional advice of NCC Group’s newly appointed sustainability consultancy, Positive Planet, the FY25 data disclosure includes
only the mandatory information prescribed by legislation. This disclosure provides a concise summary of NCC Group’s energy consumption, carbon emissions and related performance
metrics. A more comprehensive view, including supplementary information and analysis, will be provided in the 2025 Carbon Reduction Plan and Sustainability Report. This approach
ensures transparency and accessibility while maintaining compliance with regulatory obligations.
B Reflecting NCC Group’s ongoing commitment to strengthen transparency and completeness in emissions reporting, fleet emissions data for the Netherlands has been sourced and
included in the FY25 SECR disclosure for the first time.
Sustainability continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202528

NCC Group’s approach to risk management
NCC Group adopts both a “top-down” and “bottom-up” approach to
risk, to manage risk exposure across the Group to enable the effective
pursuit of strategic objectives. The approach is summarised in the
diagram on page 30.
The approach is one of collaboration, which supports our comprehensive
approach to risk identification, from the “top down” and “bottom up”.
The Group believes that this is the most efficient and effective way to
identify its business risks.
Top down
The Board, Audit Committee and Cyber Security Committee
reviewrisks on an ongoing basis and are supported by the Executive
Committee and subject matter specialists (including Escode, Cyber
Security, information security, data protection and health and safety).
The Board considers the Group’s strategic objectives and any barriers
to their achievement.
Bottom up
The Board and senior leadership team engage with colleagues at every
level of the Group in recognition of the importance of their expertise,
contribution and views.
Risk management model
The Board has overall responsibility for ensuring that NCC Group
adopts an effective risk management model, which is aligned to our
objectives and promotes good risk management practice. We have
therefore adopted the model described in this section and summarised
in the diagram above.
Risk management
Risk is an inherent part of doing business, and risk management is a fundamental aspect
ofgood corporate governance. A successful risk management process balances risk and
reward and is underpinned by sound judgement regarding the impact and likelihood of risks.
The Board holds overall responsibility for ensuring that NCC Group has an effective risk
management framework that aligns with its business objectives.
Risk
management
model
Assess adequacy
and effectiveness
of existing controls
Identify risks
Identify inherent
risks and likelihood
of impact
Monitor delivery
of action plans/
risk universe
Assign
Director-level
sponsorship
Evaluate
mitigatedrisks
and likelihood
ofimpact
Develop
action plans (treat,
transfer, tolerate,
terminate)
I
d
e
n
t
i
f
y
M
o
n
i
t
o
r
A
s
s
e
s
s
A
d
d
r
e
s
s
C
o
r
p
o
r
a
t
e
g
o
v
e
r
n
a
n
c
e
C
o
r
p
o
r
a
t
e
g
o
v
e
r
n
a
n
c
e
The Board has established an
Enterprise Risk Management
policy,which has established
protocols, including:
• Roles and responsibilities for the
risk management framework
• A risk scoring framework
• A definition of risk appetite
The integrated approach to risk management diagram
on page 30 summarises the Group’s overall approach
torisk management
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 29
Strategic report

Managing risk from the top down
Managing risk from the bottom up
Top down
Strategic risk management
Bottom up
Operational risk management
•
Establishing guidance on the Group’s
approach to risk management and establishing
the parameters for risk appetite and associated
decision making
•
Identification, review and management
ofidentified Group strategic risks and
associatedactions
•
Ongoing consideration of:
•
IT and cyber-centric risk
•
Environmental risk
Board
Audit Committee
Cyber Security
Committee
•
Periodically assessing the effectiveness of the
embedded Group risk management process
•
Challenging the content of the strategic risk
register to support a comprehensive and
balanced assessment of risk
•
Reporting on the principal risks and
uncertainties of the Group
•
Implementing and embedding the Group’s
Enterprise Risk Management policy
andapproach
•
Directing the delivery of the Group’s
identifiedactions associated with managing/
mitigating risk
•
Identification of key risk indicators, monitoring
and taking timely action where appropriate
Executive
Committee
Leadership team
•
Responsible for reviewing the operational risks
across the business units and Group
•
Challenging the appropriateness and
adequacy of proposed action plans to
mitigaterisk
•
Giving due consideration to the aggregation
ofrisk across the Group
•
Provisioning suitable cross-functional/
business unit resource to effectively manage
risk where appropriate
•
Instrumental in developing the risk
management framework adopted by the Board
•
Conduit between the Board and the business
units – providing training and support where
appropriate
•
Developing and executing a risk-based
Internal Audit Plan to assess the management
of risks
Global
Governance
function
•
Ongoing monitoring and reporting to the
Board in relation to the progress being made
by the business units in implementing agreed
action plans to mitigate strategic risk
•
Close cross-functional relationships with the
Global Technical Services (GTS) security
operations team to facilitate the identification,
management, monitoring and reporting of data
security risks
•
Execution of the delivery of the
Group’sidentified actions associated
withmanaging risk
•
Timely reporting on the implementation
andprogress of agreed action plans
•
Provision of key risk indicator updates
Business units
•
Identification and reporting of strategic risk
tothe Board
•
Provision of reports and data relating to
significant emerging risks to the Group
(internal and external)
•
Implementation of risk management approach
which promotes the ongoing identification,
evaluation, prioritisation, mitigation and
monitoring of operational risk
Effective pursuit of strategic objectives
Risk management continued
Risk management model continued
The Board, Audit Committee, Cyber Security Committee and Executive
Committee review risks on an ongoing basis throughout the period.
Theappropriateness and relevance of the risks are monitored by the
Global Governance function to ensure they continue to be updated, meet
the needs of the Group and remain in line with good risk management
practice. In addition, there is a robust process in place for monitoring
and reporting the implementation of agreed actions.
We are satisfied that the Enterprise Risk Management policy, framework
and model currently in place are sufficient to manage risk across the Group.
The key areas of identifying, assessing, addressing and monitoring risks
are explained in more detail overleaf.
Identify
Risks exist within all areas of our business, and it is important for
ustoidentify and understand the degree to which their impact and
likelihood of occurrence will affect the delivery of our key objectives.
This isachieved through day-to-day working practices and incorporates
risks in both the internal and external environment.
All identified risks are initially assessed for their “inherent” risk (risk with
no controls in place), using a scoring mechanism that accounts for the
NCC Group plc — Annual report and accounts for the year ended 30 September 202530

likelihood of an event occurring and the impact that it may have on the
Group. The scoring mechanism adopted takes account of high impact,
low likelihood events and these risks are managed in a timely manner.
In addition to ongoing risk identification, an annual exercise is
undertaken to review the Group’s strategic risk universe by the Board.
This exercise is reliant on the “top-down”, “bottom-up” approach
discussed earlier.
Assess
Post-identification of the Group’s inherent risk exposure, a
comprehensive assessment of the effectiveness of current mitigating
controls is undertaken. This exercise takes account of the design of the
current control environment and the application of these controls prior
to assessing the Group’s current exposure to risk – the mitigated risk
score. The Board uses a number of sources of information to support
the scoring of risk and these include, but are not limited to:
•
Management updates
•
Action tracking and reporting
•
Control environment policies and procedures
•
Independent audit activity
•
Project monitoring reports
Address
Having identified and assessed the risks faced by the Group, the risks
are scored according to likelihood of occurring and impact to the
business should they occur.
An assessment of whether additional actions are required to reduce
ourrisk exposure is undertaken, with actions falling into one of
fourcategories:
•
Treat – develop an action plan (applying responsibility, deadlines
and prioritisation) that may include the implementation of additional
controls, or increase the requirement for additional assurance over
the adequacy and effectiveness of the existing controls
•
Transfer – use a third party specialist to undertake the activity,
thusmitigating the risk
•
Tolerate – determine the risk is within appetite
•
Terminate – exit the activity
The output from the evaluation of strategic risks has resulted in
milestone plans owned by senior business leaders or has been used
inthe development of the Group’s transformation programme.
Monitor
Ongoing monitoring of risks and related actions is key to the
implementation of our risk management model and, therefore, NCC
Group is committed to making enterprise-wide risk management part
ofbusiness as usual. Examples of ongoing monitoring of business risks
include, but are not limited to:
•
Annual review of the external audit strategy and plan by the Audit
Committee and Chief Financial Officer to ensure inclusion of key
financial risks
•
Review of the annual Internal Audit Plan to validate that it
incorporates key areas of business risk
•
A review of internal audit reports issued during the period, including
a summary of progress against previously raised management
actions at each Audit Committee meeting
•
Annual review of the strategic risk register by the Enterprise Risk
Management Steering Group and Board to ensure that it includes
risks arising in the period
Internal control
While risk management identifies threats to the Group achieving its
strategic objectives, internal controls are designed to provide assurance
that these objectives are being achieved, such as the effectiveness and
efficiency of operations and delivery, accurate and reliable financial
reporting, and compliance with applicable laws andregulation.
NCC Group has established a robust internal control framework,
whichis made up of a number of components:
Control environment
The control environment has primarily been established taking
accountof the Group’s values (working together, being brilliantly
creative, embracing difference and taking responsibility), and its Code of
Ethics, which sets the foundations for the expected behaviours, values
and competencies for all colleagues across the Group. The Board,
Executive Committee and extended leadership team lead by example
and strive to maintain effective control environments, while also
maintaining integrity and transparency.
Risk assessments
Risk assessments are conducted at both a strategic and operational
level of the Group and support the Group in understanding the risks
that it faces and the controls in place to mitigate them. Importantly, they
provide a mechanism to identify operational improvements and are vital
in our transformational programmes.
Policies and procedures
Established policies communicate expected behaviours and are
supported by procedures and guidelines that define required processes
and controls. This, in turn, helps the business to adopt efficient and
effective control environments.
Information and communications
Access to accurate and timely data is essential for supporting our
colleagues in making informed decisions and effectively managing
andcontrolling their areas of responsibility.
Activity monitoring
The minimum financial controls framework was established in FY20.
Further enhancement of the framework is being designed and
implemented to align with the UK Corporate Governance Reform
andupcoming Directors’ attestation of internal controls.
In preparation for new legislative requirements relating to failure to
prevent fraud, key anti-fraud controls have been identified and these
are supported by red flag reporting and ongoing trend analysis to
enhance the existing control environment to ensure compliance with
the Economic Crime and Transparency Act (2023).
Financial accounting and reporting follow generally accepted
accounting practices.
Group review and approval procedures exist in relation to major areas
of risk and require Executive Committee/Board approval, including
mergers and acquisitions, major contracts, capital expenditure,
litigation, treasury management and taxation policies. The approval
procedures are captured within a global delegation of authority (DoA)
matrix which is disseminated across the Group.
Compliance with all legislation, current and new, is closely monitored.
Risk and control reporting structure
NCC Group has embedded the “three lines of defence” to provide
arobust internal controls structure that will support the Board, Audit
Committee, Cyber Security Committee, Executive Committee and
extended leadership team with accurate and reliable information in
relation to the systems of internal control.
Three lines of defence:
•
First line – Group policies and procedures
•
Second line – information security, data protection, health and
safety, and legal
•
Third line – risk and assurance, incorporating internal audit,
standards and support, assessing compliance with standards and
external audit, both financial and operational, providing independent
challenge and assessment
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 31

Risk management continued
A. Strategy
1. Inability to execute the Group’s strategy including the diversification of market sector,
region, product/service or client
VR
Link to strategy: Our clients Our capabilities Global delivery Differentiated brands
Previous risk names
Inability to execute the Group
strategy and over-reliance on
market sector, product/service
or client
Risk owner
Mike Maddison, CEO
Risk impact
Ineffective execution of a strategy could have a
material negative impact on the Group’s financial
performance andvalue.
It would potentially weaken the Group compared
to its competitors and risk the Group’s established
position in themarketplace.
Risk impact and movement
Key controls and mitigating factors
Strategic transformation plans are in place.
Disposal of Crypto and DetACT.
The Manila office is fully operational.
2. Inability of the Group to absorb the people, process and technological transformation change
Link to strategy: Our clients Our capabilities Global delivery Differentiated brands
Previous risk name
Poor adoption of change
managementmechanisms
Risk owner
Mike Maddison, CEO
Risk impact
Failure to successfully deliver strategic outcomes
caused by projects failing because they deliver
late, don’t deliver, fail to deliver the right things or
fail to achieve the expected benefits.
Risk impact and movement
Key controls and mitigating factors
Transformation delivery centre is in place.
Business cases linked to principal risks underpinned
by robust financial and legal due diligence which
clearly articulates project objectives including
delivery metrics.
Programme sponsors are accountable for delivery
ofoutcomes.
Project SteerCo’s in place.
Risk movement:
Increased Decreased Unchanged
Viability risk:
VR
New risk:
NR
Risk impact:
High Medium Low
Extraordinary risk during the period
Principal risks and uncertainties
During the period, the Board has completed a robust assessment of the
Company’s emerging and principal risks. This has included the Board
reassessing and rescoring the principal risks, with changes to the risks
noted below. The overall number of principal risks has reduced from 24
in FY24 to 14 in FY25 primarily due to risks being combined where the
operating risks overlapped or where they were considered sub-risks.
The Group continues to operate in a particularly dynamic and evolving
marketplace. The current risk register has been developed to reflect
these factors and includes risks that could threaten the Group’s
business model, future performance, solvency or liquidity. Detailed
descriptions of the current principal risks and uncertainties faced by the
Group, along with their potential impact and the mitigating processes
and controls, are set out below.
The strategic risks are based on the four pillars of our strategy: our
clients, our capabilities, global delivery and differentiated brands.
NCC Group plc — Annual report and accounts for the year ended 30 September 202532

A. Strategy continued
3. Commercial models (contractual and pricing) do not reflect the flexibility
required by clients or drive the optimal commercial outcome for NCC Group
VR
Link to strategy: Our clients Our capabilities Global delivery
Previous risk name
N/A
Risk owner
Peter Vorley, CCO
Risk impact
Inability to transact, operate and deliver profitable
services resulting in loss of revenue and negative
impact on share price.
Risk impact and movement
NR
Key controls and mitigating factors
Finance review of margins.
Legal review of contracts.
Approval is required for low margin jobs.
Regular review of services is offered.
Client engagement and feedback to enhance
theportfolio of product and services.
B. Cyber and information security
4. Cyber attack
VR
Link to strategy: Our capabilities Global delivery Differentiated brands
Previous risk name
N/A
Risk owner
Guy Ellis, CFO
Risk impact
Data breach leading to fines from regulators
andreputationaldamage.
Lack of availability in systems.
Inability to operate services resulting in loss of
customer trust, resulting in loss of revenue and
negative impact on share price.
Impact on national security due to our work with
governmentclients.
Risk impact and movement
Increased due to increase in high profile cyber
attacks and change to geopolitical landscape.
Key controls and mitigating factors
The Board operates a Cyber Security Committee
chaired by a NED.
All colleagues globally are required to undertake annual
and ongoing security training to alert them to potential
methods of security breach andto their responsibilities
in safeguarding information and reporting
potentialissues.
Security testing is regularly carried out on the Group’s
infrastructure andthere are extensive response plans,
which are tested.
Comprehensive plans are in place and being
deliveredassociated with discharging our data
protection obligations.
Deployed an Information Security Management System
(ISO 27001). Allkey locations are certified.
Risk movement:
Increased Decreased Unchanged
Viability risk:
VR
New risk:
NR
Risk impact:
High Medium Low
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 33

Risk management continued
B. Cyber and information security continued
5. Significant business systems failure VR
Link to strategy: Our capabilities Global delivery Differentiated brands
Previous risk name
N/A
Risk owner
Guy Ellis, CFO
Risk impact
Inability to transact, operate and deliver services
resulting in loss of customer trust, resulting in loss
of revenue and negative impact on share price.
Risk impact and movement
Increased due to a lot of ongoing transformational
change and the general increase in cyber attacks.
Key controls and mitigating factors
Deployed an Information Security Management System
(ISO 27001). Allkey locations are certified.
IT strategy of continued cloud migration which has
greater resilience andavailability.
Business continuity plans, including crisis
management, are in place and tested regularly.
A change management process is in place within IT which
assists areduction in incidents caused by human error.
Backups are in place and single points of failure are
identified and mitigated inthe event of prolonged loss
of systems.
Regular vulnerability assessments (perimeter scanning)
and penetration testing are undertaken.
Global systems are in place.
6. Loss of client/colleague data
Link to strategy: Our capabilities Differentiated brands
Previous risk name
Merged with intellectual
property theft or exposure
Risk owner
Guy Ellis, CFO
Risk impact
Data breach leading to fines from regulators and
reputationaldamage.
Reputational damage from losing client data and
industrial espionage, resulting in loss of revenue
and loss of competitive advantage from threat of
malicious actors.
Risk impact and movement
Key controls and mitigating factors
Deployed an Information Security Management System
(ISO 27001). Allkey locations are certified.
Regular compliance training, including data protection,
is provided to allcolleagues at least annually.
Information classification and handling and data privacy
policies are inplace.
7. Insufficient quality, integrity and availability of management information
VR
Link to strategy: Our clients Our capabilities Global delivery
Previous risk name
N/A
Risk owner
Guy Ellis, CFO
Risk impact
Suboptimal business decision making and
performance as key financial performance data
isnot available or trusted.
Risk impact and movement
Key controls and mitigating factors
We are ISO 9001 accredited across key locations.
Standardised business process control standards
arein place and subject to regular review by the global
standards and support team.
Increased focus on implementing global systems
tosupport globalstrategy.
Risk movement:
Increased Decreased Unchanged
Viability risk:
VR
New risk:
NR
Risk impact:
High Medium Low
Principal risks and uncertainties continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202534

C. Innovation and product development
8. Technology changes render services obsolete/technology disruption impacts pace of change
Link to strategy: Our clients Our capabilities Global delivery Differentiated brands
Previous risk name
Merged with lack of innovation,
ineffectual product/service
management and failure to
capture on partnership
ecosystem
Moved from strategy theme
toinnovation theme
Risk owner
Mike Maddison, CEO
Risk impact
Failure to stay updated with technological changes
can erode competitive advantage, leading to a
decline in market share andrevenue.
Failure to deliver the Group strategy.
Increased cost base eroding margins.
Risk impact and movement
Key controls and mitigating factors
Market intelligence and competitive intelligence reporting.
Strategic partnerships and technology partners to ensure
alignment with emerging trends and technology changes.
Research and development budgets and culture which
proactively embraces new trends and technologies.
Cross-functional collaboration via working groups
topromoteinnovation.
Client engagement and feedback to enhance the
portfolio of products and services.
D. People
9. Insufficient strategic workforce planning, including technological development and training
of colleagues
VR
Link to strategy: Our capabilities
Previous risk name
Inability to retain/recruit
colleagues to meet the
resource needs of the
business and unable to meet
the resource needs of the
business and client
Risk owner
Michelle Van de Velde, CPO
Risk impact
Inability to deliver to clients resulting in loss
ofrevenue and reputational damage.
Loss of colleague morale and risk of “burnout”.
Loss of key colleagues or significant colleague
turnover could result in a lack of necessary expertise
or continuity to execute the Group’s strategy.
Inability to attract and retain sufficient high
calibrecolleagues could become a barrier to the
continued success and growth ofNCC Group.
Risk impact and movement
Increased due to a lot of ongoing
transformationalchange.
Key controls and mitigating factors
Workforce resourcing is managed by the Chief
PeopleOfficer.
A full review of workforce requirements is undertaken
as part of the strategicreview.
Job level framework is implemented.
Colleagues are offered an industry aligned salary and
benefits package including share schemes, salary
sacrifice car scheme and retail discount offerings.
The Manila office is fully operational and has reduced
the cost base to further meet the needs of our clients.
E. Market and competition
10. Global socio-political risk
Link to strategy: Our clients Our capabilities Global delivery Differentiated brands
Previous risk names
Geopolitical risk and
undertaking work with
disreputable clients
insanctioned or
undesirablejurisdictions
Risk owner
Kevin Brown, COO
Risk impact
Failure to comply with changing global regulations
may cause disruption to our business.
Reputational damage and legal implications
ifwework with disreputable clients.
Risk impact and movement
Increased due to it being difficult to control
andalot of change and uncertainty.
Key controls and mitigating factors
The strategy is focused on globalisation and thus
theresource structure is being designed to promote
global delivery.
A country risk index is in place with risk assessments
performed for business in higher risk countries.
Risk movement:
Increased Decreased Unchanged
Viability risk:
VR
New risk:
NR
Risk impact:
High Medium Low
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 35

Risk management continued
F. Brand and reputation
11. Adverse publicity in news and social media
Link to strategy: Differentiated brands
Previous risk name
N/A
Risk owner
Angela Brown, CMO
Risk impact
Reputational damage leading to loss of existing
and potential clients resulting in loss of revenue.
Risk impact and movement
Key controls and mitigating factors
Policies and procedures are in place which follow
goodpractice and ethics.
Annual compliance training.
Research quality review process.
G. Quality and delivery
12. Inability to effectively compete in the market
VR
Link to strategy: Our clients Our capabilities
Previous risk names
Service delivery does
notachieve established
qualitystandards, loss of
internationally recognised
quality and security standards
and lack of market strength
versus competition
Risk owner
Kevin Brown, COO
Risk impact
Clients don’t renew, have their SLA breached
orcancel mid-service leading to loss of revenue.
Negligence in delivery leading to legal action
orloss of revenue and reputational damage.
Failure to retain internationally recognised quality
and security standards resulting in a loss of clients
and revenue and the ability tooperate.
Risk impact and movement
Key controls and mitigating factors
Global standards and support team performs internal
audits andmanages the ISO accreditations.
External assessors conduct audits at least
annuallyconfirming the retention of our quality
andsecurity standards.
ISO standards extended to more locations in FY25.
Policies and procedures are in place and audited
against the design andapplication.
Quality assurance processes are in place.
Standard methodologies and procedures are followed.
Customer feedback and complaints process.
Ongoing internal training programmes.
Risk movement:
Increased Decreased Unchanged
Viability risk:
VR
New risk:
NR
Risk impact:
High Medium Low
Principal risks and uncertainties continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202536

H. Legal, regulatory compliance and governance
13. Criminal and civil corporate legal action resulting in fines and incarceration
VR
Link to strategy: Our clients Global delivery Differentiated brands
Previous risk name
N/A
Risk owner
Guy Ellis, CFO
Risk impact
Reputational damage from legal action being
taken and financialimpact of the fines and the
impact it may have on key customeraccounts.
Risk impact and movement
Key controls and mitigating factors
The legal team reviews customer contracts.
Annual compliance training is undertaken including
ethics, economic crime, health and safety, information
security and data protection.
14. Inability to identify and adopt emerging regulations in a timely manner
Link to strategy: Our clients Global delivery Differentiated brands
Previous risk name
N/A
Risk owner
Guy Ellis, CFO
Risk impact
Non-compliance with regulations resulting in fines
from regulators and reputational damage leading
to loss of key customer accounts and shareholder
investment.
Risk impact and movement
Key controls and mitigating factors
TCFD reporting in third period and working on CSRD
for our Fox-ITbusiness.
Horizon scanning for new regulations.
Risk movement:
Increased Decreased Unchanged
Viability risk:
VR
New risk:
NR
Risk impact:
High Medium Low
We have removed the lack of visibility in the workplace risk, within the brand and reputation risk theme, as the Board deemed this was no longer
astrategic risk.
In addition to identifying the Group principal risks, we continuously review and monitor emerging risks through horizon scanning; publications;
assessing regulatory changes and how they may impact the Group; and ensuring adequate oversight over significant projects.
Examples of identification include horizon scanning for emerging risks such as increasing energy costs, takeover risks, legislative and market
changesand geopolitical risks.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 37

Viability statement
In line with Provision 31 of the 2018 UK Corporate Governance Code,
this Viability Statement outlines the Directors’ assessment of the Group’s
ability to continue in operation and meet its liabilities as they fall due over
the designated assessment period (factoring in the Group’s continuing
operations), drawing attention to any qualifications or assumptions, as
necessary. This evaluation considers our current financial position,
outlook and principal risks and uncertainties, as well as the critical
judgements and estimates underpinning the Financial Statements. The
Directors’ assessment is grounded in the Group’s business model and
strategic plan, which are reviewed and approved annually by the Board
with a focus on a sustainable growth strategy derived from two distinct
businesses, increasing shareholder value, andenhancing our service
offering. For further details, please see theStrategic Report on pages 8
and 9.
The Group’s strategic priorities, detailed on pages 12 and 13 of the
Strategic Report, provide a foundation for this outlook. Additionally,
theeffective management of principal risks and uncertainties, as
outlined on pages 29 to 37, underscores those factors that could
theoretically pose a threat to the Group’s operational or financial
resilience, particularly those carrying the viability risk (VR) designation.
The assessment period
The Directors have assessed the viability of the Group over a three year
period ending in September 2028. This timeframe aligns with the Group’s
strategic planning horizon and reflects a practical planning period,
considering the pace of industry change and evolving customer demands.
Assessment of viability
The viability of the Group has been assessed based on its current
financial position, available banking facilities, and the Board-approved
FY26 budget and three year strategic plan (factoring in the Group’s
continuing operations). The Group’s base case budget for FY26
incorporates recent growth trends across geographical regions and
operating segments, as well as relevant growth opportunities driven
byexisting offerings. Management has also performed base case
modelling inclusive of the potential disposal of its Escode business
(incorporating any associated impact on the Group’s banking facilities
and expected netcash position). This assessment also accounts for
current macro-economic conditions where applicable.
Additionally, the Group remains in the early stages of reviewing
anumber of strategic options for its Cyber business, however no decision
has been made on which option will be pursued as of 11 December 2025.
No material issues impacting the Group’s viability assessment as of
11December 2025.
In April 2025, the Group refinanced its borrowing arrangements by
entering into a new four year £120m multi-currency revolving credit
facility, replacing the previous facility due to expire in December 2026.
The new facility, which expires in April 2029, provides additional
liquidity headroom and has been factored into the Group’s
viabilityassessment.
Additionally, the Directors have modelled the impact of severe, yet
plausible, scenarios associated with the Group’s principal viability risks,
which could have the most significant potential impact on viability over
the three year period, as outlined in the table below. These sensitivities
have been assessed against the Group’s projected cash flow position,
available banking facilities, and compliance with financial covenants
throughout the viability period. Under these scenarios, the Group
hasassessed and concluded that sufficient headroom exists to support
its operations and meet its liabilities as they fall due. Further details
onthe Group’s financing arrangements can be found in Note 1
oftheFinancial Statements.
The applied sensitivities demonstrate sufficient levels of headroom,
indicating that no mitigating actions are necessary under the severe
butplausible scenarios modelled by management. Nevertheless,
should additional headroom be needed, available measures within
theDirectors’ control include reducing planned capital expenditure,
adjusting headcount, freezing pay and recruitment, and suspending
dividend payments to shareholders.
As outlined on page 32, the Board has undertaken a robust assessment
of the Company’s principal risks, resulting in an overall reduction in the
number of identified risks. This reassessment included a review of the
Group’s principal risks that are also considered viability risks, and any
changes identified during the year are clearly highlighted on pages 32
to37.
Conclusions
Based on the severe but plausible scenarios modelled (inclusive of the
planned disposal of Escode), the Directors have a reasonable expectation
that the Company will be able to continue in operation and meet its
liabilities as they fall due over the three year period of assessment.
TheDirectors have considered this assumption as part of their viability
assessment and believe it to be reasonable based on the Group’s
financial position.
NCC Group plc — Annual report and accounts for the year ended 30 September 202538

Viability risk Risk as applied to viabilityassessment Specifics of scenario modelled Potential impact
Inability to execute
theGroup’s strategy
including the
diversification of
market sector, region,
product/service
orclient
The ineffective execution of a strategy could have a
materialnegative impact on the Group’s financial
performance and value.
It would potentially weaken the Group compared to its
competitors and risk the Group’s established position
inthemarketplace.
In order to consider the
impactof the risks identified,
management has modelled
thefollowing scenario:
A reduction in future trading
performance within Cyber
Security, specifically in the
Group’s Technical Assurance
Services (TAS).
This scenario models
anannualised reduction of
£10.6m in revenue and £3.8m
in profitability over the three
year viability period.
The impact of this
sensitivity has been
assessed against the
Group’s projected
cashflow, available
banking facilities,
andcompliance with
financial covenants
overthe three year
viability period.
The scenario applied
indicates sufficient
headroom throughout
this period, confirming
that no mitigating
actions are necessary.
Insufficient strategic
workforce planning,
including technological
development and
training of colleagues
Inability to deliver to clients could result in revenue loss and
reputational damage, hindering the Group’s ability to execute
its strategy.
Loss of key colleagues or significant colleague turnover could
result in a lack of necessary expertise or continuity to execute
the Group’s strategy.
Inability to attract and retain sufficient high calibre colleagues
could become a barrier to the continued success and growth
of NCC Group.
Insufficient quality,
integrity and
availability of
management
information
Suboptimal business decision making, and performance
askey financial performance data is not available or trusted.
These suboptimal decisions could prevent the Group from
achieving its strategic goals.
Commercial models
(contractual and
pricing) do not reflect
the flexibility required
by clients or drive the
optimal commercial
outcome for
NCCGroup
Inability to transact, operate and deliver profitable
servicesresulting in loss of revenue and negative impact
onshareprice.
In order to consider the
impactof the risks identified,
management has modelled
thefollowing scenario:
A loss in key customers
resulting in an annualised
reduction of £8.9m in revenue
and £2.6m in profitability over
the three year viability period.
The impact of this
sensitivity has been
assessed against the
Group’s projected
cashflow, available
banking facilities,
andcompliance with
financial covenants
overthe three year
viability period.
The scenario applied
indicates sufficient
headroom throughout
this period, confirming
that no mitigating
actions are necessary.
Cyber attack Data breach leading to fines from regulators and
reputationaldamage.
Lack of availability in systems.
Inability to operate services resulting in loss of customer
trust, resulting in loss of revenue and negative impact
onshare price.
Impact on national security due to our work with
governmentclients.
Each of the above could result in a loss of customers
andrevenue.
Significant business
systems failure
Inability to transact, operate and deliver services resulting
inloss of customer trust, resulting in loss of revenue and
negative impact on share price.
Inability to effectively
compete in the market
Client non-renewal, SLA breaches, or mid-service
cancellations could result in revenue loss.
Delivery negligence could lead to legal action, reputational
damage, and loss of customers and revenue.
Failure to maintain internationally recognised quality and
security standards could result in client loss, revenue decline,
and operational restrictions.
Criminal and civil
corporate legal action
resulting in fines
andincarceration
Reputational damage from legal action being taken and
financial impact of the fines and the impact it may have on
key customer accounts.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 39

Financial review
•
Globalised technical resource footprint – from a global delivery
perspective the Group continues to invest in its Manila office and
delivery resourcing is planned and tracked on a single system.
Efficiency for growth
•
Simplify operating model to generate efficiencies – finance and IT
processes globalised and centralised around hubs in Manchester
and Manila. We continue to monitor our transformation journey as we
ensure the operating model is market aligned, and delivery is
focused to support the underlying Cyber Security business strategy.
•
Drive towards consistent profit conversion in every market –
improvement in North American GM% by 6.3% pts to 28.4% year
onyear, despite a revenue decline of 12.9% at constant currency, in
part as a result of increased delivery from Manila and cost control.
•
Eliminate stranded costs resulting from non-core disposals – the Fox-IT
Crypto disposal completed on 28 March 2025. In October 2025, the
simplified Fox-IT Cyber Security operations further separated from
the Fox-IT Crypto business by moving into its own offices, following
the opening of the new Rijswijk office (the “Den”). We continue to
review Group wide for any stranded costs from all non-core
disposals (including the potential disposal of Escode).
Capital deployment supporting growth
•
Strong cash conversion – FY25 cash conversion of 91.3%, reflecting
an improvement from H1 2025 cash conversion of 62.3%, with
H22025 cash conversion being 119.4%.
•
Ensure appropriate liquidity and debt facilities – net cash effectively
managed at 30 September 2025 to £13.1m, with non-core disposal of
Fox-IT Crypto generating £65.6m gross cash consideration. Agreed a
new four year £120m multi-currency revolving credit facility in April 2025.
•
Maintaining dividend – final FY25 dividend maintained at 3.15p, as
the Board prioritises investment in the strategy.
•
Expected commencement of initial share buy-back programme in
December 2025/January 2026.
•
Accretive acquisition opportunities – continue to scan the market for
accretive cyber opportunities with a clear strategic and operational fit.
Overview of financial performance
Throughout this Financial Review, references are made to a number of
reporting periods. Any references to the year ended 30 September 2025
or the 16 month period ended 30 September 2024 relate to audited
figures (unless stated otherwise). References to the year ended
30September 2024, the six months (“H1”) to 31 March 2025 (and
comparative six months to 31 March 2024), and the six months (“H2”) to
30 September 2025 (and comparative six months to 30September 2024)
relate to unaudited figures.
Highlights – financial framework
As we assess our performance against the FY25 financial framework
published in December 2024, it is encouraging to see that we have
continued to deliver throughout the year against most of the framework.
The key points to note are as follows:
Sustainable revenue growth
•
Delivering underlying growth in Cyber Security (excluding non-core
disposals) – 2025 Cyber Security revenue declined compared to the
year ended 30 September 2024 on both constant currency
1
(-4.0%)
and at actual rates (-4.9%). However, H2 2025 demonstrated positive
momentum versus H1 2025, delivering growth of +3.0%.
•
Increase Managed Services revenue as a proportion of total Cyber
Security (excluding Crypto and DetACT) – 2025 MS revenue
proportion increased by +2.2%pts at constant currency (actual rates:
+2.5%pts), compared to the year ended 30 September 2024.
•
Maintaining momentum in Escode – achieved 12 consecutive quarters
of revenue growth (on a constant currency basis) and increased year
on year by +2.2% on a constant currency basis (+0.8% actual rates).
Improved gross margin
•
Improved utilisation – the Group’s average utilisation rate for the year
across TAS and C&I (all locations) amounts to 70.4%, with the Manila
team average increasing as more activity is onboarded into its
delivery model.
•
Smart pricing and margin investment decision making – Kantata
resource reporting tool now implemented globally and regular
reporting of profitability by engagement and client has been
implemented with further benefits to be realised.
Guy Ellis
Chief Financial Officer
Delivering on
ourfinancial
framework
NCC Group plc — Annual report and accounts for the year ended 30 September 202540

This approach continues to support comparability of the Group’s new year end performance (following the year end change in FY24) and,
importantly, provides visibility on the current trajectory.
Year ended 30 September 2025 compared to the 16 month period ended 30 September 2024
The following table summarises the Group’s performance for the year ended 30 September 2025, following the results for the 16 month period
ended 30 September 2024, which reflected the Group’s change in financial year end to 30 September in the prior period. The results for the year
(and the prior period) present the Group’s Escode business as discontinued operations. Therefore, the table below shows the Group’s continuing
operations results, with Escode added back to ensure full comparability of the Group’s performance.
During the year ended 30 September 2025, the Group explored a number of options for its Escode business, including a potential sale, eventually
initiating an active programme to locate a potential buyer. As at 30 September 2025, the sale was considered highly probable, so the related assets
and liabilities were reclassified as held for sale. Since Escode is a separate major line of business and classified as held for sale, it is presented also
presented as a discontinued operation.
Year ended 30 September 2025 16 month period ended 30 September 2024
Cyber
Security
£m
Central
and
head office
£m
Continuing
operations
3
:
Sub-total
£m
Discontinued
operations
3
:
Escode
£m
Group
£m
Cyber
Security
£m
Central
and
head office
£m
Continuing
operations
3
:
Sub-total
£m
Discontinued
operations
3
:
Escode
£m
Group
£m
Revenue 238.9 — 238.9 66.5 305.4 342.1 — 342.1 87. 4 429.5
Cost of sales (150.5) — (150.5) (19.0) (169.5) (2 24.1) — (224.1) (26.7) (250.8)
Gross profit 88.4 — 88.4 47.5 135.9 118.0 — 118 .0 60.7 178.7
Gross margin % 37.0% — 37.0% 71.4% 44.5% 34.5% — 34.5% 69.5% 41.6%
Administrative expenses
3
(68.4) (4.4) (72.8) (16.4) (89.2) (97.3) (3.4) (100.7) (24.1) (124.8)
Share-based payments (0.2) (2.6) (2.8) (0.2) (3.0) (0.1) (2.0) (2.1) (0.2) (2.3)
Adjusted EBITDA
1,2
19.8 (7.0) 12.8 30.9 43.7 20.6 (5.4) 15.2 36.4 51.6
Depreciation and
amortisation (7.8) (3.1) (10.9) (1.0) (11.9) (10.9) (5.3) (16.2) (0.6) (16.8)
Amortisation of acquired
intangibles (1.0) (2.1) (3.1) (5.0) (8.1) (1.4) (4.0) (5.4) (7.1) (12.5)
Adjusted operating
profit/(loss)
1,2
11.0 (12.2) (1.2) 24.9 23.7 8.3 (14.7) (6.4) 28.7 22.3
Individually Significant Items (3.9) 5.8 1.9 — 1.9 (41.4) — (41.4) (0.1) (41.5)
Operating profit/(loss) 7.1 (6.4) 0.7 24.9 25.6 (33 .1) (14.7) (47.8) 28.6 (19.2)
Operating margin % 3.0% N/A 0.3% 37.4% 8.4% (9.7%) N/A (14.0%) 32.7% (4.5%)
Finance costs     (5.0)   (8.3)
Profit/(loss) before
taxation     20.6  (27.5 )
Taxation     (3.5)  (5.0)
Profit/(loss) after taxation     17.1  (32.5)
EPS      
Basic EPS 5.6p (10.4p)
Adjusted basic EPS
1,2
4.7p 3.4p
1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative
Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation
to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic
review of Escode and strategic review of the Cyber business costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which include an explanation of
APMs and adjusting items, along with a reconciliation to statutory information.
3 Management have allocated £6.8m of these costs to Escode which have been included within the administrative expenses above. To reconcile to Escode’s statutory operating profit,
these costs are reallocated to central and head office administrative expenses in accordance with the requirements of IFRS 5 on discontinued operations. This is due to the fact that if an
operation is disposed of, the relevant central overheads may not decrease in the short term.
On the basis we are comparing a 12 month period to a 16 month
period, revenue decreased by 28.0% on a constant currency basis
(actual rates: 28.9%), with total Cyber Security revenue decreasing
29.3% on a constant currency basis (actual rates: 30.2%) and Escode
decreasing by 22.8% on a constant currency basis (actual rates: 23.9%).
Encouragingly, when you directly compare our overall gross margins,
we have improved since the 16 month period ended 30 September
2024 with gross margin percentage increasing to 44.5% (2024: 41.6%).
This +2.9% pts in gross margin is driven by improved utilisation and
operational efficiencies within Cyber Security, together with a
continued shift in the service mix, as Managed Services accounts for
agrowing proportion of overall revenue at a higher margin. This has
also been boosted by an improvement in Escode gross profit margin,
increasing to 71.4% from 69.5% due to the continued benefits arising
from previous investments within Escode. Administrative expenses
(excluding share-based payments, depreciation and amortisation, and
amortisation of acquired intangibles) have decreased from £124.8m
inthe 16 month period ended 30 September 2024 to £89.2m. This is
predominantly driven by lower payroll related costs on the basis we
arecomparing a 12 month period to a 16 month period.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 41

Overview of financial performance continued
Year ended 30 September 2025 compared to the 16 month
period ended 30 September 2024 continued
A profit before taxation of £20.6m (inclusive of Escode) for the year
wasrecognised after incurring £1.9m (credit) of Individually Significant
Items (including the profit on disposal of Fox Crypto, fundamental
re-organisation costs and the strategic review of both the Escode and
Cyber businesses). This profit before taxation was driven in part by the
£11.4m gain on disposal of Fox Crypto, following completion during the
year. This gave rise to a basic EPS of 5.6p and diluted EPS of 5.5p
(2024: basic and diluted (10.4p)). Adjusted basic EPS
1
amounted to
4.7p and 4.6p (2024: basic and diluted 3.4p).
Net cash excluding lease liabilities
1
amounts to £13.1m (2024: net debt
excluding lease liabilities
1
of £45.3m), reflecting the repayment of the
Group’s borrowings following the successful completion of the Fox
Crypto disposal.
The Group’s Balance Sheet remains strong following the successful
refinancing completed in April 2025. At that time, the Group entered
into a new four year, £120m multi-currency revolving credit facility
(RCF) with a syndicate of four banks and including an uncommitted
£50m accordion option. This new unsecured facility replaces the
previous £162.5m RCF due to expire in December 2026.
Financial review continued
Year ended 30 September 2025 compared to pro forma 12 months to 30 September 2024
The following table summarises the results for the year ended 30 September 2025 compared to the unaudited 12 month pro forma period
ended30September 2024.
Year ended 30 September 2025 12 month pro forma period ended 30 September 2024
Cyber
Security
£m
Central
and
head
office
£m
Sub-
total
£m
Crypto
and
DetACT
£m
Sub-
total
£m
Discontinued
operations
3
:
Escode
£m
Group
£m
Cyber
Security
£m
Central
and
head
office
£m
Sub-
total
£m
Crypto
and
DetACT
£m
Sub-
total
£m
Discontinued
operations:
Escode
£m
Group
£m
Revenue 227.4 — 227.4 11.5 238.9 66.5 305.4 239.2 — 239.2 24.0 263.2 66.0 329.2
Cost of sales (14 4.1) — (14 4.1) (6.4) (150.5) (19.0) (169.5) (150.7) — (150.7) (15.0) (165.7) (20.6) (186.3)
Gross profit 83.3 — 83.3 5.1 88.4 47.5 135.9 88.5 — 88.5 9.0 97. 5 45.4 142.9
Gross margin % 36.6% — 36.6% 44.3% 37.0% 71.4% 44.5% 37. 0 % — 37.0 % 37.5% 37.0% 68.8% 43.4%
Administrative
expenses
3
(66.4) (4.4) (70.8) (2.0) (72.8) (16.4) (89.2) (69.9) (3.2) ( 73.1) (1.4) (74.5) (16.9) (91.4)
Share-based
payments (0.2) (2.6) (2.8) — (2.8) (0.2) (3.0) (0.1) (1.6) (1.7) — (1.7) (0.1) (1.8)
Adjusted
EBITDA
1,2
16.7 (7.0) 9.7 3.1 12.8 30.9 43.7 18.5 (4.8) 13.7 7.6 21.3 28.4 49.7
Depreciation
and amortisation (7.6) (3.1) (10.7) (0.2) (10.9) (1.0) (11.9) (8.5) (3.7) (12.2) (0.1) (12.3) (0.5) (12.8)
Amortisation of
acquired
intangibles (0.9) (2 .1) (3.0) (0.1) (3.1) (5.0) (8.1) (1.1) (3.0) (4.1) — (4.1) (5.3) (9.4)
Adjusted
operating
profit/(loss)
1,2
8.2 (12.2) (4.0) 2.8 (1.2) 24.9 23.7 8.9 (11.5) (2.6) 7.5 4.9 22.6 27.5
Individually
Significant Items (3.9) 5.8 1.9 — 1.9 — 1.9 (38.9) — (38.9) — (38.9) (0.1) (39.0)
Operating
profit/(loss) 4.3 (6.4) (2 .1) 2.8 0.7 24.9 25.6 (30.0) (11.5) (41.5) 7.5 (34.0) 22.5 (11.5)
Operating
margin % 1.9% N/A (0.9%) 24.3% 0.3% 37.4% 8.4% (12.5%) N/A (17. 3%) 31.3% (12.9%) 34.1% (3.5%)
Finance costs       (5.0)    (6.3)
Profit/(loss)
before taxation       20.6   (17. 8)
Taxation       (3.5)   (7.3)
Profit/(loss)
after taxation       17.1   (25 .1)
EPS         
Basic EPS 5.6p (8 .1p)
Adjusted basic
EPS
1,2
  4.7p  5.2p
NCC Group plc — Annual report and accounts for the year ended 30 September 202542

1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative
Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation
to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic
review of Escode and strategic review of Cyber costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which include an explanation of APMs and
adjusting items, along with a reconciliation to statutory information.
3 Management have allocated £6.8m of these costs to Escode which have been included within the administrative expenses above. To reconcile to Escode’s statutory operating profit,
these costs are reallocated to central and head office administrative expenses in accordance with the requirements of IFRS 5 on discontinued operations. This is due to the fact that if an
operation is disposed of, the relevant central overheads may not decrease in the short term.
Total revenue has decreased by 6.2% on a constant currency basis
(actual rates: (7.2%)), with Cyber Security revenue (excluding non-core
disposals) decreasing by 4.0% on a constant currency basis (actual
rates: (4.9%)) and Escode growing by 2.2% on a constant currency
basis (actual rates: 0.8%). The Escode revenue increase has
predominantly been driven by favourable price increases and volume
during the year within verification services
Turning to Cyber Security revenue trajectory during the year, the UK
and APAC declined by 0.6% at constant currency (actual rates: (0.8%)),
and North America declined by 12.9% (actual rates: (15.4%)). These
reductions have been driven primarily by declines in their respective
TAS markets, as demand has recovered more slowly than expected
year on year. Encouragingly, the UK and APAC improved by 5.5% at
actual rates when comparing H2 2025 with H1 2025, driven primarily
by improvements within the UK’s C&I business.
Year on year we have experienced continued growth in our Managed
Services performance by 2.8% at constant currency (actual rates:
2.6%) which has mainly been driven by our European MS business,
with this growth continuing when comparing H2 2025 with H1 2025.
Additionally, we have seen year-on-year growth in our C&I business
of16.6% at constant currency (actual rates: 14.9%) which has been
driven by increased demand within our UK markets. Similarly to our MS
business from a trajectory perspective we have seen continued growth
within our UK C&I business when comparing H2 2025 to H1 2025.
Year-on-year gross profit has decreased by 4.9% to £135.9m; however,
gross profit margin has favourably increased to 44.5% (reflecting an
increase of 1.1% pts) mainly driven by an improvement in Escode of
2.6% pts (noting Cyber Security excluding non-core disposals has
remained broadly flat at c.37%). Encouragingly, comparing H2 2025
with H1 2025 Cyber Security gross margin has increased by 2.0% pts
to 38.0% reflecting the increased shift in mix towards the higher margin
Managed Services business.
Administrative expenses (excluding share-based payments,
depreciation and amortisation, and amortisation of acquired intangibles)
have decreased by 2.4% from £91.4m to £89.2m, after taking into
account inflationary wage increases. This movement was primarily
driven by lower payroll costs (following the globalisation of certain back
office functions to Manila) and savings in rent and rates during the
year,offset by unfavourable exchange rate movements.
Alternative Performance Measures (APMs)
Throughout this Financial Review, certain APMs are presented.
TheAPMs used by the Group are not defined terms under IFRS
andtherefore may not be comparable with similarly titled measures
reported by other companies. They are not intended to be a substitute
for, or superior to, IFRS measures. This presentation is also consistent
with the way that financial performance is measured by management
and reported to the Board, and the basis of financial measures for senior
management’s compensation scheme, and provides supplementary
information that assists the user in understanding the financial
performance, position and trends of the Group.
We believe these APMs provide readers with important additional
information on our business, and this information is relevant for use
byinvestors, securities analysts and other interested parties as
supplemental measures of future potential performance. However,
since statutory measures can differ significantly from the APMs and
may be assessed differently by the reader, we encourage you to
consider these figures together with statutory reporting measures
noted. Specifically, we would note that APMs may not be comparable
across different companies and that certain profit related APMs may
exclude recurring business transactions (e.g. acquisition related costs)
that impact financial performance and cash flows.
As previously reported, the Group only discloses one adjusted item:
“Individually Significant Items” (which includes the £11.4m profit on
disposal of Fox Crypto and £9.5m of fundamental re-organisation,
strategic review of Escode costs and strategic review of the Cyber
business costs). As the £11.4m profit on disposal of Crypto represents
a material gain, it has been disclosed separately on the face of the
statutory income statement within the Group’s consolidated Income
Statement. The Group has the following APMs/non-statutory measures:
•
Adjusted EBITDA (reconciled below)
•
Adjusted operating profit (reconciled below)
•
Adjusted profit for the year (reconciled below)
•
Adjusted basic EPS (pence) (reconciled below)
•
Net cash/(debt) excluding lease liabilities (reconciled below)
•
Net cash/(debt) (reconciled below)
•
Cash conversion which includes Adjusted EBITDA (reconciled below)
•
Constant currency revenue (reconciled below)
The above APMs are consistent with those reported for the 16 month
period ended 30 September 2024.
The Group reports certain geographic regions and service capabilities
on a constant currency basis to reflect the underlying performance
considering constant foreign exchange rates period on period. This
involves translating comparative numbers to current period rates for
comparability to enable a growth factor to be calculated. As these
measures are not statutory revenue numbers, management considers
these to be APMs; see unaudited Appendix 1 for further details.
The following tables reconciles how these changes have affected the
historical measures of Adjusted EBITDA, Adjusted operating profit,
Adjusted profit for the period, Adjusted basic EPS and cash conversion,
which includes Adjusted EBITDA:
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 43

Alternative Performance Measures (APMs) continued
Adjusted EBITDA and Adjusted operating profit
1
Adjusted EBITDA
1
and Adjusted operating profit
1,2
are reconciled to statutory measures below:
Year ended
30 September
2025
£m
16 month
period ended
30 September
2024
£m
Operating profit/(loss) from continuing operations
3
0.7 (47. 8)
Operating profit from discontinuing operations
3
24.9 28.6
Operating profit/(loss) 25.6 (19.2)
Depreciation and amortisation 11.9 16.8
Amortisation of acquired intangibles 8.1 12.5
Individually Significant Items (1.9) 41.5
Adjusted EBITDA
1,2
43.7 51.6
Depreciation, amortisation and amortisation charge on acquired intangibles (20.0) (29.3)
Adjusted operating profit
1,2
23.7 22.3
Year ended
30 September
2025
£m
12 month
period ended
30 September
2024
£m
%
change
Cyber Security (excluding Crypto and DetACT) 16.7 18.5 (9.7%)
Central and head office (7.0) (4.8) (45.8%)
Escode (discontinued operations) 30.9 28.4 8.8%
Total Adjusted EBITDA
1,2
(excluding Crypto and DetACT) 40.6 42.1 (3.6%)
Crypto and DetACT 3.1 7.6 (59.2%)
Total Adjusted EBITDA
1,2
43.7 49.7 (12.1%)
1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance
Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (includes the £11.4m profit on disposal of Fox Crypto and £9.5m of re-organisation, strategic review of Escode
costs and strategic review of the Cyber business costs). For further details, please refer to unaudited Appendix 1 and the Financial Review, which includes an explanation of APMs and
adjusting items, along with a reconciliation to statutory information.
3 During the year, Escode incurred £6.8m (2024: £9.6m) of allocated head office overheads, which have been included within Escode’s administrative expenses. To reconcile to Escode’s
statutory operating profit, these costs are reallocated to central and head office administrative expenses in accordance with the requirements of IFRS 5 on discontinued operations.
Revenue summary
Comparing the year ended 30 September 2025 with the prior 16 month period ended 30 September 2024, overall revenue is analysed as follows:
Year ended
30 September
2025
£m
16 month
period ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
16 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Cyber Security revenue 238.9 342.1 (30.2%) 238.9 338.0 (29.3%)
Escode (discontinued operations) 66.5 87.4 (23.9%) 66.5 8 6.1 (22.8%)
Total revenue 305.4 429.5 (28.9%) 305.4 424.1 (28.0%)
Comparing year on year, overall revenue is analysed as follows:
Year ended
30 September
2025
£m
Year ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
12 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Cyber Security revenue (excluding Crypto and DetACT) 227. 4 239.2 (4.9%) 227.4 236.8 (4.0%)
Crypto and DetACT 11.5 24.0 (52.1%) 11.5 23.7 (51.5%)
Total Cyber Security revenue 238.9 263.2 (9.2%) 238.9 260.5 (8.3%)
Escode (discontinued operations) 66.5 66.0 0.8% 66.5 65.1 2.2%
Total revenue 305.4 329.2 (7. 2%) 305.4 325.6 (6.2%)
Financial review continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202544

Year ended
30 September
2025
£m
Year ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
12 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Cyber Security revenue (excluding Crypto and DetACT) 227. 4 239.2 (4.9%) 227.4 236.8 (4.0%)
Escode (discontinued operations) 66.5 66.0 0.8% 66.5 65.1 2.2%
Total revenue (excluding Crypto and DetACT) 293.9 305.2 (3.7%) 293.9 301.9 (2.6%)
Crypto and DetACT 11.5 24.0 (52.1%) 11.5 23.7 (51.5%)
Total revenue 305.4 329.2 (7. 2%) 305.4 325.6 (6.2%)
Comparing the two halves of the year against their respective prior period comparatives is as follows:
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2024
£m
% change
at actual rates
6 month
period ended
31 March
2025
£m
Constant
currency
1
6 month
period ended
31 March
2024
£m
% change at
constant
currency
1
Cyber Security revenue (excluding Crypto and DetACT) 112.0 120.8 (7.3%) 112.0 119. 5 (6.3%)
Crypto and DetACT 11.5 13.1 (12.2%) 11.5 12.7 (9.4%)
Total Cyber Security revenue 123.5 133.9 ( 7.8%) 123.5 132.2 (6.6%)
Escode (discontinued operations) 33.3 32.9 1.2% 33.3 32.7 1.8%
Total revenue 156.8 166.8 (6.0%) 156.8 164.9 (4.9%)
6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2024
£m
% change
at actual rates
6 month
period ended
30 September
2025
£m
Constant
currency
1
6 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Cyber Security revenue (excluding Crypto and DetACT) 115.4 118.4 (2.5%) 115.4 117. 3 (1.6%)
Crypto and DetACT — 10.9 (100.0%) — 11.0 (100.0%)
Total Cyber Security revenue 115.4 129.3 (10.8%) 115.4 128.3 (10.1%)
Escode (discontinued operations) 33.2 3 3.1 0.3% 33.2 32.4 2.5%
Total revenue 148.6 162.4 (8.5%) 148.6 160.7 (7.5%)
From an overall revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:
6 month
period ended
30 September
2025
£m
6 month
period ended
31 March
2025
£m
% change
at actual rates
Cyber Security revenue (excluding Crypto and DetACT) 115.4 112.0 3.0%
Crypto and DetACT — 11.5 (100.0%)
Total Cyber Security revenue 115.4 123.5 (6.6%)
Escode (discontinued operations) 33.2 33.3 (0.3%)
Total revenue 148.6 156.8 (5.2%)
1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited Appendix 1 for an explanation of APMs and adjusting
items, including a reconciliation to statutory information.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 45

Gross profit summary
Year ended
30 September
2025
£m
Year ended
30 September
2025
% margin
12 month
period ended
30 September
2024
£m
12 month
period ended
30 September
2024
% margin
% pts
change
Cyber Security gross profit (excluding Crypto and DetACT) 83.3 36.6% 88.5 37. 0 % (0.4%)
Escode (discontinued operations) 47.5 71.4% 45.4 68.8% 2.6%
Total gross profit (excluding Crypto and DetACT) 130.8 44.5% 133.9 43.9% 0.6%
Crypto and DetACT 5.1 44.3% 9.0 37. 5% 6.8%
Total gross profit and % margin 135.9 44.5% 142.9 43.4% 1.1%
Divisional performance
The following sections summarise the Group’s divisional performance for the year ended 30 September 2025, following the 16 month period ended
30 September 2024. It also compares the results for the year ended 30 September 2025 with the unaudited 12 months to 30 September 2024, including
an analysis of each year’s composition by reviewing the first and second halves and their respective comparative periods (unaudited).
Cyber Security
The Cyber Security division accounts for 78.2% of Group revenue (16 month period ended 30 September 2024: 79.7%) and 65.0% of Group gross
profit (16 month period ended 30 September 2024: 66.0%).
Cyber Security revenue analysis – by originating region:
Year ended
30 September
2025
£m
16 month
period ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
16 month
period ended
30 September
2024
£m
% change at
constant
currency
1
UK and APAC 134.4 173.3 (22.4%) 134.4 172.8 (22.2%)
North America 56.7 90.7 (37.5%) 56.7 88.0 (35.6%)
Europe 47.8 78.1 (38.8%) 47.8 77. 2 (3 8.1%)
Total Cyber Security revenue 238.9 3 42.1 (30.2%) 238.9 338.0 (29.3%)
Cyber Security revenue, analysed year on year by originating region, is as follows:
Year ended
30 September
2025
£m
12 month
period ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
12 month
period ended
30 September
2024
£m
% change at
constant
currency
1
UK and APAC 134.4 135.5 (0.8%) 134.4 135.2 (0.6%)
North America 56.7 67.0 (15.4%) 56.7 6 5.1 (12.9%)
Europe (excluding Crypto and DetACT) 36.3 36.7 (1.1%) 36.3 36.5 (0.5%)
Cyber Security revenue (excluding Crypto and DetACT) 227.4 239.2 (4.9%) 227. 4 236.8 (4.0%)
Crypto and DetACT 11.5 24.0 (52.1%) 11.5 23.7 (51.5%)
Total Cyber Security revenue 238.9 263.2 (9.2%) 238.9 260.5 (8.3%)
Comparing the two halves of the year against their respective prior period comparatives, Cyber Security revenue by originating region is analysed
as follows:
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2024
£m
% change
at actual rates
6 month
period ended
31 March
2025
£m
Constant
currency
1
6 month
period ended
31 March 2024
£m
% change at
constant
currency
1
UK and APAC 65.4 69.1 (5.4%) 65.4 69.0 (5.2%)
North America 28.6 33.4 (14.4%) 28.6 32.9 (13.1%)
Europe (excluding Crypto and DetACT) 18.0 18.3 (1.6%) 18.0 17.6 2.3%
Cyber Security revenue (excluding Crypto and DetACT) 112.0 120.8 ( 7. 3%) 112.0 119.5 (6.3%)
Crypto and DetACT 11.5 13.1 (12.2%) 11.5 12.7 (9.4%)
Total Cyber Security revenue 123.5 133.9 ( 7.8%) 123.5 132.2 (6.6%)
Financial review continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202546

6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2024
£m
% change
at actual rates
6 month
period ended
30 September
2025
£m
Constant
currency
1
6 month
period ended
30 September
2024
£m
% change at
constant
currency
1
UK and APAC 69.0 66.4 3.9% 69.0 66.2 4.2%
North America 28.1 33.6 (16.4%) 28.1 32.2 (12.7%)
Europe (excluding Crypto and DetACT) 18.3 18.4 (0.5%) 18.3 18.9 (3.2%)
Cyber Security revenue (excluding Crypto and DetACT) 115.4 118.4 (2.5%) 115.4 117. 3 (1.6%)
Crypto and DetACT — 10.9 (100.0%) — 11.0 (100.0%)
Total Cyber Security revenue 115.4 129.3 (10.8%) 115.4 128.3 (10.1%)
From a Cyber Security revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:
6 month
period ended
30 September
2025
£m
6 month
period ended
31 March 2025
£m
% change
at actual rates
UK and APAC 69.0 65.4 5.5%
North America 28.1 28.6 (1.7%)
Europe (excluding Crypto and DetACT) 18.3 18.0 1.7%
Cyber Security revenue (excluding Crypto and DetACT) 115.4 112.0 3.0%
Crypto and DetACT — 11.5 (100.0%)
Total Cyber Security revenue 115.4 123.5 (6.6%)
Cyber Security revenue analysis – by type of service and capability:
Year ended
30 September
2025
£m
16 month
period ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
16 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Technical Assurance Services (TAS) 88.4 141.4 (37.5%) 88.4 138.9 (36.4%)
Consulting and Implementation (C&I) 48.5 55.2 (12.1%) 48.5 54.6 (11.2%)
Managed Services (MS) 76.4 91.8 (16.8%) 76.4 91.2 (16.2%)
Digital Forensics and Incident Response (DFIR) 13.1 20.6 (36.4%) 13.1 20.4 (35.8%)
Other services 12.5 33.1 (62.2%) 12.5 32.6 (61.7%)
Total Cyber Security revenue 238.9 3 42.1 (30.2%) 238.9 333.7 (28.4%)
Cyber Security revenue, analysed year on year by service and capability, is as follows:
Year ended
30 September
2025
£m
12 month
period ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
12 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Technical Assurance Services (TAS) 88.4 105.6 (16.3%) 88.4 104.0 (15.0%)
Consulting and Implementation (C&I) 48.5 42.2 14.9% 48.5 41.6 16.6%
Managed Services (MS) 76.4 74.5 2.6% 76.4 74.3 2.8%
Digital Forensics and Incident Response (DFIR) 13.1 15.1 (13.2%) 13.1 15.0 (12.7%)
Other services 1.0 1.8 (44.4%) 1.0 1.9 (47. 4%)
Cyber Security revenue (excluding Crypto and DetACT) 227.4 239.2 (4.9%) 227. 4 236.8 (4.0%)
Crypto and DetACT 11.5 24.0 (52.1%) 11.5 23.7 (51.5%)
Total Cyber Security revenue 238.9 263.2 (9.2%) 238.9 260.5 (8.3%)
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 47

Divisional performance continued
Cyber Security continued
Comparing the two halves of the year against their respective prior period comparatives, Cyber Security revenue by service and capability is
analysed as follows:
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2024
£m
% change
at actual rates
6 month
period ended
31 March
2025
£m
Constant
currency
1
6 month
period ended
31 March 2024
£m
% change at
constant
currency
1
Technical Assurance Services (TAS) 45.6 52.9 (13.8%) 45.6 52.2 (12.6%)
Consulting and Implementation (C&I) 21.9 22.7 (3.5%) 21.9 22.5 (2.7%)
Managed Services (MS) 37.7 36.9 2.2% 37.7 36.6 3.0%
Digital Forensics and Incident Response (DFIR) 6.3 7.7 (18.2%) 6.3 7.6 (17.1%)
Other services 0.5 0.5 — 0.5 0.6 (16.7%)
Cyber Security revenue (excluding Crypto and DetACT) 112.0 120.7 ( 7. 2 %) 112.0 119.5 (6.3%)
Crypto and DetACT 11.5 13.2 (12.9%) 11.5 12.7 (9.4%)
Total Cyber Security revenue 123.5 133.9 ( 7.8%) 123.5 132.2 (6.6%)
6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2024
£m
% change
at actual rates
6 month
period ended
30 September
2025
£m
Constant
currency
1
6 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Technical Assurance Services (TAS) 42.8 52.8 (18.9%) 42.8 51.8 (17.4%)
Consulting and Implementation (C&I) 26.6 19.5 36.4% 26.6 19.1 39.3%
Managed Services (MS) 38.7 37.5 3.2% 38.7 37.7 2.7%
Digital Forensics and Incident Response (DFIR) 6.8 7.4 (8.1%) 6.8 7.4 (8.1%)
Other services 0.5 1.4 (64.3%) 0.5 1.3 (61.5%)
Cyber Security revenue (excluding Crypto and DetACT) 115.4 118 .6 (2.7%) 115.4 117. 3 (1.6%)
Crypto and DetACT — 10.7 (100.0%) — 11.0 (100.0%)
Total Cyber Security revenue 115.4 129.3 (10.8%) 115.4 128.3 (10.1%)
From a Cyber Security revenue trajectory perspective by service and capability, the following tables compare H2 2025 performance with H1 2025:
6 month
period ended
30 September
2025
£m
6 month
period ended
31 March
2025
£m
% change
at actual
rates
Technical Assurance Services (TAS) 42.8 45.6 (6 .1%)
Consulting and Implementation (C&I) 26.6 21.9 21.5%
Managed Services (MS) 38.7 37.7 2.7%
Digital Forensics and Incident Response (DFIR) 6.8 6.3 7. 9 %
Other services 0.5 0.5 —
Cyber Security revenue (excluding Crypto and DetACT) 115.4 112.0 3.0%
Crypto and DetACT — 11.5 (100.0%)
Total Cyber Security revenue 115.4 123.5 (6.6%)
1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited Appendix 1 for an explanation of APMs and adjusting
items, including a reconciliation to statutory information.
Financial review continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202548

Cyber Security gross profit is analysed as follows:
Year ended
30 September
2025
£m
Year ended
30 September
2025
% margin
16 month
period ended
30 September
2024
£m
16 month
period ended
30 September
2024
% margin
% pts
change
UK and APAC 54.2 40.3% 72.5 41.8% (1.5%)
North America 16.1 28.4% 18.4 20.3% 8.1%
Europe 18.1 37.9% 27.1 34.7% 3.2%
Cyber Security gross profit and % margin 88.4 37.0% 118.0 34.5% 2.5%
Cyber Security gross margins increased overall by +2.5 percentage points, driven by improvements in North American and European margins, which
reflect ongoing benefits from headcount reduction cost savings/improved utilisation in these markets.
Year ended
30 September
2025
£m
Year ended
30 September
2025
% margin
12 month
period ended
30 September
2024
£m
12 month
period ended
30 September
2024
% margin
% pts
change
UK and APAC 54.2 40.3% 61.3 45.2% (4.9%)
North America 16.1 28.4% 14.8 22.1% 6.3%
Europe 13.0 35.8% 12.4 33.8% 2.0%
Cyber Security gross profit (excluding Crypto and DetACT) 83.3 36.6% 88.5 37.0 % (0.4%)
Crypto and DetACT 5.1 44.3% 9.0 37.5% 6.8%
Cyber Security gross profit and % margin 88.4 37.0% 97.5 37.0 % —
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2025
% margin
6 month
period ended
31 March
2024
£m
6 month
period ended
31 March 2024
% margin
% pts
change
UK and APAC 26.6 40.7% 31.4 45.4% (4.7%)
North America 6.4 22.4% 7.4 22.2% 0.2%
Europe 6.4 35.6% 6.4 35.0% 0.6%
Cyber Security gross profit (excluding Crypto andDetACT) 39.4 35.2% 45.2 37.4% (2.2%)
Crypto and DetACT 5.1 44.3% 3.8 29.0% 15.3%
Cyber Security gross profit and % margin 44.5 36.0% 49.0 36.6% (0.6%)
6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2025
% margin
6 month
period ended
30 September
2024
£m
6 month
period ended
30 September
2024
% margin
% pts
change
UK and APAC 27.6 40.0% 29.9 45.0% (5.0%)
North America 9.7 34.5% 7.4 22.0% 12.5%
Europe 6.6 36.1% 6.0 32.6% 3.5%
Cyber Security gross profit (excluding Crypto and DetACT) 43.9 38.0% 43.3 36.6% 1.4%
Crypto and DetACT — — 5.2 47.7 % (47.7 %)
Cyber Security gross profit and % margin 43.9 38.0% 48.5 37.5% 0.5%
6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2025
% margin
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2025
% margin
% pts
change
UK and APAC 27.6 40.0% 26.6 40.7% (0.7%)
North America 9.7 34.5% 6.4 22.4% 12.1%
Europe 6.6 36.1% 6.4 35.6% 0.5%
Cyber Security (excluding Crypto and DetACT) 43.9 38.0% 39.4 35.2% 2.8%
Crypto and DetACT — — 5 .1 44.3% (44.3%)
Cyber Security gross profit and % margin 43.9 38.0% 44.5 36.0% 2.0%
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 49

Financial review continued
Divisional performance continued
Escode (discontinued operations)
During the year, the Escode division accounted for 21.8% of Group revenue (16 month period ended 30 September 2024: 20.3%) and 35.0% of
Group gross profit (16 month period ended 30 September 2024: 34.0%).
Escode revenue analysis – by originating region:
Year ended
30 September
2025
£m
16 month
period
ended
30 September
2024
£m
% change at
actual rates
Year ended
30 September
2025
£m
Constant
currency
1
16 month
period ended
30 September
2024
£m
%
change at
constant
currency
UK 29.4 36.5 (19.5%) 29.4 36.5 (19.5%)
North America 32.9 45.5 (27.7%) 32.9 44.3 (25.7%)
Europe 4.2 5.4 (22.2%) 4.2 5.3 (20.8%)
Total Escode revenue 66.5 87.4 (23.9%) 66.5 8 6.1 (22.8%)
Escode revenue, analysed year on year by originating region, is as follows:
Year ended
30 September
2025
£m
Year ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
Year ended
30 September
2024
£m
% change at
constant
currency
1
UK 29.4 28.0 5.0% 29.4 28.0 5.0%
North America 32.9 33.9 (2.9%) 32.9 33 .1 (0.6%)
Europe 4.2 4.1 2.4% 4.2 4.0 5.0%
Total Escode revenue 66.5 66.0 0.8% 66.5 65.1 2.2%
Escode revenue has increased by 2.2% at constant currency (0.8% at actual rates), which has predominantly been driven by favourable price
increases and volume during the year within verification services
Escode has seen consistent growth for the same reasons when comparing each half of the year, as reflected in the tables below. The following
analysis compares the two halves of the year against their respective prior period comparatives, showing Escode revenue by originating region:
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2024
£m
% change
at actual rates
6 month
period ended
31 March
2025
£m
Constant
currency
1
6 month
period ended
31 March 2024
£m
% change at
constant
currency
1
UK 14.9 14.0 6.4% 14.9 14.0 6.4%
North America 16.4 16.8 (2.4%) 16.4 16.7 (1.8%)
Europe 2.0 2.1 (4.8%) 2.0 2.0 —
Total Escode revenue 33.3 32.9 1.2% 33.3 32.7 1.8%
6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2024
£m
% change
at actual rates
6 month
period ended
30 September
2025
£m
Constant
currency
1
6 month
period ended
30 September
2024
£m
% change at
constant
currency
1
UK 14.5 14.0 3.6% 14.5 13.9 4.3%
North America 16.5 17.1 (3.5%) 16.5 16.5 —
Europe 2.2 2.0 10.0% 2.2 2.0 10.0%
Total Escode revenue 33.2 3 3.1 0.3% 33.2 32.4 2.5%
NCC Group plc — Annual report and accounts for the year ended 30 September 202550

From an Escode revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:
6 month
period ended
30 September
2025
£m
6 month
period ended
31 March
2025
£m
% change
at actual rates
6 month
period ended
30 September
2025
£m
Constant
currency
1
6 month
period ended
31 March 2025
£m
% change at
constant
currency
1
UK 14.5 14.9 (2.7%) 14.5 14.9 (2.7%)
North America 16.5 16.4 0.6% 16.5 15.5 6.5%
Europe 2.2 2.0 10.0% 2.2 2.1 4.8%
Total Escode revenue 33.2 33.3 (0.3%) 33.2 32.5 2.2%
Escode revenues analysed by service line:
Year ended
30 September
2025
£m
16 month
period ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
16 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Escrow contracts 43.0 57. 2 (24.8%) 43.0 56.5 (23.9%)
Verification services 23.5 30.2 (22.2%) 23.5 29.6 (20.6%)
Total Escode revenue 66.5 87.4 (23.9%) 66.5 8 6.1 (22.8%)
Escode revenue, analysed year on year by service line, is as follows:
Year ended
30 September
2025
£m
12 month
period ended
30 September
2024
£m
% change
at actual rates
Year ended
30 September
2025
£m
Constant
currency
1
12 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Escrow contracts 43.0 43.0 — 43.0 42.5 1.2%
Verification services 23.5 23.0 2.2% 23.5 22.6 4.0%
Total Escode revenue 66.5 66.0 0.8% 66.5 65.1 2.2%
Comparing the two halves of the year against their respective prior period comparatives, Escode revenue by service line is analysed as follows:
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2024
£m
% change
at actual rates
6 month
period ended
31 March
2025
£m
Constant
currency
1
6 month
period ended
31 March 2024
£m
% change at
constant
currency
1
Escrow contracts 22.0 22.0 — 22.0 21.8 0.9%
Verification services 11.3 10.9 3.7% 11.3 10.9 3.7%
Total Escode revenue 33.3 32.9 1.2% 33.3 32.7 1.8%
6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2024
£m
% change
at actual rates
6 month
period ended
30 September
2025
£m
Constant
currency
1
6 month
period ended
30 September
2024
£m
% change at
constant
currency
1
Escrow contracts 21.0 21.0 — 21.0 20.7 1.4%
Verification services 12.2 12.1 0.8% 12.2 11.7 4.3%
Total Escode revenue 33.2 3 3.1 0.3% 33.2 32.4 2.5%
From an Escode service line revenue trajectory perspective the following tables compare H2 2025 against H1 2025 performance:
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 51

Divisional performance continued
Escode (discontinued operations) continued
6 month
period ended
30 September
2025
£m
6 month
period ended
31 March
2025
£m
% change
at actual rates
6 month
period ended
30 September
2025
£m
Constant
currency
1
6 month
period ended
31 March 2025
£m
% change at
constant
currency
1
Escrow contracts 21.0 22.0 (4.5%) 21.0 21.4 (1.9%)
Verification services 12.2 11.3 8.0% 12.2 11.1 9.9%
Total Escode revenue 33.2 33.3 (0.3%) 33.2 32.5 2.2%
1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited Appendix 1 for an explanation of APMs and adjusting
items, including a reconciliation to statutory information.
Escode gross margin, by originating region, is analysed as follows:
Year ended
30 September
2025
£m
Year ended
30 September
2025
% margin
16 month
period ended
30 September
2024
£m
16 month
period ended
30 September
2024
% margin
% pts
change
UK 20.6 70.1% 24.8 67.9 % 2.2%
North America 23.9 72.6% 32.6 71.6% 1.0%
Europe 3.0 71.4% 3.3 61.1% 10.3%
Escode gross profit and % margin 47.5 71.4% 60.7 69.5% 1.9%
Escode gross margin, analysed year on year by originating region, is as follows:
Year ended
30 September
2025
£m
Year ended
30 September
2025
% margin
12 month
period ended
30 September
2024
£m
12 month
period ended
30 September
2024
% margin
% pts
change
UK 20.6 70.1% 19.0 67.9% 2.2%
North America 23.9 72.6% 24.1 71.1% 1.5%
Europe 3.0 71.4% 2.3 56 .1% 15.3%
Escode gross profit and % margin 47.5 71.4% 45.4 68.8% 2.6%
Escode gross margin has increased by +2.6% pts, with UK and North America increasing by +2.2% pts and +1.5% pts respectively and Europe
increasing by +15.3%. This is due to the continued benefits arising from previous investments enabling Escode to achieve sustainable revenue
growth and gross margin improvements. The improvement in gross margin was driven primarily by favourable price increases and operating efficiencies.
Comparing the two halves of the year against their respective prior period comparatives, Escode gross profit by originating region is analysed as follows:
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2025
% margin
6 month
period ended
31 March
2024
£m
6 month
period ended
31 March
2024
% margin
% pts
change
UK 10.2 68.5% 9.5 67. 9 % 0.6%
North America 11.7 71.3% 11.7 69.6% 1.7%
Europe 1.4 70.0% 1.2 57.1% 12.9%
Escode gross profit and % margin 23.3 70.0% 22.4 68.1% 1.9%
6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2025
% margin
6 month
period ended
30 September
2024
£m
6 month
period ended
30 September
2024
% margin
% pts
change
UK 10.4 71.7% 9.5 67. 9 % 3.8%
North America 12.2 73.9% 12.4 72.5% 1.4%
Europe 1.6 72.7% 1.1 55.0% 17.7%
Escode gross profit and % margin 24.2 72.9% 23.0 69.5% 3.4%
Financial review continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202552

When comparing H2 2025 performance to H1 2025, the following table summarises the gross margin trajectory:
6 month
period ended
30 September
2025
£m
6 month
period ended
30 September
2025
% margin
6 month
period ended
31 March
2025
£m
6 month
period ended
31 March
2025
% margin
% pts
change
UK 10.4 71.7% 10.2 68.5% 3.2%
North America 12.2 73.9% 11.7 71.3% 2.6%
Europe 1.6 72.7% 1.4 70.0% 2.7%
Escode gross profit and % margin 24.2 72.9% 23.3 70.0% 2.9%
Overall Escode gross margin has increased by 2.9% in H2 2025 compared to H1 2025. This is predominantly driven by an improvement in UK and
North America Escode which have increased by 3.2% and 2.6% respectively. These improvements continue to reflect an increased shift towards a
more global operating model for Escode, following the change in sales team structure during the year.
Individually Significant Items
During the year, the Group has incurred a £1.9m credit in Individually
Significant Items (ISIs) (2024: £41.5m) as follows:
2025
£m
2024
£m
Fundamental re-organisation costs 3.9 9.4
Costs associated with strategic review of
Escode business 3.8 0.1
Costs associated with strategic review of
Cyber business 1.8 —
Profit on disposal of DetACT/DDI — (1.5)
North America Cyber Security
goodwillimpairment — 31.9
Transaction costs of Fox Crypto — 1.6
Total ISIs (excluding profit on disposal
of Fox Crypto) 9.5 41.5
Profit on disposal of Fox Crypto (11.4) —
Total ISIs (1.9) 41.5
The £11.4m gain on disposal of Fox Crypto recognised in the year
ended 30 September 2025 is calculated as cash consideration of £65.6m,
less net assets disposed of £52.3m, and less £2.0m of transaction
costs incurred during the year. The difference between the £11.4m gain
recorded in the year and the £9.8m overall gain (see Note 31) reflects
£1.5m of transaction costs incurred in the 16 month period ended
30September 2024, which are not included in the current year. In addition,
£0.1m of TSA income has been accrued during the year. As this represents
a material gain on disposal, it has been separately disclosed on the face
of the Groups statutory consolidated Income Statement.
ISIs also include £3.9m (2024: £9.4m) of fundamental re-organisation
costs as we continue to reshape the Group in line with its strategy, with
the current intention to complete the final phase by December 2025.
However, this will continue to be monitored as the transformation
strategy progresses as we ensure the operating model is market
aligned, and delivery is focused to support the underlying Cyber
Security business strategy.
£3.8m (2024: £0.1m) of professional fees in relation to the ongoing
strategic review of Escode have also been incurred during the year.
Regarding the strategic review of Cyber (the “Cyber Review”), professional
fees of £1.8m (2024: £nil) have been incurred during the year.
Finance costs
The Group’s finance costs (including discontinued operations of £0.1m)
for the year ended 30 September 2025 were £5.0m (2024: £8.3m).
This annualised reduction in finance costs resulted from the Group’s
repayment of external borrowings part way through the year, following
the receipt of gross cash proceeds of £65.6m from the completion of
the Fox Crypto disposal in March 2025.
Finance costs include lease financing costs of £1.1m (2024: £1.7m),
with a reduction due to the Group’s property rationalisation.
FY26 finance costs are expected to amount to c£1.8m, following the
Group’s expected net cash position.
Taxation
The Group’s effective statutory tax rate is 17.0% (2024: 18.2%), with
the Group’s adjusted tax rate is 22.5% (2024: 24.3%).
Earnings/(loss) per share (EPS)
Year ended
30 September
2025
16 month
period ended
30 September
2024
Statutory
Statutory profit/(loss) for the year/period
from continuing operations 17.1 (32.5)
Basic earnings/(loss) per share 5.6p (10.4p)
Diluted earnings/(loss) per share 5.5p (10.4p)
Adjusted
1
Adjusted profit for the year/period 14.5 10.6
Basic EPS 4.7p 3.4p
Diluted EPS 4.6p 3.4p
Weighted average number of
shares(million)
Basic 307.1 311.7
Diluted 312.3 313.2
1 See Note 3 of the Consolidated Financial Statements for the composition of how the
Group’s statutory profit/(loss) for the year/period is comprised between continuing
operations and discontinued operations.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 53

Financial review continued
Earnings/(loss) per share (EPS) continued
Adjusted basic EPS
1
is reconciled as follows:
Year ended
30 September
2025
16 month
period ended
30 September
2024
Statutory profit/(loss) for the year/period 17.1 (32.5)
Individually Significant Items (Note 4)
2
9.5 39.9
(Profit on disposal)/transaction costs of Fox Crypto (Note 4)
2
(11.4) 1.6
Tax effect of Individually Significant Items (0.7) (5.8)
North America deferred tax asset derecognition (adjusting item) — 7.4
Adjusted profit for the year/period 14.5 10.6
Reconciliation of net debt
1
The table below summarises the Group’s cash flow and net debt
1
(including discontinued operations):
Year ended
30 September
2025
£m
Year ended 30
September
2024
£m
16 month
period ended
30 September
2024
£m
Operating cash inflow before movements in working capital 38.7 50.6 48.5
Movement in working capital and non-payables 1.2 (2.6) (10.1)
Cash generated from operating activities before interest and taxation 39.9 48.0 38.4
Interest element of lease payments (1.1) (1.6) (1.7)
Finance interest paid (3.3) (5.9) (6.0)
Taxation paid (2.0) (2.1) (4.3)
Net cash generated from operating activities 33.5 38.4 26.4
Purchase of property, plant and equipment (4.7) (4.3) (6.2)
Software and development expenditure (0.4) (1.3) (2.6)
Acquisition of trade and assets as part of a business combination — — (1.0)
Sale proceeds from business disposals 61.4 10.4 12.4
Equity dividends paid (19.0) (14.5) (14.5)
Repayment of lease liabilities (principal amount) (6.8) ( 7.9) (10.2)
Acquisition of treasury shares (5.8) (5.8) (5.8)
Proceeds from the issue of ordinary share capital 0.3 0.3 0.3
Net movement 58.5 15.3 (1.2)
Opening net debt (excluding lease liabilities)
1
(45.3) (67. 5) (49.6)
Non-cash movements (release of deferred issue costs) (0.5) (0.5) (0.6)
Foreign exchange movement 0.4 7.4 6 .1
Closing net cash/(debt) excluding lease liabilities
1
13.1 (45.3) (45.3)
Lease liabilities (19.5) (27.6) (27.6)
Closing net debt
1
(6.4) (72.9) (72.9)
1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative
Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation
to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic
review of Escode and strategic review of Cyber costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which includes an explanation of APMs and
adjusting items, along with a reconciliation to statutory information. The gain on disposal of Fox Crypto was non-taxable.
NCC Group plc — Annual report and accounts for the year ended 30 September 202554

Year ended
30 September
2025
£m
16 month
period ended
30 September
2024
£m
Cash and cash equivalents 16.4 29.8
Bank overdraft — (13.6)
Borrowings (net of deferred issue costs) – continuing operations (3.3) (61.5)
Net cash/(debt) excluding lease liabilities
1
13.1 (45.3)
Lease liabilities (19.5) (27.6)
Net debt
1
(6.4) (72.9)
Net cash/(debt), excluding lease liabilities, for discontinued and continuing operations is presented below:
Year ended
30September
2025
£m
16 month
period ended
30 September
2024
£m
Net cash/(debt) excluding lease liabilities
1
– continuing operations 9.2 (47. 3)
Net cash excluding lease liabilities
1
– discontinuing operations 3.9 2.0
Net cash/(debt) excluding lease liabilities
1
13.1 (45.3)
Net debt
1
can be reconciled as follows:
Reconciliation of net change in cash and cash equivalents to movement in net debt
1
:
Year ended
30 September
2025
£m
16 month
period ended
30 September
2024
£m
Net decrease in cash and cash equivalents (inc. bank overdraft) (1.0) (18.4)
Change in net debt
1
resulting from cash flows (net of deferred issue costs) 59.2 17.2
Release of deferred issue costs (0.5) (0.6)
Issue costs related to borrowings (non-cash) 0.3 —
Effect of foreign currency on cash flows 1.2 2.3
Foreign currency translation differences on borrowings (0.8) 3.8
Change in net debt
1
during the year/period 58.4 4.3
Net debt
1
at start of period excluding lease liabilities (45.3) (49.6)
Net cash/(debt)
1
at end of period excluding lease liabilities 13.1 (45.3)
Lease liabilities (19.5) (27.6)
Net debt
1
at end of year/period (6.4) (72.9)
1 Net cash/(debt) and Net cash/(debt) excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review
for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
The reduction in net debt is predominantly driven by the completion of the Fox Crypto disposal in March 2025, where the Group received sale
proceeds (net of cash disposed of) of £61.4m. This amount has been utilised to reduce the Group’s borrowings during the year.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 55

Financial review continued
Reconciliation of net debt
1
continued
The calculation of the cash conversion ratio
1
is set out below:
Year ended
30 September
2025
£m
Year ended
30 September
2024
£m
16 month
period ended
30 September
2024
£m
Operating cash flow before interest and taxation 39.9 48.0 38.4
Adjusted EBITDA
1,2
43.7 49.7 51.6
Cash conversion ratio
1,2
(%) 91.3% 96.6% 74.4%
1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative
Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation
to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic
review of Escode and strategic review of Cyber costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which includes an explanation of APMs and
adjusting items, along with a reconciliation to statutory information.
Cash conversion has improved by 16.9% pts to 91.3% as at 30 September 2025 (when compared to the previous audited period), primarily driven
by stronger performance in the second half of the year and favourable movements in the Group’s working capital, reflecting improved collectability.
For reference, cash conversion was 62.3% in H1 2025 and 119.4% in H2 2025.
Cash capital expenditure during the period was £5.1m (2024: £8.8m), which includes tangible asset expenditure of £4.7m (2024: £6.2m) and
capitalised software and development costs of £0.4m (2024: £2.6m). Following the opening of our new Fox-IT office in October 2025, the Group
incurred £1.6m of tangible capital expenditure during the year to fit out the premises and make the office operational.
During the year, the Company acquired treasury shares (4,000,000 ordinary shares) for £5.8m, this follows shares (4,000,000 ordinary shares)
purchased in the prior period 2024 for £5.8m. The shares are held in the EBT, which is a discretionary trust for the benefit of the Group’s colleagues.
The shares will be used to satisfy the future vesting requirements of share plans the Company operates under the Long Term Incentive Plan, the
Restricted Share Plan and other discretionary share plans. Following this purchase, and as at 30 September 2025, the EBT holds a total of
8,485,195 ordinary shares (2024: 5,158,090), equating to 2.69% of the Company’s issued share capital.
As announced on 21 October 2025, the Board will commence an initial share buy-back programme in December 2025/January 2026. This will
becarried out under our existing shareholder authority and in line with our capital allocation policy, as well as all relevant legal and regulatory
requirements. Our current dividend policy will remain unchanged by the share buy-back programme.
Dividends
During the year, total dividends of £9.2m were recognised and paid (2024: £14.5m). In addition, the interim dividend of £9.8m for the period ended
30 September 2024 (3.15p per share) was recognised in the prior period and paid during the year on 1 October 2024.
The Board is proposing a final dividend of 3.15p per ordinary share for the year ended 30 September 2025, as it remains mindful of the continued
need to invest in the Group’s strategy, marking 20 consecutive years of dividend payments for shareholders.
The final dividend of 3.15p per ordinary share, which, together with the interim dividends of 1.50p and 1.50p per ordinary share paid on 4 April 2025
and 1 August 2025 respectively, makes a total dividend of 6.15p for the year ended 30 September 2025.
The final dividend will be paid on 10 April 2026, subject to approval at the AGM on 3 March 2026, to shareholders on the register at the close of
business on 13 March 2026. The ex-dividend date is 12 March 2026. The dividend has not been included as a liability as at 30 September 2025.
The payment of this dividend will not have any tax consequences for the Group.
NCC Group plc — Annual report and accounts for the year ended 30 September 202556

Our FY26 framework
Looking forward to FY26, we will measure ourselves against the
following goals:
Sustainable revenue growth
•
Deliver underlying growth in Cyber Security
•
Deliver return on sales investment in Cyber Security
•
Drive C&I and MS as a proportion of revenue
•
Maintain momentum in Escode
Improved gross margin
•
Increase Cyber utilisation from 70% to 75%
•
Data driven pricing and margin investment decision making
•
Drive enhanced benefits from globalised technical resource footprint
Efficiency for growth
•
Simplify operating model in Cyber and Escode to generate efficiencies
•
Drive consistent profit conversion in every market
Capital deployment supporting growth
•
Strong cash conversion
•
Sustain appropriate liquidity and debt facilities
•
Execute share buy-back programme
•
Dividend policy
Guy Ellis
Chief Financial Officer
11 December 2025
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 57

Chair’s introduction to governance
Governance standards
The Board is committed to high standards of corporate governance and
is pleased to confirm that throughout the year ended 30 September 2025,
the Company complied with all relevant provisions of the UK Corporate
Governance Code other than the fact that we have not undertaken a
formal Board and Committee evaluation (the reasons why are set out
below). A key focus of the Code is culture and ensuring it aligns with the
Group’s purpose, strategy and values. Culture has been high on the
Board’s agenda for a long time and the Board considers culture to be
an essential ingredient in meeting our long-term, sustainable returns
toall stakeholders.
The Board, the Executive Committee and senior management continue
to promote our culture and standards throughout the business and lead
by example to provide a strong corporate governance framework.
One of the most significant parts of the Code affecting NCC Group is in
respect of workforce engagement. Our main stakeholder is our colleagues
and we continue to maintain meaningful mechanisms to ensure that we,
as a Board, have constructive and regular dialogue with our dedicated
and committed workforce. This then puts us in a strong position to
deliver our strategy.
During the year, Julie Chakraverty, Senior Independent Director and
designated Non-Executive Director for workforce engagement, has
been continuing to reach out to colleagues across the business. As a
people business, insights from our colleagues are invaluable; therefore,
colleague engagement is a crucial area for us to continue to focus on
and continue to get right. We have not let distance or differing time
zones be a barrier to hearing our colleagues’ opinions around the
Board table.
Our approach
The Directors have acted in a way they consider, in good faith, to be
most likely to promote the long-term success of the Company. Our role as
the Board is to set the strategy of the Group and ensure that management
operates the business in accordance with our priorities. We believe this
approach will promote the Group’s long-term success and our customers’
interests as well as creating value for shareholders and having regard
toour other key stakeholders such as our colleagues.
The Board’s intention is to hand over the business to our successors in
a better and more sustainable position for the future. We recognise the
continued focus on the contribution that a successful company can
make to wider society in general, in addition to generating value for
shareholders, and as a Board we want to ensure that we have effective
engagement with, and encourage participation from, shareholders and
other stakeholders. The Board acknowledges that there are competing
priorities for different stakeholders but strives to balance the priorities,
while ensuring decisions made are in the best interests of the Company.
Board composition and diversity
The biographies of all the Board members can be found on pages 62
and 63. There have been no changes to the Board during the year. With
regard to our current diversity, I am satisfied that we have an appropriately
diverse Board in terms of experience, skills and personal attributes among
our Board members. The Directors have many years of experience
gained across a variety of industries and sectors, ensuring a mix of
views and providing a broad perspective.
Dear Shareholder
On behalf of the Board, I am pleased to present the Corporate Governance
Report for the year ended 30 September 2025. Throughout the year
the Board has worked cohesively as a team and Iwould like to thank
each Director for their wise counsel and continued efforts during this
time. The Board is composed of highly skilled and experienced Directors
from a diverse range of industries and backgrounds, all of whom contribute
towards the long-term success of the Company and show commitment
and enthusiasm in the performance of their roles and duties.
I would like to thank all of my Board colleagues for their commitment,
support and flexibility over the past year. We now meet as a Board
predominantly face to face, but we still use virtual meetings for shorter
update meetings or when we need to meet at short notice. This continued
hybrid way of working has enabled us to maintain strong governance
and robust decision making, delivering against our strategy. We had
theopportunity during the year tohold a number of Board dinners
either the night before or following Board meetings. This informal time
together as a Board, which often has other colleagues from across the
business in attendance, allows usto talk matters through and also
fosters a culture of team and togetherness away from the more formal
setting of theboardroom.
The Board is committed to creating and maintaining a culture where
strong levels of governance thrive throughout the organisation, specifically
ensuring that we send out consistent messages on our values and
principles for our colleagues, our customers, our suppliers and
ouradvisers.
Chris Stone
Non-Executive Chair
NCC Group plc — Annual report and accounts for the year ended 30 September 202558

We recognise that we still have some progress to make in terms of
improving the diversity of the Board and our executive team (and
indeed our workforce as a whole). During the year ended 31 May 2021,
we made the firm commitment that by 2024, we will have at least 33%
female representation on our Board and at least one person of colour.
We have now delivered on our commitment and are also on course to
meet the FTSE Women Leaders Review and Listing Rules target of 40%
female representation by the end of 2025. Although this is best practice
for FTSE 350 companies, we have committed to this target regardless
of which share index we are in. Our Board now has 43% female
representation (three out of seven) and we will look to improve this
further still during any future appointments to the Board.
Improvements in diversity are often not a quick process but we are very
mindful of the need to take positive action, and the matter continues to
remain high on our agenda, as can be seen with the progress we have
made over recent years. Accessing the candidates we require to reach
this target will involve us looking beyond the obvious pool of existing
board directors within the UK and we intend to ensure that we extend
our talent search to other sectors and countries enabling us to find a
diverse pool of candidates from which to choose to provide us with true
diversity around our Board table.
To confirm, as at 30 September 2025, we complied with the following:
•
At least 40% of the individuals on our Board of Directors are women.
•
At least one of the senior positions on our Board of Directors is held
by a woman (our Senior Independent Director).
•
At least one individual on our Board of Directors is from a minority
ethnic background.
Effectiveness
As Chair, I am responsible for providing leadership to ensure that
theBoard operates effectively. I have been supported in this by all
theDirectors, but in particular our Senior Independent Director
(JulieChakraverty).
The annual reviews of Board effectiveness help the Board to consider
how it operates and how its operations can be improved. This year, we
have not undertaken a formal review of the Board and its Committees.
Building on our inaugural externally facilitated Board evaluation in
2023,we undertook a comprehensive internally facilitated Board and
Committee evaluation in 2024, where we took significant time to discuss
the output and agree actions in January 2025. We felt that we wanted
further time to embed the actions from previous evaluations into how
we operate and work together as a Board and felt that pausing the
formal review process for a year was a sensible course of action. In
addition, a significant amount of Board time and focus was taken up by
anumber of strategic considerations, as well as being in an “offer period”
since mid-July 2025. We concluded that undertaking a Board and
Committee evaluation process at this time would not be appropriate,
given the significant level of activity currently underway. In reaching this
decision, the Board considered the importance of maintaining focus on
critical strategic and operational priorities during a period of heightened
activity. While evaluations are an integral component of good governance
and support continuous improvement, the timing of such a process must
ensure that it adds value rather than creating unnecessary burden or
distraction. The Board remains committed to undertaking a comprehensive
evaluation when circumstances allow, in line with best practice. Our
intention is for our next review to be externally facilitated and we will look
to undertake this during 2026. As a reminder, Board succession planning
remains a priority, particularly as we look to ensure the Board and
Executive Committee have the right set of skills and experience to
support the Group as the businessevolves.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 59

Chair’s introduction to governance continued
Board tenure as at 30 September 2025
2017 2018 2019 2020 2021 2022 2024 20252023
30 September:
Our investors
We are in regular contact with our large investors through a scheduled
programme of meetings attended by our CEO, CFO and Chair. Julie
Chakraverty (Senior Independent Director), Lynn Fordham (Audit
Committee Chair) and Jennifer Duvalier (Remuneration Committee Chair)
are also available to meet with investors should the need arise. In May 2025,
we hosted an immersive experience to help our shareholders and analysts,
along with other industry professionals from insurance brokers and
financial services, to understand how we would help clients respond to
cyber incidents. Particular highlights during the year were NCC Group
winning the IR Society award for “Best IR Programme 2024 (Small Cap)”,
and also being shortlisted for the IR Society award for “Best Communication
of Sustainability 2024 (Small Cap)”.
I continue to meet with our larger investors and report my findings
toBoard colleagues. Investor engagement has remained a priority
throughout the year and has been conducted in full compliance with
Offer Period regulations. In addition, our brokers have undertaken investor
surveys following the half-year results, and the findings were presented
and discussed at a Board meeting. Our objective is to maintain open,
transparent, and meaningful dialogue with our shareholders.
Ensuring that the Directors’ remuneration packages align the Directors’
and senior managers’ interests with the long-term interests of NCC
Group and its shareholders is always a key area of interest for investors.
The 2024 Directors’ Remuneration Policy received 89.61% of votes in
favour at the 2025 AGM, and it was pleasing that our 2024 Directors’
Remuneration Report received 80.33% of votes in favour, recognising
the continued appreciated support of our shareholders for our
approach to executive remuneration.
Statement of compliance with the UK Corporate
Governance Code
The Company measures itself against the requirements of the UK
Corporate Governance Code 2018 (the “Code”), which is available
onthe Financial Reporting Council website (www.frc.org.uk).
I can confirm that the Board has applied the principles and complied
with the provisions of the UK Corporate Governance Code 2018
throughout the year to 30 September 2025 other than the fact that
wehave not undertaken a formal Board and Committee evaluation
forthe reasons explained earlier.
Thank you
We are immensely proud of our colleagues for their continuing
extraordinary efforts, always acting in the best interests of our customers
and our stakeholders. I would like to thank all our colleagues for their
incredible contribution in stepping up and meeting the challenges that
the Group has faced over the past year.
Chris Stone
Non-Executive Chair
11 December 2025
Mike Maddison
Guy Ellis
Chris Stone
Lynn Fordham
Julie Chakraverty
Jennifer Duvalier
Mike Ettling
8 years 6 months
3 years 3 months
2 years 3 months
3 years 9 months
7 years 5 months
8 years 0 months
3 years 1 month
NCC Group plc — Annual report and accounts for the year ended 30 September 202560

Governance framework
The different parts of the Company’s governance framework are shown below,
withadescription of how they operate and the linkages between them.
Currently comprises the Group’s most senior business and operational Executives.
It is responsible for assisting the Chief Executive Officer in the performance of its duties including:
•
Developing the budget
•
Monitoring the performance of the different divisions of
the Company against the plan
•
Carrying out a formal risk review process
•
Reviewing the Company’s policies and procedures
•
Prioritisation and allocation of resources
•
Overseeing the day-to-day running of the Company
•
Being responsible for people, talent and culture
Provides leadership and is responsible for the overall management of NCC Group, and its strategy, long-term objectives and risk management.
It ensures the right Company structure isin place to deliver long-term value to shareholders and other stakeholders.
Has responsibility for managing the business and overseeing the implementation of the strategy agreed by the Board.
Support the Board in its work with specific areas of review and oversight objectives and risk management.
They ensure the right Company structure is in place to deliver long-term value to shareholders and other stakeholders.
Board
(The Board has collective responsibility to promote the long-term sustainable success of the Group,
ensuringdueregardispaidtotheinterests of its stakeholders.)
Board Committees
(The Board oversees the Group’s operations through a unitary Board and four principal Committees, being Audit, Nomination,
Remuneration and Cyber Security. The terms of reference for these Committees can be found on our website. Further information
onthework of these Committees can be found in later sections of this Annual Report and Accounts.)
Executive Committee (“ExCom”)
Chief Executive Officer
(Manages the day-to-day operations of the Group, prioritising and allocating resources.
The CEO is supported by the Executive Committee.)
Primary function is to assist the
Board in fulfilling its financial and
risk responsibilities. It also reviews
financial reporting, the internal
controls in place and the external
audit process.
Responsible for considering the
Board’s structure, size, composition,
diversity and succession planning.
Responsible for overseeing and
advising on the Group’s exposure to
cyber risk, its future cyber risk
strategy, its Cyber Security breach
response, its crisis management
plan and the review of reports on
any Cyber Security incidents.
Responsible for determining
theoverall remuneration of
theExecutive Directors and
theremuneration of senior
managers (ExCom) within the
broader institutional context
ofremunerationpractice.
Audit
Committee
Nomination
Committee
Cyber Security
Committee
Remuneration
Committee
Read more
on pages71 to 76
Read more
on pages77 and 78
Read more
on pages79 and 80
Read more
on pages81 to 93
For further details on Board composition and division of responsibilities, see pages64 to 69
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 61

Board of Directors
Our business is led by
our Board ofDirectors
Biographical and other details of the Directors are as follows:
During the year a number of Directors took on additional appointments outside of their role
with NCC Group. The Board considered these appointments and concluded that these
appointments did not conflict with NCC Group, and the Director would have sufficient time to
devote to NCC Group following the additional appointments, and that theappointments did
not result in the Directors concerned being“overboarded”.
View our Executive Committee:
nccgroupplc.com/our-board-executive-committee/
Other Directors during the year
No other Directors served on the Board during the year.
Chris Stone
Non-Executive Chair
Mike Maddison
Chief Executive Officer
Guy Ellis
Chief Financial Officer
N C
Appointment to the Board
6 April 2017
Career experience
Chris has held various Non-Executive Director
and Chief Executive roles at listed and private
equity backed technology companies. He was
CEO of Northgate Information Solutions plc
from 1999 to 2008, until its sale, and stayed
as CEO until 2011. From 2013 to 2016, he
was CEO of Radius Worldwide. Chris was
alsoa Non-Executive Director of CSR plc,
andChair of the Remuneration Committee,
from 2012 until its sale in 2015. Chris was
alsoChair of AIM listed CityFibre plc from
January2017 until June 2018, when it was
sold to private equity buyers. Chris has also
been Chair of Everynet B.V., a privately owned
Internet of Things infrastructure business.
External appointments
Chris is currently Chair of AIM listed Idox plc.
Appointment to the Board
7 July 2022
Career experience
Mike served as Head of EY’s Cyber Security,
privacy and trusted technology practice for
EMEA from 2017, achieving sustained growth
across 97 countries and strengthening EY’s
standing as a leading adviser in the field. Prior
to this, he led PwC’s risk services practice
inthe Middle East, following a decade as
Head of Deloitte’s EMEA Cyber Security
consultancy, where he also delivered
substantial growth.
External appointments
Mike does not currently have any
externalappointments.
Appointment to the Board
30 June 2023
Career experience
Guy joined NCC Group in 2021, as Director
ofCommercial Finance as well as serving as
Interim Managing Director of our Escode
business, and most recently as Interim
Managing Director of our UK Cyber Security
business.
Guy has over 25 years’ experience in finance
and commercial roles in the retail sector for
brands including Asda and Specsavers. This
experience and the recent interim roles in
NCC Group have given him a breadth of
understanding of the commercial drivers
andoperations across the whole business.
External appointments
Guy does not currently have any
externalappointments.
NCC Group plc — Annual report and accounts for the year ended 30 September 202562

Committee key:
A
Member of
Audit Committee
C
Member of
CyberSecurity
Committee
N
Member of
Nomination Committee
R
Member of
Remuneration
Committee
Committee Chair
Julie Chakraverty
Senior Independent
Non-Executive Director
(anddesignated
Non-ExecutiveDirector for
workforceengagement)
Jennifer Duvalier
Independent
Non-Executive Director
Mike Ettling
Independent
Non-Executive Director
Lynn Fordham
Independent Non-Executive
Director (and lead Non-Executive
Director forSustainability)
A C N R C N R A A C N R
Appointment to the Board
1 January 2022
Career experience
Julie has a wealth of plc board
experience, formerly serving as a
Non-Executive Director on the
boards of Santander UK and
Abrdn plc (formerly Standard
LifeAberdeen plc, having been
Senior Independent Director and
Chair of the Risk and Innovation
Committees for Aberdeen Asset
Management plc prior to
merging). She has also been
Chair of the Remuneration
Committee for the global insurer
MS Amlin plc, a Non-Executive
Director for Spirit Pub Company
Limited and a Trustee for The
Girls’ Day School Trust. During
her executive career, Julie
wasaboard member of UBS
Investment Bank, where she held
a number of global leadership
positions and won industry
awards for innovation every
yearfrom 2001–2009 for her
“CreditDelta” technology
product. Julie was also a Director
and founder of Rungway Limited,
an employee engagement
platform used by leading
globalfirms.
External appointments
Julie is currently an Independent
Non-Executive Director of
easyJet plc, AJ Bell plc and
Starling Bank Limited.
Appointment to the Board
25 April 2018
Career experience
Jennifer was Executive Vice
President of People at ARM
Holdings plc, with responsibility
for all people and internal
communications activity globally,
from September 2013 to
March2017.
External appointments
Jennifer is currently the Senior
Independent Director of Trainline
plc (where she is also a member
of the Audit and Risk, Nomination
and Remuneration Committees)
and an Independent Non-Executive
Director and Chair of the
Remuneration Committee of
MitieGroup plc (as well as being
a member of its Nomination
Committee she is also the
designated Non-Executive Director
for colleague engagement at
bothcompanies). She is also
aNon-Executive Director of
TheCranemere Group Ltd and
aTrustee of Somerset House
(aUK-based charity), an adviser
to New York Presbyterian hospitals
group in the US, and an external
adviser to the People and
Remuneration Committee of
theWellcome Trust.
Appointment to the Board
22 September 2017
Career experience
Mike has strong sector and
non-executive experience. He
has had an extensive career in
global technology businesses
including Unit4, SAP-
Sucessfactors, NorthgateArinso,
Unisys, Synstar and EDS and
was formerly a Non-Executive
Director of Backoffice Associates
LLC, a US PE backed data
business, and also formerly a
Non-Executive Director of Telkom
BCX Ltd, a South African IT and
telecommunications business.
Mike has also served as a
Non-Executive Director with
Topia Inc, a Silicon Valley cloud
relocation software business. He
has also served as a Non-Executive
Director of Impellam plc, an AIM
listed recruitmentbusiness.
External appointments
Mike is currently an Operating
Partner at Advent International
and Chair of Syspro Ltd, andisalso
an Independent Non-Executive
Director of Optima Health Plc.
Appointment to the Board
1 September 2022
Career experience
Lynn, a Chartered Accountant, was
most recently Managing Partner of
private investment firm Larchpoint
Capital LLP, a position she held
from 2017 to 2021. Prior to joining
Larchpoint, Lynn was CEO of
SVGCapital for eight years, having
previously served as CFO. Before
that she held senior finance, risk
and strategy positions at Barratt
Developments, BAA, Boots, ED&F
Man, BAT and Mobil Oil. She also
served as a Non-Executive Director
on the board of Fuller, Smith &
Turner for seven years until 2018,
chairing its Audit Committee. Lynn
was also a supervisory board
member of VARO Energy B.V.
External appointments
Lynn is currently Chair and
amember of the Nomination
Committee of NewRiver REIT plc
and Pollen Street Group Limited.
She serves as a Non-Executive
Director and Chair of the Finance,
Risk and Audit Committees at
Enfinium Group Limited (private).
From 17 September 2025, Lynn
isalso a Special Adviser to the
Board of Domino’s Pizza Group,
having stepped down from the
Board as the Senior Independent
Director at the same date.
Lynnadditionally chairs RMA
– The Royal Marines Charity.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 63

Board composition and division of responsibilities
The Board has agreed a clear division of responsibilities with the responsibilities of the Chair, Chief Executive Officer, Chief Financial Officer, Senior
Independent Director and other Directors clearly defined so that no individual has unrestricted powers of decision and no small group of Directors
can dominate the Board’s decision making.
Role Responsibilities
Chair of the Board
(Chris Stone)
Is responsible for the running and leadership of the Board, setting its agenda and ensuring its effectiveness
inallaspects of its role, and promoting a culture of openness, debate and the highest standards of corporate
governance. The Chair, in conjunction with the CEO and other Board members, plans the agendas, which are
issued with the supporting Board papers in advance of the Board meetings. These supporting papers provide
appropriate information to enable the Board to discharge its duties, which include monitoring, assessing and
challenging the executive management of the Group.
Chief Executive Officer
(Mike Maddison)
Together with the senior management team (ExCom), is responsible for the day-to-day running of the Group’s
business, implementing the strategy and policies approved by the Board, and regularly providing performance
reports to the Board. The role of CEO is separate from that of the Chair to ensure that no one individual has
unfettered powers of decision.
Chief Financial Officer
(Guy Ellis)
Works closely with the CEO with specific responsibility for all financial matters, including Group accounting
policies, financial control, tax and treasury management, risk management and financial probity. The CFO is
alsoaccountable for the transparency and appropriateness of management information and key performance
indicators, internally and externally.
Senior Independent
Director
(JulieChakraverty)
Provides a sounding board for the Chair and serves as an intermediary for other Directors, colleagues and
shareholders when necessary. The main responsibility is to be available to the shareholders should they have
concerns that they have been unable to resolve through normal channels or when such channels would
beinappropriate.
Non-Executive Directors
(Jennifer Duvalier,
MikeEttling and
LynnFordham)
Bring experience and independent judgement to the Board. Maintain an ongoing dialogue with the Executive
Directors, which includes constructive challenge of performance and the Group’s strategy.
Designated
Non-Executive Director
forengagement with
theworkforce
(JulieChakraverty)
Leads on Board engagement with the workforce (please see separate section on page 14).
Company Secretary
(Jonathan Williams)
Ensures good information flows within the Board and its Committees and between senior management and
Non-Executive Directors. The Company Secretary is responsible for facilitating the induction of new Directors and
assisting with their professional development as required. All Directors have access to the advice and services of
the Company Secretary to enable them to discharge their duties as Directors. The Company Secretary is responsible
for ensuring that Board procedures are complied with and for advising the Board via the Chair on governance
matters. The appointment and removal of the Company Secretary is a matter for the Board as a whole.
Gender identity or sex as at 30 September 2025
No. of Board
members
% of
the Board
No. of senior positions on the
Board (CEO, CFO, SID, Chair)
No. in executive
management (ExCom)
% of
executive management
Men 4 57% 3 5 71%
Women 3 43% 1 2 29%
Not specified/prefer not to say — — — — —
Ethnic background as at 30 September 2025
No. of Board
members
% of
the Board
No. of senior positions on the
Board (CEO, CFO, SID, Chair)
No. in executive
management (ExCom)
% of
executive management
White British or other White
(includingminority White groups) 5 72% 3 6 86%
Mixed/multiple ethnic groups — — — — —
Asian/Asian British 1 14% 1 1 14%
Black/African/Caribbean/Black British — — — — —
Other ethnic group, including Arab — — — — —
Not specified/prefer not to say 1 14% — — —
NCC Group plc — Annual report and accounts for the year ended 30 September 202564

Meetings and attendance
The Board considers that each Director is able to allocate sufficient time to the Company to discharge their responsibilities effectively. The Non-Executive
Directors are contracted to spend a minimum of 24 days per annum on the Group’s affairs, and the Chair 60 days.
A summary of each current Director’s attendance at meetings that they were eligible to attend of the Board and its Committees during the financial
year ended 30 September 2025 is shown below. Unless otherwise indicated, all Directors held office throughout the year.
For the avoidance of doubt, no concerns have been raised about the attendance record of any Directors, nor their continued commitment to their
work and NCC Group.
Board Audit Nomination Cyber Security Remuneration
Chris Stone
8 9
1
N/A
1 1
*
1 1
N/A
Mike Maddison
9 9
N/A N/A N/A N/A
Guy Ellis
9 9
N/A N/A N/A N/A
Lynn Fordham
9 9 4 4
*
1 1 1 1 5 5
Julie Chakraverty
9 9 3 4
2
1 1 1 1
*
4 5
2
Jennifer Duvalier
9 9
N/A
1 1 1 1 5 5
*
Mike Ettling
9 9 4 4
N/A N/A N/A
At all times, all of the Board and Committee meetings remained quorate.
Meetings attended
Possible meetings
* Committee Chair
N/A Director is not required to attend the meeting, but may have attended by invitation.
1 Was unable to make one meeting due to an important personal matter that could not be rearranged.
2 Unable to make one Committee meeting because of a pre-existing business commitment (scheduled before NCC Group set its Board and Committee meeting dates) that could not
berearranged.
What principal decisions have been made and what have we looked at as a Board during 2024/25?
Section 172 statement
Section 172 of the Companies Act 2006 requires a director of a company to act in the way they consider, in good faith, would most likely promote
the success of the company for the benefit of its members as a whole, but having regard to a range of factors set out in section 172(1)(a)–(f) of the
Companies Act 2006. In discharging our section 172 duty, we have regard for these factors, taking them into consideration when decisions
aremade.
The Board understands the importance of stakeholder engagement and, through regular updates from the Executive Directors and other senior
managers, it has provided challenge and oversight throughout the year. The Company’s stakeholders are set out on pages 14 and 15, with an
overview of how we engage with them, how they relate to our strategy and highlights from the previous year.
Principal decisions made during the year
Throughout this Annual Report, we have provided examples of how we have thought about the likely consequences of long-term decisions and
detailed below is how the Board considered stakeholders, and the information we received through engagement, in a number of its key decisions
in2024/25.
When making each decision, the Board carefully considered how it impacted on the success of the Group and its long-term (financial and
non-financial) impact and had due regard to the other matters set out in section 172(1)(a)–(f) of the Companies Act 2006.
The below should be read in conjunction with our Stakeholder Engagement section on pages 14 and 15, along with other sections of the Annual
Report where appropriate.
Topic Stakeholder group Decision taken Engagement process Reference
Approving a new
four year £120m
multi-currency
revolving
creditfacility
Colleagues,
shareholders,
clients, suppliers
During the year, the decision was
taken to approve a new four year
£120m multi-currency revolving
credit facility (RCF), with a £50m
uncommitted accordion option,
provided by a syndicate of four banks.
The new RCF facility will expire on
28April 2029 and replaces the
Group’s previous RCF, which had an
expiry date of 22 December2026.
We communicated the new RCF
viaan RNS announcement.
The new RCF will provide our
stakeholders with the reassurance
that NCC Group has appropriate and
sufficient financial facilities through
to April 2029, along with the financial
flexibility and means to pursue its
strategy both now and in the
comingyears.
Strategic Report
onpage 38
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 65

What have we looked at as a Board during 2024/25?
At every meeting the Board reviews the minutes from the previous
meeting and the status of any outstanding actions. Colleague engagement
is a standing agenda item presented by Julie Chakraverty as our
designated Non-Executive Director for workforce engagement. The
CEO and CFO present their monthly performance update reports,
which are also circulated to Board members in months where there
isno scheduled Board meeting.
The Board has also reviewed the following during 2024/25:
Leadership and colleagues
•
Received an update on colleague engagement and the results of the
annual colleague engagement survey, and any questions colleagues
have raised on executive remuneration and how this aligns with the
wider Company pay policy
•
Continued with the colleague engagement programme, led by an
appointed designated Non-Executive Director, with an update to the
Board at every Board meeting
•
Been updated on senior management changes to the
ExecutiveCommittee
•
Spent time with the new Chief Commercial Officer, and the newly
promoted Chief People Officer
•
Spent informal time with wider colleagues during Board meetings
and visits held at our offices
Strategy
•
Continued to be kept informed of progress with the Group’s strategy
•
Held a dedicated strategy session
•
Discussed the strategy session and the key points arising out of it,
along with regular check-ins on progress against strategy
•
Had a number of post-acquisition reviews of acquisitions that the
Group had made over the past few years
•
Kept updated on the progress of a non-core disposal in the
Netherlands (the Fox Crypto business)
Governance
•
Continued with the colleague engagement programme, with an
appointed designated NED leading the Board’s engagement activities
•
Considered and approved a number of amendments to the Group’s
delegated authority/authorised signatory matrix
•
Discussed and approved the Group’s Modern Slavery Statement
•
Received reports on any material litigation and colleague litigation
issues affecting the Group
•
Reviewed and approved a number of country risk assessments for
work in certain countries
•
Held a dedicated Enterprise Risk Management (ERM) Board
workshop facilitated by the Director of Global Governance and
Global Head of Risk and Assurance
•
Introduced new standing Board agenda item of having a “meeting
reflections” session at the end of each Board meeting to play back
what had been discussed at the meeting, and suggest topics for
future Board meetings
Financial
•
Reviewed and approved the Annual Report and Accounts, ensuring
that it is fair, balanced and understandable
•
Discussed and approved the full-year and half-year results and
associated presentations to investors
•
Approved the interim and final dividends, and discussed the
dividendpolicy
•
Noted and approved the Group insurance cover renewal
•
Discussed and approved the 2025/26 budget
•
Considered and approved the market purchase of shares to fund
future discretionary share plan maturities
•
Received external presentations on shareholder perspectives on
theCompany, including receiving regular updates from investor
meetings and noting circular investor letters
•
Considered and approved the Group’s new refinancing arrangements
Other Group business
•
Kept updated on a number of strategic projects
•
Discussed a number of M&A opportunities
•
Approved a number of major customer contracts and bids
•
Had two presentations on NCC Group’s AI proposition and
serviceofferings
Independent advice
All Directors have access to the advice and services of the Company
Secretary and Directors are entitled to take independent professional
advice if necessary, at the expense of the Company.
Conflicts of interest
The Companies Act 2006 requires Directors to avoid situations where
they have, or could have, a direct or indirect interest that conflicts or
potentially conflicts with the interests of the Company. The Company’s
Articles of Association require any Director with a conflict or potential
conflict to declare this to the Board.
That Director will not then be involved in the discussions relating to the
proposal, transaction, contract or arrangement in which they have an
interest, unless agreed otherwise by the Directors of the Company in
the limited circumstance specified in the Articles of Association, nor will
they be counted in the quorum or be permitted to vote on any issue in
which they have an interest. Directors are required to inform the Board
without delay should they be aware of any actual or potential conflicts of
interest and a check on conflicts is undertaken each year with a report
to the Board.
Board composition and division of responsibilities continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202566

Colleague engagement
Julie Chakraverty is the Board’s designated Non-Executive Director to
lead the Board’s colleague engagement programme and is committed
to understanding the views of our colleagues and ensuring they are
incorporated into the Board’s decision-making process.
In addition, there is also opportunity for colleagues to ask any questions
they have on executive remuneration and how this aligns with the wider
Company pay policy.
Prior to meeting with Julie at one of the engagement sessions,
colleagues are introduced to Julie via our internal social channels
where she explains her role through a video and written communications.
Julie has access to these channels to enable her to engage fully outside
of the formal events.
We were keen to build on the momentum generated in previous
yearsand Julie is sometimes joined by our Chair, Chris Stone, or other
Non-Executive Directors, to meet colleagues, all of whom are invited
from below the mid-management level and all parts of the business to
ensure diversity of thought. We ensure that no one has their line manager
in either the physical or the virtual room to ensure they can speak freely
and tell Julie what is on their mind.
Feedback from each session’s participants is shared anonymously
tothe Board and to our CEO. This enables action to be taken, further
strengthening the value of listening. Colleagues attending are invited to
give their feedback and, so far, results have been positive and valued.
Board independence
As required by the Code, at least 50% of the Board, excluding the
Chair, are Independent Non-Executive Directors. The Board comprises
two Executive Directors, four Independent Non-Executive Directors
and the Non-Executive Chair.
The Board has debated and considers that all of the current Non-
Executive Directors are independent, and in so doing considered the
profile of all of the individuals, concluding that none ofthem:
•
Have ever been a colleague of the Group
•
Have ever had a material business relationship with the Group or
receive any remuneration other than their salary or fees
•
Have close family ties with the advisers, other Directors or senior
management of the Group that could reasonably be expected to
cause a conflict
•
Hold cross-directorships or have significant links with other Directors
through involvement with other companies or bodies
•
Represent a significant shareholder
•
Have, at the point of this report, served on the Board for more than
nine years from the date of their first election
The Non-Executive Directors provide a strong independent element
onthe Board and are well placed to constructively challenge and help
develop proposals on strategy and succession planning. Between
them, they bring an extensive and broad range of experience to
theGroup.
Details of the Directors’ respective experience are set out in their
biographical profiles on pages 62 and 63.
The terms and conditions of appointment of Non-Executive Directors
are available for inspection at the Company’s registered office during
normal business hours.
Diversity
The principle of Board diversity (and indeed diversity across the
Group)is strongly supported by the Board. It is the Board’s policy
thatappointments to the Board will always be based on merit so that
the Board has the right balance of individuals in place. The Board
recognises that diversity of thought, approach and experience are
important considerations and it is therefore one of the selection criteria
used to assess candidates prior to any Board appointments.
The Company’s policy is to find, develop and maintain a diverse
workforce at all levels with an initial focus on developing a culture
wherewomen can achieve and retain senior positions.
Annual re-election
In accordance with the Code, any Directors appointed in the financial
year are subject to election by shareholders at the AGM and, in line with
best practice, all the other Directors are subject to re-electionannually.
Director induction, training and development
New Directors are provided with an induction on appointment, which
would include visits to the Group’s operations and meetings with
operational and executive management. Each Director’s induction is
tailored to their experience and background with the aim of enhancing
their understanding of the Group’s strategy, business, operating divisions,
colleagues, customers, suppliers and advisers, and the role of the
Board in setting the tone of our culture and governance standards.
The Company acknowledges the importance of developing the skills
ofthe Directors to run an effective Board. To assist in this, Directors
aregiven the opportunity to attend relevant courses and seminars to
acquire additional skills and experience to enhance their contribution to
the ongoing progress of the Group. All of the Directors attend sessions
which are aimed at updating the Board on trends and developments in
corporate governance.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 67

Board and Committee effectiveness review
As described earlier, this year we have not undertaken a formal review of the Board and its Committees. Building on our inaugural externally
facilitated Board evaluation in 2023, we undertook a comprehensive internally facilitated Board and Committee evaluation in 2024, where we took
significant time to discuss the output and agree actions in January 2025. We felt that we wanted further time to embed the actions from previous
evaluations into how we operate and work together as a Boardand felt that pausing the formal review process for a year was a sensible course of
action. Our intention is for our next review to be externally facilitated and we will look to undertake this during the 2026 calendar year. As a reminder,
Board succession planning remains a priority, particularly as we look to ensure the Board and Executive Committee have the right set of skills and
experience to support the Group as the business evolves. As a reminder, a number of observations and recommendations were noted from
previous evaluations, which are detailed below.
Area Recommendation/observation
Board composition
•
Considering the next NED appointment and the skills and experience required to complement those already around
the Board table
Board agendas/
papers
•
Although it was felt that the Board papers had improved significantly, it was agreed that hearing further client
feedback in a more systematic manner, including information on sales pipelines and the external perspective,
wasimportant
•
A suggestion that more colleagues from NCC Group’s global operations could join Board meetings virtually and
present updates
•
A suggestion of a “reflections” session at the end of each Board meeting to play back what had been discussed
atthemeeting, and suggest topics for future Board meetings
•
Take papers as read – focus time on discussion and debate
•
More briefings and training on AI and cyber developments/emerging threats
Board meetings
•
Consideration should be given to the frequency and number of Board meetings, i.e. was there an opportunity to have
fewer meetings?
•
More white space (no agenda) time in Board meetings
•
Spend more time visiting other NCC Group offices
•
Ideally have one guest presenter/speaker at Board meetings
•
ExCom presenters at Board meetings to bring a guest from the next level down (or a more junior level) for experience
and exposure to the Board
Strategy
•
Consider and discuss strategy and risks together
•
Build on the excellent progress of the last few annual strategy days and continue to hold dedicated Board strategy
sessions, as well as check in on progress regularly
Succession
planning
•
Continue to focus on talent and ensuring the Board gets opportunities to meet colleagues within the business, both
within Board meetings and in more informal settings such as Board dinners
Stakeholder
management
•
An appreciation that investor relations had improved significantly over recent years and that it was important to
maintain this level of momentum and trajectory
•
Receive more external perspectives on how NCC Group is viewed, particularly by clients/prospective clients
Information flows
•
Keep focusing on timeliness of papers; although this had improved, it was important to maintain discipline around this
Committees
•
Audit Committee – ensure the Committee is briefed on key changes to accounting policies and Corporate
Governance Code developments
•
Remuneration Committee – spend time discussing remuneration perspectives beyond the UK, i.e. internationally in
the areas NCC Group competes for talent, along with new remuneration ideas that the Committee might consider in
the future
•
Remuneration Committee – spend time considering from a Committee perspective how effectively the wider pay and
benefits policy aligns with NCC Group’s strategy and talent agenda, and the implications of this for pay at the top of
the organisation
•
Nomination Committee – spend more time over the annual cycle exploring the development actions that are in
progress to actualise the potential of those on the succession plan to CEO/CFO and ExCom roles
•
Cyber Security Committee – make sure the education content on emerging trends, threats and opportunities
isafocus for the Committee
Board composition and division of responsibilities continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202568

Operation of governance framework
Role of the Board
The Board is responsible for reviewing, challenging and approving the
strategic direction of the Group, while providing strong values-based
leadership of the Company, within a framework of prudent and effective
controls which enable risk to be assessed and appropriately managed.
The Board reviews the Group’s business model and strategic objectives
to ensure that the necessary financial and human resources are in
place to achieve these objectives, to sustain them over the long term
and to review management’s performance in their delivery.
The Board sets the tone of the Company’s values and ethical standards
and manages the business in a manner to meet its obligations to
shareholders and other stakeholders.
The Board receives information on at least a monthly basis to enable
itto review trading performance, forecasts and strategy and it has a
schedule of matters specifically reserved for its decision. The most
significant of these are:
•
Approval of strategic plans, the annual budget and any material
changes to them
•
Oversight of the Group’s operations, ensuring competent and
prudent management, sound planning and an adequate system
ofinternal control and governance
•
Through the Audit Committee, oversight of financial reporting systems
and information and adherence to appropriate accounting policies
•
Changes to the structure, size and composition of the Board and
Executive Committee, and oversight of the Company culture and
theethical standards of the leadership and the independence of
Non-Executive Directors, taking into consideration prudent
succession planning
•
Approval of the acquisition or disposal of subsidiaries and major
investments and capital projects
•
Approval of the dividend, treasury and banking policies, including
theGroup’s capital structure
•
Through the Remuneration Committee, the delivery of an effective
executive and senior management Remuneration Policy
•
Receiving reports on the views of shareholders and approval of all
documents put to shareholders at a general meeting or circulated
toshareholders
•
Approval of the appointment of key advisers
The Board has a schedule of specific matters reserved for its decision
where it feels they are critical to the ongoing success of the business
and are of a significant nature to merit the Board having such a decision
reserved to it. The Group also has a Group authority matrix (which
documents the levels of authority delegated from the Board to various
role holders within the Group). The schedule of matters reserved for
decision by the Board and the Group authority matrix are complementary
documents and are designed to ensure that decisions are either made
by the Board or delegated to an appropriate senior colleague within
theGroup.
As noted above, the operational management of the Group is delegated
to the Executive Committee. The Board also delegates other matters to
Board Committees and management as appropriate.
Risk management
The Board has ultimate responsibility for ensuring that business risks
are effectively managed. The Board has delegated regular review of
therisk management procedures to the Cyber Security Committee in
relation to cyber risks, and to the Audit Committee in relation to all other
risks. The Board reviews the overall risk environment on at least an
annual basis. The day-to-day management of business risks is the
responsibility of the Executive Committee (“ExCom”).
Internal control
The Group has a system of internal controls which aims to support
thedelivery of the Group’s strategy by managing the risk of failing
toachieve business objectives and to protect the stewardship of the
Group’s assets. As with all such systems, the goal is to manage risk
within acceptable parameters, rather than to eliminate risk entirely.
TheGroup can therefore only provide reasonable and not absolute
assurance that the business objectives and asset stewardship will
bedelivered successfully.
In addition, the Group insures against various risks, but certain risks
remain difficult to insure, due to the breadth and cost of cover. In some
cases, external insurance is not available at all, or at least not at an
economically viable price. The Group regularly reviews both the type
and amount of external insurance that it buys in conjunction with its
insurance brokers. For a more detailed review of risk management
processes, the principal risks faced by the Group and their mitigation,
see pages 29 to 37.
The Audit Committee is responsible for reviewing the effectiveness of
the risk management and internal control systems. The steps it takes in
relation to the review are set out on page 74.
The Audit Committee makes recommendations to the Board on the
effectiveness of risk management and internal controls, which the
Board considers, together with reports from the Cyber Security
Committee, in forming its own view on the effectiveness of the risk
management and internal control systems.
During the year ended 30 September 2025, the Board reviewed the
effectiveness of the Group’s risk management and internal control
systems together with internal control findings issued by our auditor. We
confirm that the processes outlined above and on page 74 have been in
place for the year under review and up to the date of this Annual Report
and Accounts, and that these processes accord with the UK Corporate
Governance Code and the FRC Guidance on Risk Management,
Internal Control and Related Financial and Business Reporting. While
we have had a number of improvements identified through our internal
audit reports issued throughout the year, management has agreed the
required actions and is working to close these down. We report on
these regularly to the Audit Committee and are working with local
management to continuously improve controls and processes across
the business.
Executive remuneration
During the year, we operated within the Remuneration Policy approved
by shareholders. Details of how the Remuneration Policy has been
applied during this financial year are set out on pages 81 to 93 of the
Remuneration Committee Report.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 69

Shareholder engagement
Share capital structure
The Company’s issued share capital at 30 September 2025 consists
of315,006,079 ordinary shares of 1p each. There are no special control
rights or restrictions on share transfer or special rights pertaining to any
of the shares in issue and the Company does not havepreference shares.
As far as is reasonably known to the Board, the Company is not directly or
indirectly owned or controlled by another company or by any government.
Board engagement with shareholders
Communications with shareholders are given high priority. There is a
regular dialogue with institutional investors including presentations after
the Company’s year end and half-year results announcements.
A programme of meetings takes place throughout the year with major
institutional shareholders, and private shareholders have the opportunity
to meet the Board face to face and ask questions at theAGM.
We are in regular contact with our large investors through a regular
scheduled programme of meetings attended by either our CEO or CFO
or both of them. Julie Chakraverty, our Senior Independent Director,
and I are also available to meet with investors should the need arise. After
meeting our larger investors, I feed back my findings to Board colleagues
at the next Board meeting. In addition, our brokers undertake investor
surveys on the back of our half and full-year results and the results of
these were presented and discussed at Board meetings. Our aim is to
engage with our shareholders in an open and meaningful way. During
the financial year, the Directors held a number of meetings with
shareholders as set out below.
Board shareholder updates
Feedback from major institutional shareholders is provided to the Board
on a regular basis and, where appropriate, the Board takes steps to
address their concerns and recommendations.
Investor meetings
One-to-one meetings
157
Group meetings
40
Substantial shareholdings
As at 30 September 2025, the Company had been notified of the
following interests of 3% or more in the issued share capital of the
Company under the UK Disclosure and Transparency Rules:
Shareholder
Number of
ordinary
shares
% of
NCC Group’s
total share
capital
Aberforth Partners 40,057,799 12.72%
Richard Griffiths 32,671,10 6 10.37%
Odyssean Investment Trust 20,000,000 6.35%
BlackRock 18,312,987 5.81%
Vanguard Group 15,624,408 4.96%
Harwood Capital 15,362,500 4.88%
First Trust Advisors 15,299,695 4.86%
NFU Mutual 13,151, 52 9 4.18 %
Artemis Investment Management 10,888,638 3.46%
Kestrel Partners 9,932,261 3 .15%
Canaccord Wealth (Inst) 9,750,000 3.10%
Schroder Investment Management 9,471,825 3.01%
There were no changes to the above notified to the Company between
30 September 2025 and 11 December 2025.
Directors’ shareholdings
For details of Directors’ shareholdings, remuneration and interests in the
Company’s shares and options, together with information on service
contracts, see pages 81 to 93 of the Directors’ Remuneration Report.
AGM
The AGM is an opportunity for shareholders to vote on certain
aspectsof Group business and provides a useful forum for one-to-one
communication with private shareholders. At the AGM shareholders
receive presentations on the Company’s performance and may ask
questions of the Board. The Chair seeks to ensure that the Chairs of the
Audit, Remuneration, Nomination and Cyber Security Committees are
available at the meeting to answer questions and all Directors attend.
The Company prepares separate resolutions on each substantially
separate issue to be voted upon at the AGM. The result of the vote on
each resolution is published on the Company’s website after the AGM
and will be announced via the regulatory information service. At the
2025 AGM, shareholders representing over 65% of the Company’s
issued share capital returned their proxy votes.
On behalf of the Board
Chris Stone
Non-Executive Chair
11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 202570

Audit Committee report
In April 2025, the role of the Director of Global Governance was
extended to include Procurement and Estates. As a result, to ensure
independence from operational functions, the role of Chief Audit
Executive (CAE) transferred to the Head of Risk and Assurance.
Attendance during the year of individual Audit Committee members
isshown in the table on page 65.
Significant accounting areas and areas of significant
management judgement or estimation uncertainty
The table below summarises the significant accounting issues,
judgements and estimates considered by the Committee during the
year in relation to the Financial Statements. These are categorised
aseither recurring items the Committee regularly reviews or current
year focus areas. The table also indicates the level of judgement or
estimation applied to each item. Items with a “low” judgement level
typically have extensive independent third party evidence, while those
requiring “high” judgement rely more on management estimates and
historical trends than third party evidence.
Review items
Accounting
judgement?
Estimation
required?
Goodwill carrying value N/A High
Discontinued operations and
held-for-saleclassification Low N/A
Significant issues considered during the year in relation
to the Financial Statements
During the year, the Committee reviewed and considered the following
areas in respect of financial reporting and the preparation of the interim
and annual Financial Statements:
•
The appropriateness of the accounting policies used
•
Compliance with external and internal financial reporting standards
and policies
•
Significant areas of management judgement or estimation
•
Assumptions and models used to determine fair value of all key
business units for the Group’s annual impairment review
•
Assessed the quality of earnings by reviewing one-off, out of period
or non-trading items arising over the year
•
Continued focus on the adherence to the Individually Significant
Items (ISIs) accounting policy and presentation of ISIs
•
Accounting for the disposal of non-core operations (Fox Crypto)
during the year
•
Accounting for the Group’s Escode business as discontinued
operations and asset held for sale
•
Disclosure and presentation of GAAP and Alternative Performance
Measures (APMs)
•
The effectiveness and changes to the financial control environment
•
Whether the Annual Report and Accounts, taken as a whole, is fair,
balanced and understandable and provides the information
necessary to assess the Group’s financial position, performance,
business model and strategy
•
Revenue recognition on material contracts to the Group
•
Going Concern and Viability Statement considering the potential
implications of the Group’s Escode Business as Discontinued
operations and Held-for-Sale Classification and the ongoing
Strategic Review of the Cyber Business
In carrying out this review the Committee challenged the significant
estimates and judgements made by the Group’s finance team and
considered the external auditor’s reports setting out its views on the
accounting treatments and judgements included in the
FinancialStatements.
I am pleased to present the Audit Committee Report for the year ended
30September 2025 to explain how we have discharged our responsibilities
with an overview of our principal activities and their outcomes.
Committee membership, attendees’ access
andobjectives
I have been Chair of the Audit Committee since 1 September 2022
andI am a Chartered Accountant with diverse sector experience
across listed companies, private equity and financial services in several
disciplines including risk management, internal control and financial
reporting. I am also currently Chair of NewRiver REIT plc and Pollen
Street Group and Non-Executive Director of Enfinium Group. From
17September 2025, I became a Special Adviser to the Board of
Domino’s Pizza Group, having stepped down from the Board as the
Senior Independent Director at the same date. The Board therefore
considers that I have the recent and relevant financial experience
required by the Code.
Mike Ettling, Julie Chakraverty and I all served on the Committee
throughout the period. All members of the Committee are considered
to be independent, and the Committee as a whole continues to have
competence in the technology sector.
Summary biographies of each member of the Committee are included
on pages 62 and 63.
The purpose of the Audit Committee is to provide oversight of an
organisation’s financial reporting, internal controls and compliance
withlaws and regulations, ensuring transparency and accountability
infinancial operations on behalf of the Board. The Committee also
provides a forum for reporting by the external auditor. Cyber risk and
controls are considered by the Cyber Security Committee. A full copy
of the Committee’s terms of reference can be found in the Investor
Relations section of the Group’s website.
Meeting frequency and attendance
The terms of reference for the Committee require at least three
meetings per year. During this financial year, the Committee met four
times. As well as the members of the Committee, standing invitations
are given to the Company Chair, the other Independent Non-Executive
Directors, the Chief Executive Officer, the Chief Financial Officer, the
SVP, Group Finance and the SVP, Global Governance, Procurement
and Estates, with other attendees also attending by invitation. The
external auditor also attends each meeting. During the year, the
Committee held meetings with the external auditor and the SVP, Global
Governance, Procurement and Estates and the Head of Risk and
Assurance without the Executive Directors and management
beingpresent.
Lynn Fordham
Chair, Audit Committee
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 71

Principal duties delegated to the Audit Committee
Areas delegated to
the Audit Committee Committee responsibilities Activities during the year
Financial
reporting
•
Monitoring the integrity of the Financial Statements
relating to the Group’s financial performance and their
compliance with the provisions of IFRS, the Companies
Act, the UK Corporate Governance Code, the Disclosure
Guidance Transparency Rules and other regulations
•
Reviewing material information and significant accounting
judgements contained in the Annual Report and Accounts
•
Advising the Board on the continuing appropriateness of
the Group’s existing accounting policies and the
application of any new or modified accounting and
reporting standards
•
Continued focus on quality of earnings and adherence to
Individually Significant Items accounting policy
•
Reviewed all significant accounting areas and areas of key
estimation. Reviewed PwC audit conclusions in these areas
with significant discussions around the Group’s annual
impairment review,assumptions and resultant disclosures
Narrative
reporting
•
Advising the Board on the effectiveness of the processes
ensuring that theAnnual Report and Accounts, when
taken as a whole, is fair, balanced and understandable
•
Considered recent technical updates including guidance
issued bythe Financial Reporting Council
•
Reviewed management’s Going Concern and Viability
Statement assessment, including macro-economic
considerations. Reviewed PwC audit conclusions in
theseareas
•
Reviewed a summary of why management considers the
Annual Report is fair, balanced and understandable
Internal controls
and risk
management
systems
•
Reviewing the effectiveness of the Group’s internal
controlsystems
•
Reviewing the nature and extent of significant financial
risks and how they can be mitigated
•
Received regular briefings from the SVP, Global
Governance, Procurement and Estates summarising risk
management and controlissues
•
Received a self-assessment of the finance controls
highlighting enhancements made during the year, areas
ofcontinuous improvement and specific actions to
implement minimum controlstandards
•
Planning for regulatory changes arising from the new
corporate governance reform requirements, including
identifying material controls and other legislation such as
the failure to prevent fraud
•
Monitoring ESG reporting, including progress on TCFD
and CSRD, and embedding sustainability into the business
Compliance,
whistleblowing
andfraud
•
Reporting to the Board on the procedures for responding
to whistleblowing, fraud or potential breaches of
anti-bribery legislation
•
Received a summary of regulatory updates covering
whistleblowing, fraud and anti-bribery as well as health and
safety updates documenting new initiatives and activities
•
Review of the failure to prevent fraud legislation including
updating our policies, risk assessment and training
•
Review of any whistleblowing findings resulting
frominvestigations
Internal audit
•
Reviewing the internal audit reports discussing any major
control failures orweaknesses
•
Reviewed the findings from the internal audit assignments
conducted during the year and approved the Internal
Audit Plan for the forthcoming year
•
Approved the Internal Audit Charter
•
Commissioned an External Quality Assessment of the risk
andassurance function, required every five years per the
new CIIAStandards
External audit
•
Reviewing the audit findings with the external auditor
including discussing any major issues that arise during
anaudit, the accounting and audit judgements made,
thelevel of any errors identified during the audit and the
effectiveness of the audit process itself
•
Making recommendations to the Board in relation to
theappointment of theexternal auditor, approving its
remuneration and terms of engagement
•
Overseeing the relationship with the external auditor
including, but not limited to, assessing its independence,
objectivity and effectiveness
•
Reviewed the findings from the audit for the year ended
30September 2025
•
Following the completion of PwC’s FY24 audit, the
Committee was informed that the FRC’s Audit Quality
Review (AQR) team had chosen the Group’s audit for its
review. The Committee has received a copy of the review
and was pleased to note that it did not identify any key
findings and only one limited improvement is required
Audit Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202572

Goodwill carrying value
(Recurring item: see Note 11 to the Financial Statements)
The Group has significant balances relating to goodwill as at
30September 2025 as a result of acquisitions of businesses in previous
years. The carrying value of goodwill at 30 September 2025 is £46.3m
(30 September 2024: £156.5m). Goodwill balances are tested annually
for impairment. The Group allocated goodwill to cash generating units
(CGUs) which represent the lowest level of asset groupings that
generate separately identifiable cash inflows that are not dependent
onother CGUs.
The Group completed its annual impairment review as at 30 September
2025 and concluded that no impairment of goodwill balances wasrequired.
Fair value less costs to sell
In accordance with IAS 36, during the year ended 30 September 2025,
tests for impairment are based on the calculation of a fair value less costs
to sell (FVLCTS) which has been used to establish the recoverable amount
of the CGU. The FVLCTS valuation of each standalone CGU has been
calculated by determining sustainable earnings, which are based on
Adjusted EBITDA
1
, and applying a reasonable market multipleon the
calculated sustainable earnings. Estimated sustainable earnings have
been determined taking into account past experience and includes
expectations based on a market participant view of maintainable
performance of the business based on market volatility and uncertainty
asat 30 September 2025. The sustainable earnings input is a level 3
measurement; level 3 measurements are inputs which are normally
unobservable to marketparticipants.
The sustainable earnings figures used in this calculation include
keyassumptions regarding sustainable revenues and costs for the
business. If the assumptions and estimates used in this valuation prove
to be incorrect, the carrying value of goodwill may be overstated.
During this year, the Committee has reviewed the Group’s latest
available forecasts, along with its ongoing execution of the new strategy
and management’s future action plans, as part of its consideration of
the utilised sustainable earnings figures.
The Group incurs certain overhead costs in respect of support
servicesprovided centrally to the CGUs. Such support services
includeFinance, Human Resources, Legal, Information Technology
andadditional central management support in respect of stewardship
and governance. In calculating sustainable earnings these overhead
costs have been allocated to the CGUs based on the extent to which
each CGU has benefited from the services provided. This allocation is
primarily based on the time spent by the relevant central department in
supporting each CGU, informed by headcount or another reasonable
proxy where available. Where possible, specific cost allocations have
been applied. The methodology remains consistent with the prior period
to ensure the allocation reflects the Group’s operating model.
The Adjusted EBITDA
1
multiple used in the calculations is based on
anindependent third party assessment of the implied enterprise value
(from a market participant perspective as at 30 September 2025) of each
CGU based on a population of comparable companies and precedent
transactions. The estimated cost to sell was based on other recent
transactions that the Group has undertaken.
The Committee reviewed the FVLCTS calculations, including the
sustainable earnings assumptions and the applied multiple. This review
considered independent third-party valuations as at 30 September 2025,
which reflect a market participant view of business performance in light
of prevailing market volatility and uncertainty.
Impairment conclusions
The Committee assessed the recoverable amount of each CGU using
fair value less costs to sell as at 30 September 2025, after applying
themethodology described above. The Committee concurred with
management’s view that, in all cases, the recoverable amount exceeded
the carrying amount and, accordingly, no impairment losses were
recognised for the year ended 30 September 2025.
Sustainable earnings include a key assumption regarding the
achievement of forecast revenue within each CGU assessment.
The Committee reviewed the sensitivity analysis prepared by
management, focusing on reasonably possible changes to this key
revenue assumption. In particular, the Committee considered the
impact of a 10% shortfall in forecast revenue (after factoring in
controllable variable cost reductions and maintaining margins) and
concurred with management’s view that, under this scenario, the
recoverable amount of each CGU would continue to exceed its
carryingamount, and no material impairment would arise.
Discontinued operations and held-for-sale classification
(New item: see Note 16 to the Financial Statements)
Held-for-sale classification
Under IFRS 5, a disposal group is classified as held for sale when
management is committed to a plan to sell, the asset is available for
immediate sale in its present condition, the sale is highly probable and
expected to complete within 12 months, and the disposal group is
measured at the lower of its carrying amount and fair value less
coststosell.
During the year, the Group committed to a plan to dispose of its
Escodebusiness, which met the above criterion and has therefore
beenclassified as held for sale as at 30 September 2025. Management
determined the sale to be highly probable and expected to complete
within 12 months. Accordingly, assets of £198.0m and associated
liabilities of £39.8m relating to the Group’s Escode business have
beenpresented as held for sale as at 30 September 2025.
The Committee reviewed and concurred with management’s
assessment of the held-for-sale classification, including the
appropriateness of the measurement basis and related disclosures.
Discontinued operations
Under IFRS 5, a disposal Group is classified as a discontinued
operation when:
•
It is a component of the entity
•
It has either been disposed of or is classified as held for sale
•
It represents a separate major line of business or geographical area
of operations, or is part of a single co-ordinated plan to dispose of
such a component
Escode represents a major line of business within one of the Group’s
two reportable segments, contributing 21.8% of Group revenue (2024:
20.3%) and 35.0% of Group gross profit (2024: 34.0%). Given Escode
also met the criteria for classification as held for sale at 30 September
2025 (as described above), the Committee reviewed and concurred
with management’s assessment that the requirements for discontinued
operations were satisfied as at 30 September 2025, including the
adequacy of all related disclosures.
1 Adjusted EBITDA are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and the Financial Review for an explanation of APMs and adjusting
items, including a reconciliation tostatutory information.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 73

The Group’s approach to materiality
In considering the materiality of any individual issue or issues in
aggregate, the Group looks at a range of qualitative and quantitative
measures to assess whether omitting, misstating or obscuring
information could reasonably be expected to influence decisions that
the primary users of general-purpose Financial Statements make on the
basis of those Financial Statements. The range of measures includes
(but is not limited to) the primary Financial Statements themselves, the
individual line item in question, and whether the issue moves the result
from one side of an inflection point to another (for example, turning a
profit into a loss or a net asset into a net liability). Qualitative and
quantitative measures are both considered, as is any potential impact
on remuneration or banking arrangements such as debt covenants.
Internal audit
The risk and assurance function is responsible for internal audit, and
the provision of assurance in relation to financial, operational and quality
systems and processes. The team is responsible for supporting the
implementation of risk management across the business and monitors
the implementation of related action plans. During the year, 19internal
audit reports were issued to the Audit Committee covering a range of
risk areas including but not limited to key financial controls, backup
controls, HR and payroll processes, including IR35, expenses and
business cases.
The Audit Committee maintains an ongoing review of the risk
andassurance function, which reports directly into the Chair of the
Committee. The Committee is responsible for approving the content
and coverage of the Internal Audit Plan, which documents the links
tothe Group’s strategic risks, key controls and associated assurance
coverage. In addition, the risk and assurance team has a co-source
arrangement as required for IT specialist audits and also utilises the
cyber experts from within the business. The members of the risk and
assurance team are all qualified in ACA, ACCA, CIMA, or hold the
CIIAqualification. The Internal Audit Plan also includes time for the
continual professional development of the team.
The work of the risk and assurance function is a regular standing agenda
item at all Committee meetings where a full update is provided including
updates on audit and assurance activities, progress againstthe Internal
Audit Plan, and commentary and tracking of the implementation of agreed
management actions to address deficiencies in an expedited manner.
All internal audit reports are provided to the PwC external audit team
and discussed during regular catch-up meetings. The Internal Audit
Plan is reviewed to ensure continued relevance, or is adjusted to the
current environment taking a risk-basedapproach.
In FY25, the risk and assurance team has carried out a gap analysis
against the 2024 CIIA Standards and commissioned an external quality
assessment which is required once every five years. The output will be
shared with the Audit Committee in early FY26.
Internal controls and risk management
The Board is responsible for establishing, maintaining and monitoring
the Group’s system of risk management and internal control and
reviewing its effectiveness. The Committee monitors the performance
of management in this area.
We have an ongoing process for identifying, evaluating and managing
the principal risks faced by the Group, which has been in place for the
year under review and is deemed effective up to the date of approval of
the Annual Report and Accounts.
The Group’s non-Cyber Security risks are monitored by the Audit
Committee on behalf of the Board, which sets aside time for an
in-depth discussion of notable or changing risks to the business.
A description of the process for managing risk, together with a
description of the principal risks and strategies to manage those risks,
is provided on pages 29 to 37. Cyber risks are reviewed by the Cyber
Security Committee; the Cyber Security Committee Report can be
found on pages 79 and 80.
Internal control systems are designed to meet the needs of the Group
and the risks to which it is exposed. By their nature, however, internal
control systems are designed to manage rather than eliminate the risk
of failure and can provide only reasonable but not absolute assurance
against material misstatement or loss. Key elements of the risk
management and internal control system are described below.
Controls relating to financial reporting and preparation of the
Annual Report and Accounts
•
Information provided to management covering financial performance
and key performance indicators, including non-financial measures
•
A robust internal review process to ensure the integrity of the
preparation of the Annual Report and Accounts
•
A detailed budgeting process where business units prepare plans
forthe coming year
•
Procedures for the approval of capital expenditure and investments
and acquisitions
•
Monthly operational reviews to monitor and reforecast results as
required against the annual operating plan, with major variances
followed up and management action taken where appropriate
•
The Group finance manual
Other controls
•
Defined management structure and delegation of authority to
Committees of the Board, subsidiary boards and associated
business units
•
Regional governance committees have been established to provide
management with ongoing oversight
•
Recruitment standards and compliance training to ensure the
integrity and competence of staff
•
Annual economic crime, ethics, data protection, information security,
health and safety, export controls, sexual harassment and climate
change mandatory training for all colleagues
•
Clearly documented internal procedures set out in the Group’s
ISO9001-2015-accredited quality manual
•
Regular internal audits of key processes and procedures under
theGroup’s ISO 9001 and ISO 27001-accredited quality
assuranceprocess
•
Monitoring of any whistleblowing or fraud reports
The external auditor regularly reports its findings on those areas of
internal control which it assesses as part of the external audit to the
Board and the Audit Committee.
Our internal control effectiveness is assessed through the performance of
regular checks, which in the year ended 30 September 2025 included:
•
Assessment of the identification and management of risks connected
to the Group’s strategy and management of strategic change
•
Reviewing and testing the Group’s financial reporting processes
•
Performing compliance monitoring activities for travel, expenses and
health and safety
•
Assessment of the Group’s processes for identifying and mitigating
potential conflicts of interest
•
Monitoring the completion of the Group’s mandatory
compliancetraining
Following these regular checks, it was deemed that the controls were
effective and the internal control systems are designed to meet the
needs of the Group and its risks.
Compliance with the revised Corporate Governance Code is being
reviewed with a dry run planned for FY26. This will be discussed with
the Audit Committee and progress updates communicated
throughoutFY26.
Audit Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202574

Whistleblowing and confidential reporting procedures
The Group operates a confidential reporting and whistleblowing
procedure (known as our “whistleblowing policy”). The policy aims to
support the stewardship of the Group’s assets and the integrity of the
Financial Statements as well as protecting colleague welfare. The
procedure is reviewed annually by the Committee to ensure that it
remains fit for purpose.
The Group has appointed an independent third party reporting agent
tobe the first point of contact for those who do not wish to use normal
internal line management channels for reporting their concerns. This is
advertised both internally, via colleague noticeboards and our intranet,
and externally on the website. Colleagues are asked to undertake
mandatory training on an annual basis including a reminder on the
Code of Ethics policy and the whistleblowing helpline.
The Committee reviews any whistleblowing or confidential reporting of
concerns raised during the year with respect to their nature, scale and
any associated or consequential risks.
Review of the Audit Committee’s effectiveness
For the reasons described in the Chair’s Introduction to Governance,
noBoard or Committee evaluation was carried out during the year.
External auditor appointment
The Committee is responsible for overseeing the relationship with the
external auditor, including recommending to the Board their appointment,
reappointment and removal, assessing their independence on an ongoing
basis and approving the statutory audit fees. The Committee notes
thepublication in May 2023 of the FRC’s Audit Committees and the
External Audit: Minimum Standard. In making these recommendations
the Committee considers:
•
The experience, industry knowledge and expertise of the auditor
•
The scope and planning of the audit and any variations from the plan
•
The quality of the processes adopted
•
The auditor’s explanations of significant risks to audit quality by
reference to the Company’s specific circumstances and changes
tothe risks
•
The fees charged
•
Its attitude to, and handling of, key audit judgements
•
Its ability to challenge and communicate effectively with management
•
The quality of the final report
•
The FRC’s Audit Quality Review report relating to the auditor
•
The appropriate and effective use of experts and specialists
PwC were appointed as the Group’s external auditors during the
16-month period ended 30 September 2024. The current audit
engagement partner has now served for two periods.
The external audit
As part of the Board’s responsibility to ensure the integrity of the Company’s
financial reporting and audit processes, the Audit Committee undertook
a review of the effectiveness of the externalaudit.
PwC is engaged to express an opinion on the Financial Statements.
Itreviews the data contained in the Financial Statements to the extent
necessary to express its opinion. It discusses with management the
reporting of results and the financial position of the Company and presents
findings to the Committee. Where it makes recommendations in its report to
the Committee, the Committee reviews them and agrees with management
the manner and extent to which they should beimplemented.
Each of the Directors in office at the date of this report is not aware of
any relevant information that has not been made available to PwC and
each Director has taken steps to be aware of all such information and
toensure it is available to PwC. PwC’s audit report is published on
pages 99 to 103.
Auditor’s independence and objectivity
The Audit Committee confirms that the Company has complied with the
provisions of the Statutory Audit Services for Large Companies Market
Investigation Order 2014 during the financial year.
The Committee received a formal statement of independence from
theexternal auditor.
The Committee recognises the importance of ensuring that the
independence and objectivity of the external auditor is not impaired
through the provision of non-audit services. We have in place robust
policies on the use of auditors for non-audit work. Additionally, the Audit
Committee’s approval is also required for any fees for any non-audit
work undertaken by the auditor.
During the year, the Group paid PwC £80,000 (2024: £80,000) for its
review of the interim Financial Statements and £2,000 (2024: £2,000)
for access to a generic online accounting manual (both of which are
non-audit services). These represented 5.1% (2024: 4.9%) of the total
audit fees. No other non-audit services were provided by the
externalauditor.
All significant pieces of non-audit work are put to informal tender to
suitable parties that, if appropriate, can include the external auditor.
Upon review as to suitability and price, the work will then be placed with
the service provider recommended. If this is the external auditor, then
Audit Committee approval is required. The external auditor was not
engaged during the year to provide any services which may have given
rise to a conflict of interest. The Committee is satisfied that the overall
levels of audit and non-audit fees are not material relative to the income
of the external auditor as a whole and therefore that the objectivity and
independence of the external auditor were notcompromised.
During the year, our external auditor received ad hoc Cyber Security
services in the ordinary course of business, totalling £13,431 (2024:
£151,861). The Committee is satisfied that this work is immaterial and
provided on normal commercial terms to both the external auditor and
the Company and therefore the objectivity and independence of the
external auditor are not compromised.
External auditor’s effectiveness
Since its appointment, PwC has been fully engaged with both
management and the Audit Committee to ensure a smooth and
effective implementation of the audit. This has included:
•
Audit planning: PwC presented a detailed audit plan for the
financial year ended 30 September 2025, which included its
approach to significant areas of risk.
•
Independence: PwC has confirmed its independence in
accordance with applicable regulations and has established rigorous
controls to ensure this is maintained throughout its engagement.
•
Engagement with management: Feedback from management
indicates that PwC has adopted a thorough and collaborative
approach to understanding the business’s operations, processes
andrisk areas.
During the financial year, I attended regular meetings with PwC’s
engagement partner without management being present. This provided
the opportunity for open dialogue. The engagement partner demonstrated
her understanding of the Group’s business risks and the consequential
impact on the Financial Statements.
The Audit Committee will continue to closely monitor PwC’s
performance throughout the audit period and conduct a post-audit
review to assess its effectiveness in delivering a high quality and
independent audit.
In line with the UK Corporate Governance Code, the Audit Committee
will continue to monitor the effectiveness of the external audit process
annually, ensuring that the Company’s auditor continues to meet the
highest standards of independence, audit quality and service.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 75

Fair, balanced and understandable
The following process was followed by the Committee inmaking its assessment:
1. Financial information
•
Prepared by individual business units
•
Consolidated by Group finance team
•
Reviewed by SVP Group Finance and CFO
2. Narrative disclosures
•
Prepared by Group finance team
•
Reviewed by SVP Group Finance and CFO
•
Various reports prepared by Committee Chairs,
CEOandCFO
3. Independent reviewers
•
Senior members of the Executive Committee, Global
Leadership Team and/or otherseniorcolleagues
•
Those who have not been major contributors
4. Audit Committee Chair
•
Review of detailed verification documents
•
Review of findings and observations from
independentreviewers
1
Financial
information
3
Independent
reviewers
2
Narrative
disclosures
4
Audit
Committee
Chair
Related party transactions and other fees approved
by the Committee
Refer to Note 29 for related party transactions during the year.
Fair, balanced and understandable
At the request of the Board, the Committee considered whether
the2025 Annual Report and Accounts, when taken as a whole, was
fair, balanced and understandable (FBU) and whether it provided the
necessary information for shareholders to assess NCC Group’s position
and performance, business model and strategy. The reviews outlined in
the diagram below include reviews of all material matters, as reported
elsewhere in this Annual Report and Accounts, and reviews of the
balance of good and bad news and ensure the Annual Report and
Accounts correctly reflects:
•
The Group’s position and performance as described on pages 6
and7 and 40 to 57
•
The Group’s business model as described on pages 8 and 9
•
The Group’s strategy as described on pages 12 and 13
The independent reviewers were not major contributors to the Annual
Report and Accounts but, at the same time, as members of the
Executive Committee or other senior colleagues, are deemed to be
sufficiently well informed on the Group’s activities to be able to give
appropriate feedback on the FBU criteria. They undertake a qualitative
review of disclosures and internal consistency throughout the Annual
Report and Accounts. The Directors’ statement on an FBU Annual
Report and Accounts is set out on page 98.
Lynn Fordham
Chair, Audit Committee
11 December 2025
Audit Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202576

Nomination Committee report
forthe Board to effectively support the Company’s strategy both in the
immediate future and over several years.
The Committee’s efforts in succession planning played a crucial role
inrecruitment activities over the years. In the forthcoming year, the
Committee will continue to prioritise the establishment of suitable
succession plans for various timeframes.
Diversity
Our objective is to have a broad range of skills, backgrounds,
experiences and personal attributes within the Board as this ensures
the Board is best placed to serve the Company.
All appointments are made on merit and against objective criteria
withdue regard for the benefits of diversity on the Board, including
gender identity, nationality and educational and professional background,
as well as individual characteristics which will enhance diversity of
thinking on the Board. NCC Group and the Committee value the aims
and objectives of the FTSE Women Leaders Review (formerly the
Hampton-Alexander Review on FTSE women leaders) and the Parker
Review on ethnic diversity of UK boards and support and apply the
Group’s diversity policy.
The Committee is also mindful of the Group’s diversity policy when
making appointments to the Board Committees (Audit, Cyber Security,
Nomination and Remuneration), ensuring an appropriate range of
backgrounds across Committee members to enhance quality
decisionmaking.
The Group’s gender diversity statistics are set out on page 19. At Board
level, we currently have three females, one of whom is a person of
colour; however, we note that diversity extends beyond the measurable
statistics of gender and ethnicity. We continue to take diversity in its
wider context into account, having regard to the diversity policy, and
recommend only the most appropriate candidates for appointment to
the Board.
During the year ended 31 May 2021, we made the firm commitment
that by 2024, we would have at least 33% female representation on our
Board and at least one person of colour. In 2022 we delivered on our
commitment and we will also meet the FTSE Women Leaders Review
target of 40% by the end of 2025. Although this is best practice for
FTSE 350 companies, we have committed to this target regardless
ofwhich share index we are in. Our Board now has 43%
femalerepresentation.
We remain focused on ensuring diversity within our leadership
population and will continue to address this during future Board and
Executive Committee appointments. Improvements in diversity are
often not a quick process; however, we are very mindful of the need to
continue to take positive action, and the matter remains an ongoing
priority on our agenda. Accessing the candidates we require to reach
this target will involve us looking beyond the obvious pool of existing
board directors within the UK and we are committed to ensuring that
we extend our talent search to other sectors and locations globally to
ensure we find a diverse pool of candidates to provide us with true
diversity of thought, culture and lived experience, around our
Boardtable.
When a new Director is appointed, they receive a full, formal and
tailored induction into the Company and discuss with the Chair to
identify any immediate and longer-term training requirements.
The Committee’s terms of reference can be found in the Investor
Relations section of the Company’s website. The terms of reference
arereviewed annually and updated when necessary.
Committee meetings
During this financial year, the Committee held one scheduled meeting.
The attendance of individual Committee members at Nomination
Committee meetings is shown in the table on page 65.
The members of the Nomination Committee are Julie Chakraverty,
Jennifer Duvalier and Lynn Fordham, along with me.
The Nomination Committee’s objectives
andresponsibilities
The Nomination Committee is responsible for reviewing the size,
structure, balance, composition and progressive refreshing of the
Board and its Committees and as such its duties include:
•
Reviewing the structure of the Board
•
Evaluating the balance of skills, knowledge, experience and diversity
on the Board
•
Making recommendations for further recruitment to the Board or
proposing changes to the existing structure of the Board, or
individual Directors
•
Reviewing the leadership needs of the Company, both Executive
andNon-Executive
•
Succession planning for Directors and other senior Executives within
the business
•
Recruiting, appointing and exiting of Directors
•
Overseeing membership of, and succession to, the various
BoardCommittees
•
Reviewing the time commitment required from the Non-Executive
Directors on NCC Group business
The Chair of the Board leads the process for the appointment of new
Non-Executive Directors to the Board and for the appointment of the
Chief Executive Officer. The Chief Executive Officer, in conjunction with
the Chair, leads the process for the Chief Financial Officer. The Senior
Independent Director leads the process for a new Chair of the Board.
In relation to an appointment to the Board, the Committee draws up
aspecification and assesses the capabilities and experience required
for such a role, taking into account the Board’s existing composition,
including relevant experience and understanding of our
stakeholdergroups.
We also assess the time commitment required. Candidates are sought
by third party executive search consultants and, where appropriate,
through the assessment of internal candidates and are then formally
considered by the Nomination Committee. Extensive external
referencing is also completed.
Board succession
The Committee is tasked with overseeing the succession planning
process and providing recommendations to the Board. It adopts a
long-term perspective on succession planning, consistently evaluating
Board tenure and diversity (with an emphasis on gender, cultural
background and experience), and identifying the skills necessary
Chris Stone
Chair, Nomination Committee
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 77

Activities during the year
During the year, the Committee:
•
Evaluated the skills, knowledge and experience around the
Boardtable
•
Reviewed the structure, size and composition of the Board
•
Reviewed the Directors’ length of service
•
Reviewed the diversity of the Board
•
Reviewed the memberships of all Committees
•
Reviewed the expected time commitment of the Chair and the
Non-Executive Directors
During the year, the Nomination Committee has had an in-depth
presentation from the Chief People Officer, focused on leadership,
succession planning and talent management and development,
informed by insights from our data analysis and the external environment.
These presentations looked at the overall current position, and in
particular senior succession, i.e. the Executive Committee and its
directreports.
Presentations and updates during the year
This year the Committee has had a number of presentations and
updates on various colleague matters across the Group, including:
•
Undertook a deep dive into Board composition and succession,
inclusive of Chair succession
•
Reviewed achievements over the previous year for the global people
team and looked forward to priorities for the year ahead
•
Reviewed our ongoing development of capability, with a particular
focus on senior succession and talent
•
Reviewed our approach to collecting colleague diversity data, with
afocus on building colleague sentiment
•
Considered the generational perspectives of colleagues within
theGroup and their diverse needs from an organisational and
leadership perspective
•
Received comprehensive colleague engagement briefings on survey
results from the “MyVoice” survey (which utilises the Glint platform),
along with the agreed next steps and future commitments in response
to colleague feedback. Exit interview data and key themes were also
presented to the Committee
•
Reviewed both present and former colleague sentiment on
Glassdoor and LinkedIn
•
Explored our current global leadership KPIs and discussed
opportunities for improvement
To support the ambition and our commitment to improving global
diversity, we continue to focus on:
Processes
•
Removing barriers to entry and making our talent attraction and
acquisition experience best in class, leading to a review of our
selection methodology and a new framework being developed,
tohelp level the playing field for under-represented communities,
remove bias and create a robust and valid way of identifying and
selecting talent
•
The ongoing review of our policies, processes and documentation to
ensure all bias is removed (including adverts and job descriptions),
and ensuring the use of inclusive language wherever possible
Culture
•
We continue to embed our behavioural framework into the
businessvia our global, hiring, onboarding and manager
capabilityprogrammes
•
We completed the rollout of our Enabling Performance Leadership
programme to our Group leadership team (GLT)/extended leadership
team (ELT) populations. We also delivered a series of other management
development interventions to support leadership and manager capability
•
Our colleague resource groups have continued to meet regularly and
there has been some investment with external partnerships and events.
The intention is to continue to have an ExCom sponsor to provide support
for our DEI colleague resource to make a positive change and build
awareness, to foster inclusion, awareness and meaningful conversations
while empowering colleagues to make positive change and cultivate
an inclusive working environment
•
Moments that Matter continues to embed and evolve as a suite of
supportive, people-focused policies designed around our colleagues
and their needs
Colleague voice
•
Committed to an ongoing open dialogue with our colleagues,
through our biannual engagement survey (“MyVoice”), colleague
forums, live leadership “Ask Me Anything” sessions, Board
engagement sessions with colleagues, our colleague resource
groups, listening sessions and our whistleblowing lines which all play
an active role in creating a great place to work (for further information,
please see the Stakeholder Engagement section on pages 14 and 15)
•
We have a “Speak Up” framework which was launched globally the
previous year to provide clear guidance and signposting to colleagues,
covering the various routes to raise concerns, and the relevant
policies to address these issues where required, as well as to share
colleague feedback
•
NCC Diamonds, our annual colleague recognition programme,
completed its fifth cycle. NCC Diamonds provides colleagues across
the organisation with the opportunity to nominate individuals or
teams for the incredible work they do, recognising the brilliance and
accomplishments of their peers. Nominations are linked to our NCC
Group values, followed by regional and global judging panels, with
each category winner receiving a “money can’t buy” experience
Long term
•
We continue to develop our employer brand to broaden our
attraction strategies to ensure we remain current and attractive
inanextremely competitive global tech talent market
•
Building strategic partnerships with organisations to support our
commitment to create an inclusive and diverse environment
•
Connecting the initiatives at every stage of colleagues’ lives and
careers to create enriched career pathways and achieve the best
return for investment with improved colleague retention. Initiatives
include work experience, the Next Generation Talent programme,
mentoring and CyberFirst bursaries and alumni programmes
Committee effectiveness
For the reasons described in the Chair’s Introduction to Governance,
noBoard or Committee evaluation was carried out during the year.
External search consultancies
During the year, no external search agencies were engaged.
Chris Stone
Chair, Nomination Committee
11 December 2025
Nomination Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202578

The Cyber Security Committee’s objectives
andresponsibilities
The Cyber Security Committee is responsible for assessing the
performance of the Group’s internal security and defences and as such
its duties are to:
•
Oversee and advise the Board on the current cyber risk exposure
ofthe Group and future cyber risk strategy
•
Review at least annually the Group’s Cyber Security breach
response and crisis management plan
•
Review reports on any Cyber Security incidents and the adequacy
ofresulting actions
•
Receive and consider the regular update reports from the DIS and
GC and ensure the DIS and GC are given the right of direct access
to the Committee
•
Consider and recommend actions in respect of all cyber and data
protection risk issues escalated to it
•
Keep under review the effectiveness of the Group’s controls,
services and products to analyse potential vulnerabilities that could
be exploited
•
Regularly assess what the Group’s most valuable intangible assets
are and the most sensitive Group and customer information and
assess whether the controls in place sufficiently protect those assets
andinformation
•
Review the Group’s ability to identify and manage new cyber risks
•
Assess the adequacy of resources and funding for data protection
and Cyber Security defence and control activities
•
Regularly review the cyber and data protection risk posed by third
parties including outsourced IT and other partners
•
Oversee Cyber Security and data protection due diligence
undertaken as part of an acquisition and advise the Board of the
riskexposure
•
Annually assess the adequacy of the Group’s cyber insurance cover
The Committee’s terms of reference can be found in the Investor
Relations section of the Company’s website. The terms of reference
arereviewed annually and updated when necessary.
The Cyber Security Committee was formed to focus specifically on the
cyber and data protection risks faced by the Group. This reflects the
significant threat posed by cyber risks, the nature of our business and
the potential damage to the business as a high value target for malicious
acts. The Committee’s activities aim to challenge and support improvements
to the Group’s information security and data protection policies, defences
and controls, so as to comply with global data protection regulations around
the world, and ensure that the Group looks after its own information,
and the information that its customers entrust to it, with the proper care
and attention.
The Committee was formed in November 2016 and I have been Chair
since July 2022.
Jennifer Duvalier and Lynn Fordham (both Independent Non-Executive
Directors) served as members of the Committee throughout the year.
Chris Stone (Company Chair) is also a member of the Committee.
The Group’s SVP, Global Governance, Estates and Procurement, the
Director of Internal Security (DIS), and the Group General Counsel
(also Head of Data Governance) (GC) are standing invitees of the
Committee. The Executive Directors are invited to attend Committee
meetings when the Committee considers it to be appropriate, as are
the Data Protection and Governance Officers.
Julie Chakraverty
Chair, Cyber Security Committee
Cyber Security Committee report
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 79

Committee effectiveness
For the reasons described in the Chair’s Introduction to Governance,
no Board or Committee evaluation was carried out during the year.
During the year the Committee, along with the Board, reaffirmed that
Cyber Security and data protection are sufficiently important risks for
the business and that the Committee should remain focused on this
specific set of risks. Therefore, the current structure in which the
responsibility for broader risk management remains with the Audit
Committee will continue.
Committee activities during the year
The continuing focus, in terms of Cyber Security, was ensuring the risks
to the Group remained well documented and the types of threats and
attacks were well understood, building on a risk analysis which was
performed during the year before to ensure cyber risks map to the
enterprise risk architecture, and the work of the Global Technical
Services (GTS) security team wastailored to the highest value areas.
Training has been a critical area once again this year, with an increased
emphasis on identifying phishing emails as this is an attack vector that
is frequently observed. All colleagues now partake in monthly phishing
exercises that cycle through difficulty levels to target different attacker
sophistication, with educational assistance sent out post-exercise to
help identify suspicious elements of an email that may indicate a
phishing attack. Board training and updates on developments within
Cyber Security are also provided regularly.
Turning to data protection, the regulatory landscape is continually
evolving – this past year saw regulatory updates including the Data
(Use and Access) Act 2025 (UK), the phased implementation of certain
aspects of the European Union Artificial Intelligence Act (EU AI Act), and
changes to Australia’s Privacy Act coming into effect, to name a few.
The data protection and governance team, along with colleagues in the
Group legal team, is working closely to stay abreast of such changes
and support the business accordingly. The team has also continued to
experience a number of Data Subject Rights Requests it receives as
individuals become more aware of their rights under GDPR.
Noteworthy highlights since our previous report include:
•
All Rights Requests received this year have been fulfilled within
legally compliant time periods.
•
Considerable work has gone into our public facing policies and
notices. The transparency of information provided to the public and
colleagues has significantly improved in line with best practice. This
includes the candidate notice (which is available in English, Spanish
and, in the coming weeks, Dutch) and sub-processor and third party
processor information, amongst others.
•
The project to transfer our Records of Processing Activities into
aunified system nears completion.
Following last year’s work on the standard terms and conditions,
furtherwork has been done to strengthen the Group’s data protection
position in client contracts through updates to the data processing
agreements. Additionally, appendices have been drafted for each
service line. Thisprovides clarity to clients and ensures a tailored
andcommercialapproach.
Committee meetings
During this financial year, although the Committee only met once,
meetings were held in September 2024 and October 2025 in the weeks
just preceding and following the financial year. The attendance of
individual Committee members at the Cyber Security Committee
meetings is shown in the table on page 65.
Julie Chakraverty
Chair, Cyber Security Committee
11 December 2025
Cyber Security Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202580

Remuneration Committee report
Base salaries
During the year ended 30 September 2025, the Committee reviewed
and benchmarked both the CEO’s and CFO’s salary. The Committee
increased the CEO’s base salary by 2.5% taking Mike’s salary from
£561,350 to £575,384, with effect from 1 June 2025, which was slightly
lower than the increase for the wider workforce (circa 2.9%).
After due deliberation, the Committee agreed to increase Guy Ellis’s base
salary by 9.6% from £312,000 to £342,000 with effect from 1 June 2025.
As a reminder, on appointment (in June 2023), Guy’s salary was set
somewhat below the benchmark level (against similar sized peers
operating in IT services and adjacent sectors). Since then, Guy has not
just settled into the role but has exceeded expectations with positive
engagement with shareholders and significant contribution to various
initiatives. For these reasons we felt it was appropriate to award an
above workforce rate increase. Alongside this increase, the Committee
also increased Guy’s notice period from 6 to 12 months, recognising
hiscontribution to the business and the need to retain him for the
medium to long term.
For the forthcoming financial year, the Committee has taken the decision
toincrease Guy’s salary by a further 9.6% from £342,000 to £375,000,
with effect from 1 October 2025. The Committee was very mindful that
this increase follows shortly after the previous increase. However, since
the departure of the CIO, Guy is now also responsible for the Global
Technical Services (GTS) function. This is a significant change and step
up in Guy’s scope of responsibilities for which the Committee wanted to
ensure he was appropriately remunerated. It is anticipated at this stage
that future increases for Guy will be aligned to those for the workforce.
Performance related pay – annual bonus
The annual bonus targets for the year ended 30 September 2025 for
both the CEO and CFO were based on the satisfaction of stretching
financial and strategic targets.
The financial target of Group Adjusted operating profit for the year to
30September 2025 had a weighting of 60%. Group Adjusted operating
profit was £23.7m and this resulted in a payout of 24.8% of the 60%.
The strategic objectives had a weighting of 40% and covered a number
of areas supporting the pillars of the strategy, together with people and
operational excellence objectives.
The Committee determined that the strategic element should pay
outat36.5% for the CEO, and 40% for the CFO. Further detail on
performance against strategic objectives is provided later in the report.
This resulted in a total bonus for the year of 61.3% for the CEO and
64.8% for the CFO of maximum resulting in a bonus payout of £433,719
for the CEO and £260,820 for the CFO.
For both the CEO and CFO, 35% of the aggregate bonus in excess of
£50,000 earned over the year to 30 September 2025 will be deferred
into shares and will vest after two years. Clawback and malus
provisions are also in place for the bonus.
The Committee considered whether it should exercise any discretion
tothe bonus outcomes. The Committee concluded that the aggregate
outcomes from the financial and the strategic, non-financial elements
were a fair reflection of the performance in the relevant areas, and the
Committee therefore decided not to exercise any discretion.
For 2025/26, the Committee has considered the weighting of metrics
inthe annual bonus. The Committee concluded that the weighting on
the Group Adjusted operating profit should be maintained at 60% of
maximum, to continue to give appropriate emphasis to this metric. The
remaining 40% will apply to key strategic metrics, with stretching targets.
These will include targets linked to the pillars of the strategy, together
with people and operational excellence objectives. These will be fully
disclosed in the Remuneration Report for 2025/26.
On behalf of your Board, I am pleased to present our Directors’
Remuneration Report (DRR) for the year ended 30 September 2025.
The report is divided into three sections: the Remuneration Committee
Chair’s Statement, a brief summary of the shareholder approved
Directors’ Remuneration Policy for the period 2025–2028, and the
Annual Report on Remuneration for FY25.
At the AGM in January 2025, 80.33% of shareholders voted in favour of
the Directors’ Remuneration Report and 89.61% of shareholders voted
in favour of the Directors’ Remuneration Policy, and I would like to thank
shareholders for their continuing support on both these areas.
Annual statement
The Committee comprised Julie Chakraverty, Lynn Fordham and me
asChair. Our Board Chair, Chris Stone, also attended all meetings. Our
remuneration consultants, Chief People Officer, Director of Reward and
Benefits, CEO and other Executives, including the SVP, Group Finance,
were invited to meetings as required, although we always ensure that we
have time without Executives present, and no Executive was present
when decisions relating to their own reward were made.
The Committee closely monitors shareholder guidance and feedback
on remuneration. Shareholder voting on AGM remuneration resolutions
is reviewed annually, shareholders are consulted when changes to policy
are being considered and major shareholders have the opportunity to
provide annual feedback to the Board and Remuneration Committee on
NCC Group’s remuneration approach at annual engagement meetings.
Remuneration Policy and changes
Throughout the year ended 30 September 2025, we operated both
within the Remuneration Policy that was approved by shareholders
atthe AGM in November 2021 (until 28 January 2025), and then the
Remuneration Policy that was approved by shareholders at the AGM
inJanuary 2025 (from 28 January 2025).
The main changes to our Remuneration Policy were summarised
withinthe 2024 Remuneration Report, along with information as to how
we dealt with our change in year end from 31 May to 30 September,
andhow we dealt with a longer 16 month accounting period to
30September 2024.
Jennifer Duvalier
Chair, Remuneration Committee
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 81

Annual statement continued
Performance related pay – LTIP
During the year ended 30 September 2025, no LTIP awards were made
to either the CEO or CFO. As reported in the 2024 Directors’ Remuneration
Report, for the LTIP awards made in June 2024, the Committee proposed
an uplift to the award opportunity for all long-term incentive participants
of four months to allow for a smoother transition between LTIP grants
given the change to the accounting reference date. In the future, awards
will be granted in January with the performance period starting on
1October. Our next cycle of LTIP awards is scheduled to take place
ineither December 2025 or January 2026. The performance period for
these LTIP awards will be 1 October 2025 to 30 September 2028.
The 2022 LTIP (in which only the CEO participated) vested at 20% of
maximum. This was based on the cash conversion element (weighting
20%) being achieved in full, but with below-threshold achievement of
the EPS growth and TSR metrics. The Committee considered whether
any downward discretion should be applied to the overall vesting
outcome. It concluded that it remained important to recognise and
continue to incentivise strong levels of cash conversion and that it
would not be appropriate to apply discretion to the payment outcome
given the relatively low weighting on this element. The Committee also
considered NCC Group’s underlying performance and the experience
of both our shareholders and wider workforce.
Non-Executive Director and Chair’s fees
In accordance with our Remuneration Policy, the fees for Non-Executive
Directors were reviewed by the Company Chair, CEO and CFO, based on
data provided by our remuneration consultants. After careful consideration,
it was determined that these would be increased by 5% during 2024/25
with the increases being effective 1October2024. Thiswas against
benchmarked data and the fact that Non-Executive Directors had not
had any increases to base fees since 1 June 2022.The base fee was
increased from £51,500 to £54,000.
The Remuneration Committee also conducted a review of the fees for
the Board Chair, utilising data provided by our remuneration consultants.
After careful consideration, it was determined that these would be
increased by 5% during 2024/25 with the increases being effective
1October 2024. This was against benchmarked data and the fact that
the Chair fee had not had any increases since 1June2022. The base fee
was increased from £154,500 to £162,225. In addition, in December 2025
the Committee increased the Chair’s base fee by 2.5% taking Chris’s
fee from £162,225 to £166,280, with effect from 1 October 2025, which
was slightly lower than the increase for the wider workforce (circa 2.9%).
Details of these fees and allowances are given in the Annual Report
onRemuneration on page 92
Grants of shares under a below-Board Restricted
Share Plan to broaden colleague share ownership
We remain committed to broadening share ownership throughout the
Group, both as a reward and a retention tool. During the year, we made
further grants to over 170 colleagues under our Restricted Share Plan
(RSP) in January 2025, and in July 2025 made an inaugural grant to
allcolleagues, around 120, in the Philippines who had passed their
probation period.
In addition, we also offered colleagues the opportunity to participate
inour Save As You Earn/stock purchase share plans in the UK, the US,
Canada, the Netherlands, Australia, Spain and (for the first time) the
Philippines. Once again, these proved popular with high take-up levels.
The Group also continues to operate and actively promote the Share
Incentive Plan (SIP) for UK-based colleagues, further increasing our
commitment to cost effective colleague share ownership.
Colleague engagement
There are a number of existing channels of communication with
colleagues with regard to NCC Group’s remuneration policies and
executive remuneration. Our engagement survey enables colleagues to
provide feedback confidentially on many employment issues, including
remuneration. Our designated NED for workforce engagement also
held a number of colleague engagement sessions during the year in
which colleagues were invited to provide feedback and comments on
any issue, including executive remuneration and broader remuneration
policies. In particular, a question and answer discussion is always held
on executive remuneration and how this aligns with the wider Company
pay policy. Our designated NED also reminds colleagues where the
information can be located and answers any questions as they arise.
The Committee also receives regular feedback from the Chief People
Officer and the Director of Reward and Benefits on how colleagues
perceive our remuneration policies and practices in the context of
recruitment, retention and motivation. This information is used by the
Committee in its monitoring and development of remuneration policies.
Conclusion
The 2025 Directors’ Remuneration Report will be put to the usual
annualadvisory vote at the AGM on 3 March 2026. The Committee
iscommitted to engagement and transparency and I welcome the
opportunity for discussion of the Group’s remuneration with shareholders,
at our AGM or at any other time during the year, and look forward to
your continuing support.
Jennifer Duvalier
Chair, Remuneration Committee
11 December 2025
Remuneration Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202582

Remuneration at a glance
The Directors’ Remuneration Policy was approved by shareholders at the AGM on 28 January 2025 and our approach to implementing this for our
Executive Directors can be found below:
Element Approach Approach for FY25 Approach for FY26
Salary Reviewed annually taking into account Group
and personal performance. Increases are
normally in line with the wider workforce but
also take into account other factors such as
changes to responsibility, development and
complexity of the role.
Salaries from 1 October 2024:
•
Mike Maddison (CEO) –
£561,350
•
Guy Ellis (CFO) – £312,000
until 1 June 2025, £342,000
from 1 June 2025
Salaries from 1 October 2025:
•
Mike Maddison (CEO) –
£575,384
•
Guy Ellis (CFO) – £375,000
Benefits Benefits principally include private
medicalinsurance, income protection
andlifeassurance.
As per the policy. No change for FY26.
Pension Pensions for FY25 were in line with
themaximum employer contribution available
tothe majority of the workforce.
Pensions in line with the
workforce rate of 4.5% ofsalary.
No change for FY26.
Annual bonus Maximum annual bonus of 125% of salary.
35% of any bonus payment in excess of
£50,000 is normally deferred into shares or
nominal cost share options which vest after
atwo year period.
Malus and clawback provisions apply.
Maximum annual bonus of 125%
of salary.
Performance measures:
•
60% Adjusted operating profit
•
40% strategic objectives
No change for FY26.
Long Term
IncentivePlan
Maximum annual award levels:
•
Mike Maddison (CEO) – 175% of base salary
•
Guy Ellis (CFO) – 150% of base salary
Awards have a performance period of at least
three years and are normally subject to a further
holding period of two years.
Malus and clawback provisions apply.
For FY25, neither of the
Executive Directors were
grantedawards.
LTIP awards are expected to
bemade in December 2025/
January 2026 during the financial
year ending 30September 2026,
which will be for performance
period 1October 2025 to
30September 2028.
Shareholding
requirement
200% of salary.
Post-cessation shareholding guidelines of 200% of
salary for year one and 100% of salary for year
two after stepping down as an Executive Director.
As per the policy. No change for FY26.
FY25 annual bonus outcome
Performance measure Threshold (20%) Target (40%) Maximum (60%) Actual Weighting Outcome achieved
Adjusted
operatingprofit
£23 .1m £25.6m £ 29.1m £23.7m 60% 24.8%
Strategic The strategic targets were set individually for the Executive
Directors based on key strategic objectives for the year in their
area of responsibility – more details can be found on page 86.
Strategic
(seepage86)
40% CEO – 36.5%
CFO – 40.0%
Total 100% 100% CEO – 61.3%
CFO – 64.8%
2022 LTIP award outcomes
Performance measure
Threshold
(15% vesting)
Target
(50% vesting)
Maximum
(100% vesting) Actual Weighting Outcome achieved
Adjusted EPS growth 6% N/A 18% (31%) 60% 0%
Cash conversion 80% 85% 90% 92% 20% 20%
TSR Median N/A Upper quartile Lower quartile 20% 0%
Total 100% 20%
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 83

Annual Report on Remuneration
This part of the report has been prepared in accordance with Part 3 of The Large and Medium-sized Companies and Groups (Accounts and Reports)
(Amendment) Regulations 2013 as amended and 9.8.8R of the Listing Rules.
The following report will be subject to an advisory shareholder vote at the AGM, which is scheduled to be held on 3 March 2026. The information
onpages 81 to 93 has been audited where indicated.
How the Remuneration Policy has been implemented in the year ended 30 September 2025
This section sets out how the Remuneration Policy was implemented in 2024/25. The key implementation decisions during the year related to:
•
Review of salaries for the Executive Directors
•
The determination of bonus outcomes for the 2024/25 performance period
•
The performance outcome of the 2022–2025 LTIP
Further detail on these decisions, together with other information on payments made to Directors, is set out in the following sections.
Single total figure of remuneration (audited)
The detailed emoluments received by the Executive and Non-Executive Directors for the year ended 30 September 2025 are below. For ease of
comparison, a 12 month period to 30 September 2024 has also been shown (these figures are, however, unaudited, with the audited figures being
the 16 month period to 30 September 2024).
Director Period ended
Salary/
Non-Executive
Director fees
1
£000
Benefits
2
£000
Pension
benefits
3
£000
Total
fixed pay
£000
Annual
bonus
4
£000
Long-term
incentive
5
£000
Total
variable
pay
£000
Total
£000
Chris Stone 30 Sept 2025 171 — — 171 — — — 171
12 months to
30Sept 2024 163 — — 163 — — — 163
16 months to
30Sept 2024 217 — — 217 — — — 217
Mike Maddison 30 Sept 2025 566 7 26 599 434 127 561 1,160
12 months to
30Sept 2024 550 7 24 581 582 — 582 1,163
16 months to
30Sept 2024 710 14 32 756 757 — 757 1,513
Guy Ellis
8
30 Sept 2025 322 6 14 342 261 — 261 603
12 months to 30
Sept 2024 304 6 14 324 301 — 301 625
16 months to 30
Sept 2024 379 8 17 404 380 — 380 784
Julie Chakraverty
6
30 Sept 2025 88 — — 88 — — — 88
12 months to
30Sept 2024 85 — — 85 — — — 85
16 months to
30Sept 2024 114 — — 114 — — — 114
Jennifer Duvalier 30 Sept 2025 70 — — 70 — — — 70
12 months to
30Sept 2024 67 — — 67 — — — 67
16 months to
30Sept 2024 90 — — 90 — — — 90
Lynn Fordham
7
30 Sept 2025 70 — — 70 — — — 70
12 months to
30Sept 2024 67 — — 67 — — — 67
16 months to 30
Sept 2024 90 — — 90 — — — 90
Mike Ettling 30 Sept 2025 59 — — 59 — — — 59
12 months to
30Sept 2024 56 — — 56 — — — 56
16 months to
30Sept 2024 75 — — 75 — — — 75
Tim Kowalski 30 Sept 2025 — — — — — — — —
12 months to
30Sept 2024 — — — — — — — —
16 months to
30Sept 2024 28 2 1 31 — — — 31
Chris Batterham 30 Sept 2025 — — — — — — — —
12 months to
30Sept 2024 — — — — — — — —
16 months to
30Sept 2024 28 — — 28 — — — 28
Total 30 Sept 2025 1,346 13 40 1,399 695 127 822 2,221
12 months to
30Sept 2024 1,292 13 38 1,343 883 — 883 2,226
16 months to
30Sept 2024 1,731 24 50 1,805 1,137 — 1,137 2,942
Remuneration Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202584

1 The Chair and Non-Executive Directors each receive an allowance paid as part of their base fees of £8,200 and £4,750 respectively, to cover all travel and expenses related to their
roles on the Board.
2 Benefits currently include the provision to every Executive Director of private medical insurance, income protection and life assurance. Benefits also include the discount to market value
(plus savings bonus) of the SAYE option granted to Guy Ellis during the financial year.
3 Executive Directors are entitled to a Company pension contribution, which is paid into the Group defined contribution personal pension scheme. They can also opt to have the same
level of contribution made in the form of a cash contribution.
4 Annual bonus payments for performance in the relevant financial year – 35% of this bonus above £50,000 is deferred into nominal cost share options for two years. Dividend equivalents
accrue on these shares. Awards are subject to service conditions but there are no further performance conditions.
5 Long-term incentive awards vesting under the LTIP – 87,281 shares vested to Mike Maddison with respect to the LTIP granted in 2022 which had a performance period ending on
30September 2025. These have been valued using a share price of £1.45, which is the three month average share price over July, August and September 2025. These shares were
awarded based on a share price of £2.005 on the day before the date of grant. As a result, the change in share price since the date of grant has resulted in an loss in value of £48,441.
GuyEllis did not have any LTIP awards vesting during the year to 30 September 2025.
The awards made to Tim Kowalski are covered within payments to former Directors.
6 Julie Chakraverty joined the Board on 1 January 2022 and took over from Jennifer Duvalier as the designated Non-Executive Director for workforce engagement on behalf of the
Board.On 1 July 2022, Julie took over from Chris Stone as Chair of the Cyber Security Committee, and on 1 February 2023 she took over from Chris Batterham as the Senior
Independent Director.
7 Lynn Fordham was appointed to the Board on 1 September 2022 and became Chair of the Audit Committee on 1 February 2023.
8 Guy Ellis was appointed CFO on 30 June 2023.
Additional information in respect of the single total figure of remuneration
Pension and benefits
The CEO’s and CFO’s pension provisions are in line with the level of the wider workforce, which is currently 4.5% of salary. These are either paid
aspension contributions, or cash in lieu of pension.
Annual bonus (audited)
2024/25 annual bonus (audited)
For the year ended 30 September 2025, the maximum annual bonus opportunity for Mike Maddison and Guy Ellis was 125% of salary. For the
12months ended 30 September 2025, bonuses of 61.3% for the CEO and 64.8% for the CFO of maximum were payable, being £433,719 and
£260,820 respectively for Mike Maddison and Guy Ellis. In accordance with the Remuneration Policy, 35% of each payment (above £50,000) will
be deferred into nominal cost share options for two years (these shares are subject to service conditions but there are no further performance
conditions), with the remaining 65% paid in cash in December 2025. The performance measures and targets are set out below.
Financial targets – up to 60% of the annual bonus for the financial year to 30 September 2025 (audited)
Performance targets Mike Maddison Guy Ellis
Threshold
(20%)
Target
(40%)
Max.
(60%) Actual Weighting Outturn Weighting Outturn
Adjusted operating
profit
1
, target for CEO
and CFO £ 23.1m £25.6m £ 29.1m £23.7m 60% 24.8% 60% 24.8%
Strategic The strategic targets were set individually for the Executive
Directors based on key strategic objectives for the year
intheir area of responsibility – see below. 40% 36.5% 40% 40%
Total payout (% of bonus) 100% 61.3% 100% 64.8%
Bonus opportunity £707,535 £402,500
Total bonus for the year to 30 September 2025 £433,719 £260,820
Amount paid in cash (65%) £299,417 £187,033
Amount deferred in shares (35%) £134,302 £73,787
1 Adjusted operating profit – previous measure is an Alternative Performance Measure (APM) and not an IFRS measure. (See Note 3 for an explanation of APMs and adjusting items.)
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 85

Annual Report on Remuneration continued
Additional information in respect of the single total figure of remuneration continued
Annual bonus (audited) continued
Strategic targets – up to 40% of the annual bonus for the financial year to 30 September 2025 (audited)
The table below highlights the key strategic targets and achievements for each Executive Director. Bonus target ranges have been disclosed
totheextent possible, but the achievement of some areas is determined by the Committee based on its judgement of performance.
Bonus award (% of
maximum total bonus)
Year ended
30 September 2025
Target and performance conditions Outcome Weighting Outcome
CEO targets
Our clients Ensure that the organisation is better equipped to grow sales in key areas of focus. 10% 10%
Our capabilities Improve NCC Group’s revenue trajectory in agreed investment areas of our four
cybercapabilities. 7.5% 6.5%
Global delivery Ensure the successful rollout of Kantata and effective use of our global resources. 7.5% 7.5%
Differentiated brands Build profile (top of the funnel) to drive greater demand within key markets.
Drive demand within key markets to build pipeline. 5% 5%
People and operational excellence Simplify business operations and structure, globalise processes, and reducecosts.
Set up and operate during FY25 regional operating and governance/compliance
boards in all regions.
Demonstrate a commitment to improving engagement across the business
bytaking action on opportunities identified through Glint surveys.
Focus on developing a client-focused culture, driving service excellence. 5% 5%
Insight, innovation and intelligence Develop innovative services that capitalise on advances in AI, data sharing
and/orautomation, to build reputation, grow thought leadership and research
activity andimprove revenue growth and profitability. 5% 2.5%
CEO outcome 40% 36.5%
CFO targets
Our clients Ensure that we are selling and delivering work that drives improved margins. 5% 5%
Global delivery Ensure the successful rollout of Kantata and effective use of our global resources. 7.5% 7.5%
People and operational excellence Simplify business operations and structure, globalise processes, and reducecosts.
Set up and operate during FY25 regional operating and governance/compliance
boards in all regions.
Demonstrate a commitment to improving engagement across the business
bytaking action on opportunities identified through Glint surveys.
Focus on developing a client-focused culture, driving service excellence. 27. 5% 27.5%
CFO outcome 40% 40%
Remuneration Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202586

Long Term Incentive Plan (LTIP) vesting (audited)
The LTIP awards made in October 2022 (with a performance period of 1 June 2022 to 30 September 2025) will vest in December 2025.
MikeMaddison was a beneficiary of these and achieved a vesting of 20% of the award of 436,408 shares, being 87,281 shares.
Executive
Number of
LTIP awards Basis Performance period
Mike Maddison 436,408 175% of base salary 1 June 2022 to 30 September 2025
The performance conditions for these awards are set out below:
Weighting Component Metric
Threshold
(15%
vesting)
Maximum
(100%
vesting)
Actual
performance
Actual %
vested Vesting basis
60% Adjusted basic
EPS – previous
measure
2,3
CAGR growth over a
threeyearperiod
6% 18% (31%) 0% Straight line between
threshold and maximum
20% Cash conversion
– previous
measure
2,4
Average cash conversion
4
ratio
– previous measure over a
three year period
80% 90% 92% 20% Straight line between
threshold and target, then
target and maximum
20% TSR TSR over three years vs FTSE
250 comparator group
(excluding investment trusts)
Median Upper
quartile
Lower
quartile
0% Straight line between
threshold and maximum
Total 20%
Long-term incentives granted during the financial year to 30 September 2025 (audited)
During the financial year to 30 September 2025, neither of the Executive Directors were granted awards.
SAYE options granted in the year ended 30 September 2025 (audited)
The Group operates an HMRC-approved SAYE scheme. All eligible colleagues, including Executive Directors, may be invited to participate on
similar terms for a fixed period of three years. During the year, Guy Ellis joined the 2025 SAYE scheme (which will mature on 1 September 2028)
and has options over 9,668 shares with an option price of £1.1387. No awards vested this year for either Executive Director.
Payments for loss of office and to past Directors (audited)
No payments were made for loss of office during the year. Tim Kowalski stepped down as CFO on 30 June 2023. The LTIP awards made in October
2022 (with a performance period of 1 June 2022–30 September 2025) will vest in December 2025. Tim Kowalski was a beneficiary of these and
achieved a vesting of 20% of the award of 97,951 shares, being 19,590 shares (the original number of shares granted was 248,857 shares which
was pro-rated for service). These awards are subject to the post-employment shareholding guideline.
Directors’ interests in shares (audited)
The tables below set out details of the Executive Directors’ outstanding share awards, which will vest in future years subject to performance
conditions and/or continued service.
Summary of maximum LTIP awards outstanding
Total LTIP
options held at
30 September
2024
1
Granted
during the
year
Exercised
during the
year
Share price
on date of
exercise
Lapsed
duringthe
year
Total LTIP
options
held at
30 September
2025
1
Mike Maddison 2,399,730 — — N/A 349,127 2,050,603
Guy Ellis 845,639 — — N/A — 845,639
1 Includes only unvested and unexercised LTIP options.
2 Adjusted basic EPS – previous measure
3
, cash conversion – previous measure
4
, and cash conversion ratio – previous measure are Alternative Performance Measures (APMs) andnot
IFRS measures. See Appendix 1 and Financial Review for an explanation of APMs and adjusting items.
3 Adjusted basic EPS – previous measure is statutory basic EPS before share-based payments, amortisation of acquired intangibles and Individually Significant Items and the tax
effectthereon.
4 Cash conversion – previous measure ratio percentage of net cash flow from operating activities before interest and tax divided by Adjusted EBITDA – previous measure.
All awards granted under the LTIP are subject to continued employment and the satisfaction of the performance conditions as set out above.
Theawards were all nil-cost options.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 87

Annual Report on Remuneration continued
Share ownership (audited)
The beneficial and non-beneficial interests of the current Directors in the share capital of NCC Group plc at 30 September 2025 are set out below.
(Details of Executive Director shareholding requirements and achievement against these are set out below.)
Beneficial interests
inordinaryshares
1
Nil-cost options subject
toperformance
2
SAYE options
3
Deferred bonus nil-cost
options
4
Vested
butunexercised
nil-cost options Total
30 Sept
2025
30 Sept
2024
30 Sept
2025
30 Sept
2024
30 Sept
2025
30 Sept
2024
30 Sept
2025
30 Sept
2024
30 Sept
2025
30 Sept
2024
30 Sept
2025
30 Sept
2024
Chris Stone 756,195 712,843 — — — — — — — — 756,195 712,843
Mike Maddison 171,707 148,063 1,963,322 2,399,730 18,699 18,699 189,683 13 0,19 0 87,281 — 2,430,692 2,696,682
Guy Ellis 1,602 3,533 845,639 845,639 9,668 — 98,967 70,901 — — 955,876 920,073
Julie Chakraverty 63,914 63,914 — — — — — — — — 63,914 63,914
Jennifer Duvalier 19,115 19,115 — — — — — — — — 19,115 19,115
Mike Ettling 50,000 50,000 — — — — — — — — 50,000 50,000
Lynn Fordham 50,000 50,000 — — — — — — — — 50,000 50,000
1 This information includes holdings of any connected persons.
2 These awards represent the outstanding LTIP interests, included in the table above, which are due to vest after 30 September 2025.
3 Representative SAYE scheme interests, which will vest after the end of the three year savings period in 2027, or 2028.
4 Nominal cost share options granted under the deferred bonus plans, subject to a service condition, tax and National Insurance (for Guy Ellis, awards made under the Restricted Share
Plan of 9,450 shares made prior to his promotion to CFO are also included in this figure). During the year, awards were made under the Deferred Annual Bonus Schemes to the CEO
andCFO of 59,493 shares and 33,066 shares respectively, which had a face value of £81,864 and £45,500 respectively.
Following the year ended 30 September 2025, the following Directors dealt shares under the colleague HMRC approved UK Share Incentive Plan.
The number of shares traded are shown below:
•
On 17 October 2025, Mike Maddison and Guy Ellis purchased 113 and 56 shares respectively at £1.4527.
•
On 17 November 2025, Mike Maddison and Guy Ellis purchased 114 and 57 shares respectively at £1.4487.
Shareholding requirements (audited)
The Executive Directors are expected to build and retain a shareholding in the Group equivalent to at least 200% of base salary. Executives will
normally be required to retain all vested deferred bonus shares and LTIP shares released from the holding period, until they have attained the
minimum shareholding requirement and, even then, only when they have held vested LTIP shares for a minimum period of two years. Executive
Directors will also be required to retain all shares vesting from SAYE schemes. For the avoidance of doubt, Executive Directors are permitted to
sellsufficient shares in order to meet any tax obligation arising from vesting shares.
The table below sets out the Executive Directors’ shareholding requirements and achievement against these. The percentages within this table
have been calculated using a three month average share price (1 July 2025 to 30 September 2025) of £1.45, and include all unvested deferred
bonus plans on a net of tax and National Insurance basis.
Shareholding
requirements
(% of salary)
Shareholding
as at
30 September
2025
(% of salary)
Requirement
met
Mike Maddison 200% 69% No
Guy Ellis 200% 21% No
Relative importance of the spend on pay
The table below presents the percentage change in total colleague remuneration relative to total dividends (interim and final) for the current and
prior financial periods.
12 month
financial
yearto
30 September
2025
£m
16 month
financial
period to
30 September
2024
£m % change
Colleague remuneration costs
1
203.3 283.6 (28.3%)
Dividends for the period 14.5 24.3 (40.3%)
1 Based on the figure shown in Note 6 to the consolidated Financial Statements.
Remuneration Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202588

Percentage change in the remuneration of Directors
The table below shows the movement in the salary or fees, benefits and annual bonus for each Director over the last five financial years compared
to the equivalent changes for all colleagues of the Company.
The comparator group for salaries and benefits is all colleagues in the UK. During the year, UK-based colleagues were provided with a medical
cash plan, along with the addition of critical illness cover. There are no employees of NCC Group plc.
The comparator group for the bonus is those in the senior management population who also have an annual scheme and excludes those on
commission and incentive plans.
Executive Directors
Year Mike Maddison (CEO) Guy Ellis (CFO) All colleagues
% increase
insalary
2024/25 2.5% 9.6% 4.67%
2023/24 (16 months) 18.6% — 7.4%
2023/24 (12 months) 16.5% — 6.7%
2022/23 — — 7. 9 %
2021/22 — — 5.1%
2020/21 — — 5.1%
% increase
inbenefits
2024/25 — — 139%
2023/24 (16 months) 950.0% — —
2023/24 (12 months) 1,000.0% — —
2022/23 — — —
2021/22 — — —
2020/21 — — —
% increase in
annual bonus
2024/25 (17.0%) 2.0% (19.0%)
2023/24 (16 months) 1,841.0% — 561.0%
2023/24 (12 months) 1,241.0% — 412.0%
2022/23 — — (89.0%)
2021/22 — — (40.0%)
2020/21 — — 1.0%
Non-Executive Directors
Non-Executive Directors do not receive benefits and are not eligible to participate in the annual bonus and therefore do not have those rows in the
table below.
Year
Chris
Stone
Julie
Chakraverty
Jennifer
Duvalier
Lynn
Fordham
Mike
Ettling
% increase
insalary
2024/25 4.7% 2.9% 3.7% 3.7% 4.4%
2023/24 (16 months) — 9.6% — 46.7% —
2023/24 (12 months) — 9.0% — 45.7% —
2022/23 3.0% 225.0% 2.0% — 2.0%
2021/22 14.0% — 29.0% — 20.0%
2020/21 (5.0%) — 2.0% — (8.0%)
The decrease and subsequent increase of NED fees in 2020/21 and 2021/22 are the results of the removal and reintroduction of the travel
allowance and a review of NED fee levels. The travel allowance was removed in 2020/21 due to the lower levels of travel resulting from the reaction
to the pandemic and then was reintroduced in 2021/22. The combination of these factors results in changes which are not reflective of changes
toNED fee levels. The changes are also affected by the comparison of fees for a full year to fees for a part year when a Director joins or leaves.
Theincrease for the CEO’s / CFO’s salary has been explained within the Committee Chair’s opening statement.
The significant increase in CEO bonus in 2023/24 from the previous year was caused by the 2022/23 bonus paying out at a very low level, with
the2023/24 bonus being paid out at a much higher level. For the 2023/24 16 month comparison, this has been annualised to provide a meaningful
comparison to the prior year.
To note that for the 2022/23 year, Mike Maddison (CEO) joined on 7 July 2022 hence the 2022/23 year is not a full year for comparison purposes.
To note that for the 2023/24 year, Guy Ellis (CFO) was appointed on 30 June 2023 hence the 2023/24 period is not a full year for comparison
purposes and there is no prior year comparator.
The increase to the CFO’s salary above the average increase to colleagues during the year has been explained earlier in the Chair’s introductory letter.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 89

Annual Report on Remuneration continued
Chief Executive pay compared to pay of UK colleagues
The following table shows the ratio between the single total figure of remuneration (STFR) of the Chief Executive for 2024/25 and the lower quartile,
median and upper quartile pay of our UK colleagues. The salary and total pay and benefits for the lower quartile, median and upper quartile
colleagues are also shown.
Total pay ratio
Financial year Method
25th
percentile
pay ratio
50th
percentile
pay ratio
75th
percentile
pay ratio
2019/20 Option B 18:1 12:1 8:1
2020/21 Option B 27:1 18:1 11:1
2020/21 Option C 26:1 16:1 12:1
2021/22 Option C 23:1 14:1 10:1
2022/23 Option C 22:1 14:1 10:1
2023/24 Option C 25:1 16:1 11:1
2023/24 (16 months) Option C 26:1 17:1 11:1
2024/25 Option C 22:1 15:1 9:1
Financial year to 30 September 2025
Mike Maddison,
CEO
25th
percentile
50th
percentile
75th
percentile
Salary (£000) 566 45 69 68
Total pay and benefits (£000) 1,16 0 52 79 122
CEO pay ratio
The CEO pay ratio has been calculated using Option C, which we deem the most appropriate methodology for NCC Group. Under Option C,
wehave used the most recent P60 information (for the 2024/25 tax year) to determine the relevant colleague at the 25th, 50th and 75th percentile.
As such the data was correct as of 5 April 2025. As in prior years, we have omitted joiners and leavers from the data to ensure that the data is on
alike-for-like basis. This option was chosen in preference to the other possibilities as it uses the most accurate and comprehensive data currently
available and provides a fair reflection of the total pay received by colleagues. We are satisfied that the applicable colleagues chosen are a fair
representation of the workforce.
The CEO pay ratio has marginally decreased due to the following reasons: the CEO had a lower than workforce average pay increase for the
reasons explained within the Committee Chair’s opening statement, the business adopted a real living wage approach, and is also considering
joining the “Living Wage Foundation”, and the pay review philosophy this year was to focus on lower paid colleagues more affected by the continued
cost of living pressures.
The pay ratio is consistent with the pay, reward and progression policies currently in place at NCC Group.
Performance graph and table
The following graph shows the total shareholder return, with dividends reinvested, from 1 October 2015 against the corresponding changes
inahypothetical holding in shares in both the FTSE All Share and FTSE 250 Indices.
The FTSE All Share and FTSE 250 Indices represent broad equity indices. The Company is a constituent member of the FTSE 250 and FTSE
AllShare Index and the Committee has adopted the FTSE 250 Index for part of its LTIP performance measure. Both indices give a market
capitalisation-based perspective.
During the financial year ended 30 September 2025, the Company’s share price varied between £1.27 and £1.73 and ended the financial year
at£1.48.
Ten year historical TSR performance is the growth in the value of a hypothetical £100 holding over ten years. It has been calculated for NCC Group
plc and the FTSE All Share, FTSE 250 and FTSE Small Cap Indices (excluding investment trusts) based on spot values.
250
200
100
150
50
0
2016 20172015 2018 2019 2020 2021 2022 2023 2024 2025
£100
£121
£73
£63
£64
£93
£79
£65
£43
£54
£79
Value (£)
NCC Group plcFTSE All Share IndexFTSE 250 (excluding investment trusts)FTSE Small Cap (excluding investment trusts)
The share price was £1.73 on 1 October 2024 and £1.48 on 30 September 2025.
Remuneration Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202590

The table below shows the total remuneration for the Chief Executive over the same ten year period, including share awards valued at the date
theyvested.
Period ended
1,2,3,4
Incumbent
Total remuneration
£000
Annual bonus
% of maximum
5
Long-term incentives
% of maximum
6
30 September 2025 Mike Maddison 1,16 0 61 20
31 May/30 September 2024 Mike Maddison 1,081/1,513 80/100 —
31 May 2023
1
Mike Maddison 1,005 7.5 —
31 May 2023
2
Adam Palser 26 — 30
31 May 2022 Adam Palser 1,081 60 59
31 May 2021 Adam Palser 1,110 92 40
31 May 2020 Adam Palser 861 23 52
31 May 2019 Adam Palser 679 48 —
31 May 2018
3
Adam Palser 292
3
32 —
31 May 2018
4
Brian Tenner 257
4
32 —
31 May 2017 Rob Cotton 610 — —
31 May 2016 Rob Cotton 1,091 70 20
1 Mike Maddison was appointed on 7 July 2022. The amount above is in respect of the period from 7 July 2022 to 31 May 2023. Mike Maddison was not eligible for long-term incentives
vesting in 2023 and 2024. However, LTIP awards vested at 30% and 30% in 2023 and 2024 respectively.
2 Adam Palser stepped down from the Board on 17 June 2022. The amount above is in respect of the period from 1 June 2022 to 17 June 2022.
3 Adam Palser was appointed on 1 December 2017. The total remuneration figure above is in respect of the period from 1 December 2017 to 31 May 2018.
4 During the year ended 31 May 2018, Brian Tenner acted as Interim Chief Executive Officer for the period 1 June 2017 to 30 November 2017. The total remuneration figure above
isthetotal remuneration received in relation to that six month period.
5 Note that this shows the annual bonus payments as a percentage of the maximum opportunity. (For 2024, 80% relates to the 12 months to 31 May 2024, and 100% relates to the
fourmonths to 30 September 2024. Two figures are shown due to the change in financial year end and the 16 month financial period.)
6 This shows the LTIP vesting level as a percentage of the maximum opportunity.
Membership and attendance
The Remuneration Committee membership consists solely of Non-Executive Directors and comprises Jennifer Duvalier, Julie Chakraverty
andLynnFordham.
The Company Chair, Chief Executive Officer, SVP, Group Finance, Chief People Officer, Director of Reward and Benefits and Company Secretary
attend the Remuneration Committee meetings by invitation of the Chair of the Committee from time to time and assist the Committee with its
considerations. No Director is involved in setting their personal remuneration.
The attendance of individual Committee members at Remuneration Committee meetings is shown within the table on page 65.
Committee effectiveness
For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year.
Further information can be found on page 68
Adviser to the Committee
During the year, the Committee received advice on senior executive remuneration from Mercer and was comfortable that the advice was objective
and independent. Mercer was appointed via an open tender process. Mercer is a founding member of the Remuneration Consultants Group and is
a signatory to its Code of Conduct. The total fee charged in 2024/25 for providing advice in relation to executive remuneration was £75,364 with
fees being determined on a time and expenses basis.
Service contracts and letters of appointment
The service contracts and letters of appointment of the current Directors include the following terms:
Date of contract Notice period
Executive
Mike Maddison 28 April 2022 12 months
Guy Ellis 30 June 2023 12 months
Non-Executive
Chris Stone 31 March 2017 3 months
Julie Chakraverty 27 October 2021 3 months
Jennifer Duvalier 25 April 2018 3 months
Mike Ettling 21 September 2017 3 months
Lynn Fordham 19 July 2022 3 months
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 91

Annual Report on Remuneration continued
How will the Remuneration Policy be implemented in the year ending 30 September 2026?
Executive Directors’ base salaries
Increases were made to the base salaries of both Executive Directors for the year ended 30 September 2025. The table below details the Executive
Directors’ salaries as at 30 September 2025 and salaries which are in force on 1 October 2025, with the next review of salaries taking place during
the year ending 30 September 2026, in line with the wider workforce.
Base salary
at 30
September
2025
£000
Base salary
at 1 October
2025
£000 % change
Chief Executive Officer – Mike Maddison 575 575 0%
Chief Financial Officer – Guy Ellis 342 375 9.6%
Pension
Pensions will remain aligned with the level for other colleagues.
Annual bonus
The annual bonus maximum in 2025/26 will be 125% of salary for the Chief Executive Officer and 125% for the Chief Financial Officer, with
60%based on the achievement of Adjusted operating profit targets and 40% based on the achievement of strategic targets. These targets are
commercially sensitive and will be disclosed in the next Annual Report.
Awards will also be subject to the Committee’s assessment of the overall financial health of the business.
In addition, to ensure that this bonus opportunity results in shareholder alignment and provides greater retention value, 35% of any bonus payment
will be deferred into nominal cost share options over £50,000 for a period of two years.
The bonus, nominal cost share options and associated dividend equivalents are also subject to malus and clawback provisions.
Long Term Incentive Plan (LTIP)
LTIP awards were granted in June 2024, and no further awards were made under the LTIP scheme for the year ended 30 September 2025, with the
next round of LTIP awards expected to be made in December 2025/January 2026 during the financial year ending 30 September 2026, which will
be for performance period 1 October 2025 to 30 September 2028.
Non-Executive Directors’ fees
In line with the current policy, Non-Executive Director fees are reviewed annually. The last increase to Non-Executive Director fees was applied on
1June 2022. During the financial year ended 30 September 2025, a review was carried out of Non-Executive Directors’ fees and the decision was
taken to increase them by 5%, effective 1 October 2024. Fees will be reviewed again in the financial year ending 30 September 2026:
FY26 FY25
Chair fee (excluding travel allowance of £8,200) £166,280 £162,225
Non-Executive Director base fee (excluding travel allowance of £4,750) £54,000 £54,000
Supplemental fees for additional responsibilities:
SID £10,000 £10,000
Audit Committee Chair £11,000 £11,000
Remuneration Committee Chair £11,000 £11,000
Cyber Security Committee Chair £8,000 £8,000
Designated NED for workforce engagement £11,000 £11,000
Remuneration Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202592

Statement of shareholder voting
The following votes were received from the shareholders in respect of the Directors’ Remuneration Report and in respect of the Remuneration Policy:
Remuneration Report
(2025 AGM)
Remuneration Policy
(2025 AGM)
Total number of votes % of votes cast Total number of votes % of votes cast
For
1
165,819,347 80.33 219,536,691 89.61
Against 40,605,441 19.67 25,454,793 10.39
Total votes cast (for and against excluding
withheldvotes)
206,424,788 244,991,484
Votes withheld
2
43,886,409 5,319,714
Total votes cast (including withheld votes) 250,311,197 250,311,198
1 Includes Chair’s discretionary votes.
2 A vote withheld is not a vote in law and is not counted in the calculation of the proportion of votes cast “for” and “against” a resolution.
Approved by the Board and signed on its behalf:
Jennifer Duvalier
Chair, Remuneration Committee
11 December 2025
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 93

The Directors present their report and the audited Group and Company
Financial Statements of NCC Group plc (the “Company”) and its
subsidiaries (together, the “Group”) for the financial year ended
30September 2025.
Principal activities
The Company is a public limited company incorporated in England,
registered number 4627044, with its registered office at XYZ Building,
2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ.
The principal activity of the Group is the provision of independent
advice and services to customers through the provision of software
resilience and Cyber Security services. The principal activity of the
Company is that of a holding company.
Going concern
At the time of approving the Financial Statements, the Board of Directors
is required to formally assess that the business has adequate resources
to continue in operational existence and as such can continue to adopt
the “going concern” basis of accounting.
To support this assessment, the Board is required to consider the
Group’s current financial position, its strategy, the market outlook, and
its principal risks. The Group’s business activities, together with the
factors likely to affect its future development, performance and position,
are set out in the Business Review and Financial Review. The Group’s
financial position, cash and borrowing facilities are also described
within these sections.
The Financial Statements have been prepared on a going concern basis
which the Directors consider to be appropriate for the following reasons.
The Directors have prepared cash flow and covenant compliance
forecasts for 12 months from the date of approval of the Financial
Statements which indicate that, taking account of severe but plausible
downsides on the operations of the Group and its financial resources,
the Group will have sufficient funds to meet its liabilities as they fall due
for that period.
The going concern period is required to cover a period of at least
12months from the date of approval of the Financial Statements and
the Directors still consider this 12 month period to be an appropriate
assessment period due to the Group’s financial position and trading
performance and that its current borrowing facilities do not expire until
April 2029 (following the Group successfully refinancing in April 2025
– see below and Note 22). The Directors have considered whether
there are any significant events beyond the 12 month period which
would suggest this period should be longer but have not identified
anysuch conditions or events.
In April 2025, the Group refinanced its borrowing arrangements by
entering into a new four year £120m multi-currency revolving credit
facility (RCF), with an uncommitted £50m accordion option. This new
unsecured facility replaces the previous £162.5m RCF (which was
inexistence as at 30 September 2024), which was due to expire in
December 2026 and included an uncommitted accordion option of
upto £75m. The uncommitted accordion option has not been included
in the Group’s going concern assessment as it remains subject to lender
approval and is therefore not guaranteed at the date of approval of
these Financial Statements.
As of 30 September 2025, net cash (excluding lease liabilities) was
£13.1m, comprising cash and cash equivalents of £16.4 m, a bank
overdraft of £nil, and a drawn revolving credit facility of £5.2m (excluding
£1.9 m of unamortised borrowing fees). The Group also had £114.8 m
of undrawn committed facilities, excluding an uncommitted accordion
facility of £50.0 m. The Group’s day-to-day working capital requirements
are met through existing cash resources, the revolving credit facility and
receipts from its continuing business activities. The Group is required
tocomply with financial covenants for leverage (net debt to Adjusted
EBITDA)
1
and interest cover (Adjusted EBITDA
1
tointerest charge) that
are tested biannually on 31 March and 30September each year.
As of 30 September 2025, leverage amounted to 0.0x and net
interestcover amounted to 8.1x compared to a maximum of 3.0x and
aminimum of 3.5x respectively. The terms and ratios are specifically
defined in the Group’s banking documents (in line with normal commercial
practice) and are materially similar to amounts noted in these Financial
Statements with the exceptions being net debt which excludes IFRS 16
lease liabilities and Adjusted EBITDA
1
. The Group was in compliance
with the terms of all its facilities during the year, including the financial
covenants on 30 September 2025, and, based on forecasts, expects
toremain in compliance over the going concern period. In addition,
theGroup has not sought or is not planning to seek any waivers to its
financial covenants noted above.
Management has performed base case modelling derived from the
FY26 Board-approved budget and forecasts beyond this budgeted
period, reflecting scenarios both with and without the potential disposal
of its Escode business (incorporating any associated impact on the
Group’s banking facilities and expected net cash position). In addition,
management has prepared forecasts reflecting severe but plausible
downside scenarios, considering the principal risks faced by the Group,
such as the loss of key customers and further reductions in the Group’s
Technical Assurance Services (‘TAS’) Cyber business. These forecasts,
including all scenarios modelled, have been reviewed by the Directors,
support their expectation that the Group will operate within its available
committed banking facilities and meet its liabilities as they fall due
throughout the assessment period. The assumptions underpinning
these forecasts (and severe yet plausible downside scenarios) are set
out in more detail in the Viability Statement on pages 38 and 39.
Having reviewed the current trading performance, forecasts, debt
servicing requirements, total facilities and risks, the Directors are confident
that the Group will have sufficient funds to meet its liabilities as they
falldue for a period of at least 12 months from the date of approval of
Financial Statements. This period is referred to as the going concern
period. Accordingly, the Directors continue to adopt the going concern
basis of accounting in preparing the Group’s Financial Statements for
the year ended 30 September 2025.
Directors’ report
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for
anexplanation of APMs and adjusting items, including a reconciliation to statutory information.
NCC Group plc — Annual report and accounts for the year ended 30 September 202594

Additionally, the Group remains in the early stages of reviewing a
number of strategic options for its Cyber business, however no decision
has been made on which option will be pursued as of 11 December 2025.
Accordingly, no material uncertainties have been identified that would
cast significant doubt on the Group’s ability to continue as a going
concern in relation to this ongoing process.
From a Company perspective, the Company places reliance on other
Group trading entities for financial support. The Company controls
these Group entities and therefore has the ability to direct the financial
activities of the Group. Having reviewed the current trading performance,
forecasts, debt servicing requirements, total facilities and risks, the
Directors are confident that the Company and the Group will have
sufficient funds to continue to meet their liabilities as they fall due for a
period of at least 12 months from the date of approval of these consolidated
Financial Statements, which is determined as the going concern period.
Accordingly, the Directors continue to adopt the going concern basis of
accounting in preparing the Group’s Financial Statements for the year
ended 30 September 2025.
There are no post-Balance Sheet events which the Directors believe
will negatively impact the going concern assessment.
Results and dividends
The Group’s and Company’s audited Financial Statements for the
financial year ended 30 September 2025 are set out on pages 104 to 158.
The Directors propose a final dividend of 3.15p per ordinary share,
which, together with the interim dividend of 1.5p per ordinary share
paid on 1 August 2025, makes a total dividend of 4.65p for the year
ended 30 September 2025.
The final dividend will be paid on 10 April 2026, subject to approval at
the AGM on 3 March 2026, to shareholders on the register at the close
of business on 13 March 2026. The ex-dividend date is 12 March 2026.
Share capital and control
At the AGM held on 28 January 2025, the Directors were granted
authority to allot up to 104,913,324 ordinary shares representing
approximately one-third of the Company’s issued share capital.
Inaddition, the Directors were granted authority to allot a further
104,913,324 ordinary shares, again representing approximately
one-third of the Company’s issued share capital, solely to be used
inconnection with a pre-emptive rights issue.
As at 30 September 2025, the Company’s issued ordinary share capital
comprised 315,006,079 ordinary shares with a nominal value of 1p each.
During the financial year ended 30 September 2025, 481,449 shares
inthe Company were issued further to the exercise of options pursuant
to the Company’s share option schemes.
The holders of ordinary shares are entitled, among other rights, to
receive the Company’s Annual Reports and Accounts, to attend and
speak at general meetings of the Company, to appoint proxies and
toexercise voting rights.
Details of the movements of the called up share capital of the Company
are set out in Note 25 to the Financial Statements and the information
inthis note is incorporated by reference and forms part of this
Directors’Report.
All rights and obligations attaching to the Company’s ordinary shares
are set out in the Company’s Articles of Association (the “Articles”),
copies of which can be obtained from the Companies House website or
by writing to the Company Secretary. Unless otherwise provided in the
Articles, the terms of issue of any shares, any restrictions from time to
time imposed by laws or regulations (for example insider trading laws)
or pursuant to the UK Market Abuse Regulation whereby certain Directors,
officers and colleagues of the Group require the approval of the
Company to deal in ordinary shares of the Company, any shareholder
may transfer any or all of their shares.
The Company is not aware of any agreements between shareholders
that may result in restrictions on the transfer of securities and/or
votingrights.
The Directors may refuse to register a transfer of shares in certificated
form that are not fully paid up or otherwise in accordance with the Articles.
Authority to purchase own shares
At the AGM held on 28 January 2025, shareholders authorised the
Company to make market purchases of up to 31,473,997 ordinary
shares representing approximately 10% of the issued share capital.
Atthe 2026 AGM, shareholders will be asked to give a similar authority.
During the year, the Employee Benefit Trust purchased 4m shares in
connection with the Company’s employee share plans.
Directors
Biographical details of the Company’s current Directors are set out on
pages 62 and 63 together with the names of Directors that have held
office during the year. Subject to law and the Company’s Articles of
Association, the Directors may exercise all of the powers of the Company
and may delegate their power and discretion to Committees.
The Company’s Articles of Association give the Directors power to
appoint and replace Directors. Under the terms of reference of the
Nomination Committee, any appointment to the Board of the Company
must be recommended by the Nomination Committee for approval by
the Board. The Articles of Association also require one-third of the
Directors to retire by rotation each year end and each Director must
offer themselves for re-election at least every three years. However, in
accordance with previous years and in accordance with best practice,
all Directors will submit themselves for re-election at the AGM each
year. During the year, no Director had any material interest in any
contract of significance in the Group’s business.
Offer period
On 16 July 2025, the Company confirmed that it is in the early stages
ofcommencing a review of all strategic options for its Cyber business
(Cyber Review) and that such Cyber Review includes a range of potential
outcomes including potential offers for the entire issued and to be issued
share capital of the Company (Announcement). The Company gave
notice, in accordance with Rule 2.11 of the City Code on Takeovers and
Mergers (Code), that it was in an ‘Offer Period’ pursuant to the Code.
At the time of approval of these Accounts, the Company remains in this
Offer Period.
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 95

Directors’ and Officers’ insurance and indemnities
The Company maintains Directors’ and Officers’ liability insurance,
which provides appropriate cover for any legal action brought against
its Directors (including those who served as Directors or Officers
during 2024/25). This cover was in place throughout the financial
yearended 30 September 2025 and up to the date of this Directors’
Report. The Directors of the Company have also entered into individual
deedsof indemnity with the Company which constitute as qualifying
third-party indemnity provisions for the purposes of section 234 of
theCompanies Act 2006.
The deeds were in effect during the course of the financial year ended
30September 2025 for the benefit of the Directors and, at the date
ofthis report, are in force for the benefit of the Directors in relation to
certain losses and liabilities which they may incur (or have incurred)
inconnection with their duties, powers or office.
Colleagues
The Group uses a number of ways to engage with its colleagues on
matters that impact them and the performance of the Group. These
include briefings by members of the Executive Committee, regular team
meetings, the Group’s intranet site, global communications and update
emails which together provide, among other information, an awareness of
the financial and economic factors affecting the Company’s performance.
Further information on how the Directors engage with colleagues along
with how colleague interests are taken into account during decision
making can be found within the Corporate Governance Report on
pages 58 to 70. We also conduct colleague engagement surveys to
ensure all colleagues are given a voice in the organisation.
We offer colleagues the opportunity to purchase ordinary shares in
theCompany through participation in either the Company’s Save As
You Earn (SAYE) scheme or Employee Stock Purchase Plan (ESPP).
Colleagues in the UK also have the opportunity to purchases shares
through a Share Incentive Plan (SIP). All these schemes help to
encourage colleague interest in the performance of the Group.
Business relationships with suppliers, customers
andothers
The Directors have summarised how they have fostered the Company’s
business relationships with suppliers, customers and others on pages 14
and 15. In addition, on page 65 the Directors have included the principal
decisions taken by the Company during the financial year.
Equal opportunities
The Group is committed to providing equality of opportunity to all colleagues
without discrimination and applies fair and equitable employment policies
which seek to promote entry into and progression within the Group.
Appointments are determined solely by application of job criteria,
personal ability, behaviour and competency.
In the opinion of the Directors, all colleague policies are deemed to
beeffective and in accordance with their intended aims.
Disabled persons
Disabled persons have equal opportunities when applying for vacancies,
with due regard to their aptitudes and abilities. Procedures ensure that
disabled colleagues are fairly treated in respect of training and career
development. For those colleagues becoming disabled during the course
of their employment, the Group is supportive so as to provide an opportunity
for them to remain with the Group, wherever reasonably practicable.
Political donations and expenditure
NCC Group believes in the rights of individuals to engage in the
democratic process; however, it is NCC Group’s policy not to make
political donations. There were no political donations made or political
expenditure incurred during the financial year ended 30September2025.
To be clear, it is not the Company’s policy to make political donations,
the Company has not made a political donation in the past, and the
Company has no intention either now or in the future of changing its
policy or making any political donation or incurring any political
expenditure in respect of any political party, political organisation or
independent election candidate. The resolution is put forward to allow
the Company to support the community and put forward its views to
wider business and government entities without running the risk of
being in inadvertent breach of the law.
Sustainability Report
The Company’s Sustainability Report provides an update on the
Group’s policies and activities in respect of its wider stakeholders,
including colleagues; community, environmental, ethical and health
andsafety issues; and modern slavery.
Overseas branches
As at 30 September 2025, the Group had no overseas branches.
Research and development
We are committed to using innovative, cost effective and practical
solutions for providing high quality services and we recognise the
importance of ensuring that we focus our investment on the development
of technology. The Group’s research and development expenditure is
predominantly associated with computer and softwaresystems.
Change of control
In the event of a change of control of the Company, the Group and each
of its lenders shall enter into negotiation for a period to determine how
the Group’s loan facilities may continue and if after negotiation there is
no agreement the lender has the right to cancel the commitment.
There are no agreements between the Company and its Directors or
colleagues providing for compensation for loss of office or employment
(whether through resignation, purported redundancy or otherwise) that
occurs because of a takeover bid.
Disclosure of information to the auditor
The Directors who held office at the date of approval of this Directors’
Report confirm that, so far as they are each aware, there is no relevant
audit information of which the Company’s auditor is unaware; and each
Director has taken all the steps that they ought to have taken as a
Director to make themselves aware of any relevant audit information
and to establish that the Company’s auditor is aware of that information.
Reappointment of auditor
In accordance with section 489 of the Companies Act 2006, a
resolution for the reappointment of PricewaterhouseCoopers LLP (PwC)
as auditor of the Company is to be proposed at the forthcoming AGM.
Directors’ report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202596

AGM
The Notice of the Company’s AGM to be held at 1pm on 3 March 2026 at
XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ,
along with details of the business to be proposed and explanatory notes,
will be available on the Group’s website together with the Annual Report
and Accounts. All shareholders will be notified by post or email, at their
request, when the documents have been made available.
The Board recognises that the AGM provides an important opportunity
to engage with shareholders. Therefore, the Company will ensure that
shareholders can submit any questions in writing prior to the AGM as
outlined in the Notice of AGM.
The result of the poll vote will be made available as soon as possible
after the meeting on our website.
Capitalised interest
During the year, no interest was capitalised by the Group (2024: £nil).
The tax benefit on this amount was £nil (2024: £nil).
Reporting requirements
The following sets out the location of additional information forming
partof the Directors’ Report, which is incorporated by reference into
this report:
Reporting requirement Location
Board’s assessment of the Group’s internal control systems Corporate Governance Report on page 69 and Audit Committee Report
on page 74
Details of uses of financial instruments and specific policies
formanaging financial risk
Note 23 (Financial Instruments) on pages 144 to 147
Directors’ interests Remuneration Committee Report on page 88
Directors’ Responsibilities Statement Directors’ Responsibilities Statement on page 98
Directors’ remuneration including disclosures required by Schedule
5 and Schedule 8 of SI2008/410 – Large and Medium-sized
Companies and Groups (Accounts and Reports) Regulations 2008
Remuneration Committee Report on pages 81 to 93
DTR 4.1.8.R – Management Report – the Directors’ Report
andStrategic Report comprise the Management Report
Directors’ Report on pages 94 to 97 and Strategic Report on pages 1 to 57
Going Concern Statement Directors’ Report on pages 94 and 95 and Going Concern section within
Note 1 on pages 111 and 112
Greenhouse gas emissions and energy consumption TCFD Report on pages 22 to 27
Likely future developments of the business and Group Strategic Report on pages 1 to 57
LR 9.8.4 (4) – Long-term incentive schemes Remuneration Committee Report on pages 81 to 93
LR 9.8.6 (2) – Substantial shareholders Shareholder Engagement section of Corporate Governance Report
onpage 70
Statement on corporate governance Corporate Governance Report, Audit Committee Report, Nomination
Committee Report and Remuneration Committee Report on pages 58
to93. Statement of compliance with the UK Corporate Governance Code
is on page 60
Strategic Report – Companies Act 2006 section 414A–D Strategic Report on pages 1 to 57
The Strategic Report on pages 1 to 57 and this Directors’ Report on pages 94 to 97 have been approved and authorised for issue by the Board.
They were signed on its behalf by:
Mike Maddison Guy Ellis
Chief Executive Officer Chief Financial Officer
11 December 2025 11 December 2025
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 97

Directors’ responsibilities statement
Statement of Directors’ responsibilities in respect
ofthe Financial Statements
The Directors are responsible for preparing the Annual Report and the
Financial Statements in accordance with applicable law and regulation.
Company law requires the Directors to prepare Financial Statements
foreach financial year. Under that law the Directors have prepared the
Group Financial Statements in accordance with UK-adopted International
Accounting Standards and the Company Financial Statements in
accordance with United Kingdom Generally Accepted Accounting
Practice (United Kingdom Accounting Standards, comprising FRS 101
‘Reduced Disclosure Framework’, and applicable law).
Under company law, Directors must not approve the Financial
Statements unless they are satisfied that they give a true and fair view
of the state of affairs of the Group and Company and of the profit or
loss of the Group for that period. In preparing the Financial Statements,
the Directors are required to:
•
Select suitable accounting policies and then apply them consistently
•
State whether applicable UK-adopted International Accounting
Standards have been followed for the Group Financial Statements
andUnited Kingdom Accounting Standards, comprising FRS 101,
have been followed for the Company Financial Statements, subject
toany material departures disclosed and explained in the
FinancialStatements
•
Make judgements and accounting estimates that are reasonable
andprudent
•
Prepare the Financial Statements on the going concern basis unless
itis inappropriate to presume that the Group and Company will
continue in business
The Directors are responsible for safeguarding the assets of the Group
and Company and hence for taking reasonable steps for the prevention
and detection of fraud and other irregularities.
The Directors are also responsible for keeping adequate accounting
records that are sufficient to show and explain the Group’s and Company’s
transactions and disclose with reasonable accuracy at any time the
financial position of the Group and Company and enable them to
ensure that the Financial Statements and the Directors’ Remuneration
Report comply with the Companies Act 2006.
The Directors are responsible for the maintenance and integrity of the
Company’s website. Legislation in the United Kingdom governing the
preparation and dissemination of financial statements may differ from
legislation in other jurisdictions.
Directors’ confirmations
The Directors consider that the Annual Report and Accounts, taken
asawhole, is fair, balanced and understandable and provides the
information necessary for shareholders to assess the Group’s and
Company’s position and performance, business model and strategy.
Each of the Directors, whose names and functions are listed in the
Board ofDirectors section of this report, confirms that, to the best of
their knowledge:
•
The Group Financial Statements, which have been prepared in
accordance with UK-adopted International Accounting Standards,
give a true and fair view of the assets, liabilities, financial position
andprofit of the Group
•
The Company Financial Statements, which have been prepared in
accordance with United Kingdom Accounting Standards, comprising
FRS 101, give a true and fair view of the assets, liabilities and
financial position of the Company
•
The Strategic Report includes a fair review of the development
andperformance of the business and the position of the Group
andCompany, together with a description of the principal risks
anduncertainties that they face
In the case of each Director in office at the date the Directors’ Report
isapproved:
•
So far as the Director is aware, there is no relevant audit information
of which the Group’s and Company’s auditor is unaware
•
They have taken all the steps that they ought to have taken as a
Director in order to make themselves aware of any relevant audit
information and to establish that the Group’s and Company’s auditor
is aware of that information
For and on behalf of the Board
Mike Maddison Guy Ellis
Chief Executive Officer Chief Financial Officer
11 December 2025 11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 202598

Independent auditors’ report
to the members of NCC Group plc
Report on the audit of the
financialstatements
Opinion
In our opinion:
•
NCC Group plc’s group financial statements and company financial
statements (the “financial statements”) give a true and fair view of
the state of the group’s and of the company’s affairs as at
30 September 2025 and of the group’s profit and the group’s cash
flows for the year then ended;
•
the group financial statements have been properly prepared in
accordance with UK-adopted international accounting standards as
applied in accordance with the provisions of the Companies Act
2006;
•
the company financial statements have been properly prepared in
accordance with United Kingdom Generally Accepted Accounting
Practice (United Kingdom Accounting Standards, including FRS 101
“Reduced Disclosure Framework”, and applicable law); and
•
the financial statements have been prepared in accordance with the
requirements of the Companies Act 2006.
We have audited the financial statements, included within the Annual
report and accounts (the “Annual Report”), which comprise: the
Consolidated and Company balance sheets as at 30September2025;
the Consolidated income statement, the Consolidated statement of
comprehensive income, the Consolidated cash flow statement and the
Consolidated and Company statements of changes in equity for the year
then ended; and the notes to the financial statements, comprising
material accounting policy information and other explanatory information.
Our opinion is consistent with our reporting to the Audit Committee.
Basis for opinion
We conducted our audit in accordance with International Standards on
Auditing (UK) (“ISAs (UK)”) and applicable law. Our responsibilities
under ISAs (UK) are further described in the Auditors’ responsibilities
for the audit of the financial statements section of our report. We
believe that the audit evidence we have obtained is sufficient and
appropriate to provide a basis for our opinion.
Independence
We remained independent of the group in accordance with the ethical
requirements that are relevant to our audit of the financial statements in
the UK, which includes the FRC’s Ethical Standard, as applicable to
listed public interest entities, and we have fulfilled our other ethical
responsibilities in accordance with these requirements.
To the best of our knowledge and belief, we declare that non-audit
services prohibited by the FRC’s Ethical Standard were not provided.
Other than those disclosed in Audit Committee report, we have
provided no non-audit services to the company or its controlled
undertakings in the period under audit.
Our audit approach
Overview
Audit scope
•
The group is organised into 52 management reporting units. The
group financial statements are a consolidation of these reporting
units and its centralised consolidation adjustments.
•
Of the 52 reporting units, we identified one reporting unit which, in
our view, required an audit of its complete financial information. We
also identified further seven management reporting units that
required specific audit procedures to be performed over selected
financial statement line items. We also performed audit procedures
over the consolidation adjustments.
•
The entities where we conducted audit work, together with audit
work performed at the consolidated level, accounted for
approximately 87% (2024: 91%) of the group’s total revenue.
•
For the remaining 44 management reporting units which were not
subject to further audit procedures, we performed analytical
procedures over 10 of these reporting units to respond to any
potential risks of material misstatement in the group financial
statements. The remaining 34 reporting units were considered to be
inconsequential for the group’s financial statements.
•
Included within above are the management reporting units relating to
the group’s Escode business, which has been reclassified as held for
sale and presented as a discontinued operation. Our audit scope
included performing specific audit procedures relating to the
presentation of the Escode business, including Escode specific
consolidation adjustments.
Key audit matters
•
Recoverability of goodwill in UK and APAC Cyber Security cash
generating unit (group)
•
Recoverability of Investments in subsidiary undertakings (parent)
Materiality
•
Overall group materiality: £3,000,000 (2024: 3,200,000) based on
1% of total revenue (including discontinued operations).
•
Overall company materiality: £3,200,000 (2024: £3,400,000) based
on 1% of total assets.
•
Performance materiality: £2,250,000 (2024: 2,400,000) (group) and
2,400,0000 (2024: 2,500,000) (company).
The scope of our audit
As part of designing our audit, we determined materiality and assessed
the risks of material misstatement in the financial statements.
Key audit matters
Key audit matters are those matters that, in the auditors’ professional
judgement, were of most significance in the audit of the financial
statements of the current period and include the most significant
assessed risks of material misstatement (whether or not due to fraud)
identified by the auditors, including those which had the greatest effect
on: the overall audit strategy; the allocation of resources in the audit;
and directing the efforts of the engagement team. These matters, and
any comments we make on the results of our procedures thereon, were
addressed in the context of our audit of the financial statements as a
whole, and in forming our opinion thereon, and we do not provide a
separate opinion on these matters.
This is not a complete list of all risks identified by our audit.
Recoverability of goodwill in UK and APAC Cyber Security cash
generating unit is a new key audit matter this year. Recoverability of
goodwill in North America Cyber Security cash generating unit, which
was a key audit matter last year, is no longer included because of the
goodwill relating to the cash generating unit was fully impaired in the
previous year. Otherwise, the key audit matters below are consistent
with last year.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 99

Independent auditors’ report continued
to the members of NCC Group plc
Report on the audit of the financialstatements continued
Our audit approach continued
Key audit matters continued
Key audit matter How our audit addressed the key audit matter
Recoverability of goodwill in UK and APAC Cyber
Security cash generating unit (group)
Refer to notes 2 and 11 in the group financial statements. The carrying
value of goodwill at 30 September 2025 is £46.3m (2024: £156.5m).
Goodwill of £44.3 million (2024: £44.3 million) is allocated to the UK
andAPAC Cyber Security CGU.
The group’s CGUs are assessed for impairment annually or more
frequently if indicators of impairment have been identified. The
performance of these impairment reviews require determining the
recoverable amounts of the CGUs and comparing these calculations
against the carrying values of the groups CGUs.
The fair value less cost to sell (“FVLCS”) model utilised to determine the
recoverable amount of the UK and APAC Cyber Security CGU required
management judgement around determining reasonable market multiples
and sustainable earnings assumptions. Given the judgement associated
with determining these assumptions, we considered the recoverability
ofgoodwill in the UK and APAC Cyber Security CGU to be of most
significance in our audit of the financial statements and therefore we
haveincluded this as a key audit matter.
In assessing the appropriateness of management’s impairment
assessment for the UK and APAC Cyber Security CGU, we have
performed the following procedures:
We obtained management’s impairment model and compared the
actual results with previous forecasts to assess the historical accuracy
of management forecasts.
We held discussions and challenged management on the sustainable
earnings, in particular focusing on short-term revenue forecasts,
andagreed these assumptions to audit evidence.
We compared key assumptions around revenue growth rates to
external market research on industry market growth rates to identify
any inconsistencies.
We assessed management’s assumptions for operating margins by
comparing to historical data.
We considered management bias throughout the assumptions used
and considered any contradictory evidence.
We engaged our internal valuations experts to review the FVLCS model
and assess the assumptions for the market multiple by comparing their
assessment against external market data and comparable companies.
We evaluated the competency, independence and objectivity of the
experts engaged by management who supported management in the
determination of the reasonable market multiples.
We assessed the mathematical accuracy of the impairment assessment
and board approved forecasts.
We evaluated the appropriateness of disclosures included in the
financial statements.
As a result of these procedures, we were satisfied the recoverable
amount of the CGU exceeded the carrying amount.
Recoverability of Investments in subsidiary
undertakings(parent)
Refer to note 30 in the Company financial statements. The Company
financial statements have investment in subsidiaries of £293.2 million
(2024: £291.1 million).
The investment is held in NCC Group Holdings Limited which subsequently
holds an investment in other subsidiary undertakings in the group. An
assessment is performed annually to identify whether there are internal or
external factors that indicate the investment in subsidiary undertakings may be
impaired. If indicators of impairment are identified, the Company would proceed
to evaluate the recoverable amount of its investment in subsidiary undertakings.
No indicators of impairment were noted by management from their assessment.
Given the magnitude of this balance, and the management judgement
involved in determining whether any indicators for impairment exist, we have
considered the risk of impairment of these assets as a key audit matter.
In assessing the appropriateness of the investment valuation of NCC
Group Holdings Limited, we performed the following procedures:
We obtained a schedule of investments in subsidiary undertakings
andensured this is reconciled to the financial statements.
We reviewed the assessment of the indicators of impairment and
compared this assessment to external market factors, the results of
thegroup’s annual goodwill impairment review and the ongoing Cyber
and Escode strategic reviews.
We compared the carrying value of the investment to the group’s
market capitalisation at the reporting date.
We reviewed the disclosures included within note 30 of the financial
statements and consider these to be appropriate.
As a result of these procedures, we were satisfied with the conclusion
that no indicators of impairment were identified.
How we tailored the audit scope
We tailored the scope of our audit to ensure that we performed enough
work to be able to give an opinion on the financial statements as a whole,
taking into account the structure of the group and the company, the
accounting processes and controls, and the industry in which they operate.
The group is split into two main reporting segments being Cyber Security
and Escode. These reportable segments are organised into 52
management reporting units in a range of different geographies which
are structured mainly across Europe and North America. Certain
functions relevant for financial reporting are managed by the group’s
head office. The financial statements are a consolidation of the group’s
management reporting units and its centralised consolidation entries.
As the group is headquartered and its principal finance offices are in
Manchester, United Kingdom, the group engagement team is also
based in Manchester. All audit work was completed by the group
engagement team.
The management reporting units vary in size. We identified one reporting
unit (NCC Group Security Services Limited) that required an audit of its
complete financial information due to its size. We also identified a further
seven management reporting units that required specific audit procedures
to be performed over selected financial statement line items which included
Fox-IT Holding B.V, NCC Group Security Services Inc, NCC Group
Corporate Limited, NCC Group plc, NCC Services Limited, NCC Group
(Solutions) Limited, and NCC Group Software Resilience (NA) LLC.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025100

Report on the audit of the
financialstatements continued
Our audit approach continued
How we tailored the audit scope continued
We also performed audit procedures over the consolidation adjustments.
The entities where we conducted audit work accounted for approximately
87% (2024: 91%) of the group’s revenue.
For the remaining 44 management reporting units which were not subject to
further audit procedures, we performed analytical procedures over 10 of
these reporting units to respond to any potential risks of material misstatement
in the group financial statements. The remaining 34 reporting units were
considered to be inconsequential for the group’s financial statements.
Included within above are the management reporting units relating to the
group’s Escode business, which has been reclassified as held for sale and
presented as a discontinued operation. Our audit scope included
performing specific audit procedures relating to the presentation of the
Escode business, including Escode specific consolidation adjustments.
The parent company is comprised of one reporting unit which was subject
to a full scope audit for the purposes of the company financial statements.
The impact of climate risk on our audit
We made enquiries of management to understand the process they have
adopted to assess the extent of the potential impact of climate risk on the
group’s financial statements. The key areas of the financial statements
where management evaluated that climate risk has a potential impact are
set out in note 1 to the financial statements. The directors have reached
the overall conclusion that there has been no material impact on the
financial statements for the current period from the potential impact of
climate change.
We used our knowledge of the group to challenge management’s
assessment. We particularly considered how climate risk would impact
theassumptions made in the forecasts prepared by management used
intheir goodwill impairment analysis, going concern and viability. We also
considered the consistency of the disclosures in relation to climate change
(including the disclosures in the Non-Financial and Sustainability
Information Statement) within the Annual Report with the financial
statements and our knowledge obtained from our audit.
Our procedures did not identify any material impact in the context of our
audit of the financial statements as a whole, or on our key audit matters for
the year ended 30 September 2025.
Materiality
The scope of our audit was influenced by our application of materiality.
Weset certain quantitative thresholds for materiality. These, together with
qualitative considerations, helped us to determine the scope of our audit
and the nature, timing and extent of our audit procedures on the individual
financial statement line items and disclosures and in evaluating the effect of
misstatements, both individually and in aggregate on the financial
statements as a whole.
Based on our professional judgement, we determined materiality for the financial statements as a whole as follows:
Financial statements – group Financial statements – company
Overall materiality £3,000,000 (2024: 3,200,000). £3,200,000 (2024: £3,400,000).
How we determined it 1% of total revenue (including discontinued operations) 1% of total assets
Rationale for
benchmark applied
We considered materiality in a number of different ways and used our professional
judgement having applied ‘rule of thumb’ percentages to a numberof potential
benchmarks. On the basis of this, we concluded that 1%oftotal revenue (including
discontinued operations) is an appropriate levelof materiality considering the
overall scale of the business.
The company does not trade and
therefore total assets is considered to be
the most appropriate benchmark.
For each component in the scope of our group audit, we allocated a
materiality that is less than our overall group materiality. The range of
materiality allocated across components was between £879,000 and
£2,325,000. Certain components were audited to a local statutory audit
materiality that was also less than our overall group materiality.
We use performance materiality to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected
misstatements exceeds overall materiality. Specifically, we use performance
materiality in determining the scope of our audit and the nature and extent
of our testing of account balances, classes of transactions and disclosures,
for example in determining sample sizes. Our performance materiality was
75% (2024: 75%) of overall materiality, amounting to £2,250,000 (2024:
2,400,000) for the group financial statements and 2,400,0000 (2024:
2,500,000) for the company financial statements.
In determining the performance materiality, we considered a number of
factors - the history of misstatements, risk assessment and aggregation risk
and the effectiveness of controls - and concluded that an amount in the
middle of our normal range was appropriate.
We agreed with the Audit Committee that we would report to them
misstatements identified during our audit above £150,000 (group audit)
(2024: £160,000) and £160,000 (company audit) (2024: £170,000) as well
as misstatements below those amounts that, in our view, warranted
reporting for qualitative reasons.
Conclusions relating to going concern
Our evaluation of the directors’ assessment of the group’s and the
company’s ability to continue to adopt the going concern basis of
accounting included:
•
We obtained directors’ latest going concern assessment, which included
reasonably possible scenarios for a) the potential sale of the Escode
business is completed within the going concern period; and b) the sale of
the Escode business is not completed within the going concern period.
•
We tested the mathematical integrity of the directors’ going concern
forecast models.
•
We evaluated and assessed the directors’ key assumptions, including
assumptions relating to revenue and operating margins, in the going
concern assessment over the period to the end of December 2026, which
included consideration of the severe but plausible downside scenarios.
•
We evaluated and challenged management on the impact of the potential
sale of the Escode business to the group’s going concern assessment,
which included evaluating the impact of the sale to the group’s net debt
position and committed financing facilities.
•
We evaluated the appropriateness of the severe but plausible downside
scenarios which took into account the principal risks faced by the group,
including the loss of key customers and further reductions in the group’s
Technical Assurance Services (TAS) business.
•
We obtained the terms of the group’s revolving credit facility and the
covenants in place in relation to this facility and determined that the
directors’ forecasts in reasonably possible scenarios identified by
management demonstrated compliance with all covenant conditions for at
least 12 months from the date of the approval of the financial statements.
•
We agreed the opening net debt position within the forecast to bank
statements and revolving credit facility statements.
•
We reviewed the disclosures made in respect of going concern included
in the financial statements.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 101

Independent auditors’ report continued
to the members of NCC Group plc
Report on the audit of the
financialstatements continued
Conclusions relating to going concern continued
Based on the work we have performed, we have not identified any
material uncertainties relating to events or conditions that, individually or
collectively, may cast significant doubt on the group’s and the company’s
ability to continue as a going concern for a period of at least twelve
months from when the financial statements are authorised for issue.
In auditing the financial statements, we have concluded that the
directors’ use of the going concern basis of accounting in the
preparation of the financial statements is appropriate.
However, because not all future events or conditions can be predicted,
this conclusion is not a guarantee as to the group’s and the company’s
ability to continue as a going concern.
In relation to the directors’ reporting on how they have applied the UK
Corporate Governance Code, we have nothing material to add or draw
attention to in relation to the directors’ statement in the financial
statements about whether the directors considered it appropriate to
adopt the going concern basis of accounting.
Our responsibilities and the responsibilities of the directors with respect
to going concern are described in the relevant sections of this report.
Reporting on other information
The other information comprises all of the information in the Annual Report
other than the financial statements and our auditors’ report thereon. The
directors are responsible for the other information. Our opinion on the
financial statements does not cover the other information and, accordingly,
we do not express an audit opinion or, except to the extent otherwise
explicitly stated in this report, any form of assurance thereon.
In connection with our audit of the financial statements, our responsibility
is to read the other information and, in doing so, consider whether the
other information is materially inconsistent with the financial statements
or our knowledge obtained in the audit, or otherwise appears to be
materially misstated. If we identify an apparent material inconsistency
ormaterial misstatement, we are required to perform procedures to
conclude whether there is a material misstatement of the financial
statements or a material misstatement of the other information. If, based
on the work we have performed, we conclude that there is a material
misstatement of this other information, we are required to report that fact.
We have nothing to report based on these responsibilities.
With respect to the Strategic report and Directors’ report, we also
considered whether the disclosures required by the UK Companies Act
2006 have been included.
Based on our work undertaken in the course of the audit, the
Companies Act 2006 requires us also to report certain opinions and
matters as described below.
Strategic report and Directors’ report
In our opinion, based on the work undertaken in the course of the audit,
the information given in the Strategic report and Directors’ report for the
year ended 30 September 2025 is consistent with the financial statements
and has been prepared in accordance with applicable legal requirements.
In light of the knowledge and understanding of the group and company
and their environment obtained in the course of the audit, we did not
identify any material misstatements in the Strategic report and
Directors’ report.
Annual Report on Remuneration
In our opinion, the part of the Annual Report on Remuneration to be audited
has been properly prepared in accordance with the Companies Act 2006.
Corporate governance statement
The Listing Rules require us to review the directors’ statements in
relation to going concern, longer-term viability and that part of the
corporate governance statement relating to the company’s compliance
with the provisions of the UK Corporate Governance Code specified for
our review. Our additional responsibilities with respect to the corporate
governance statement as other information are described in the
Reporting on other information section of this report.
Based on the work undertaken as part of our audit, we have concluded
that each of the following elements of the corporate governance
statement, included within the Governance section of the Annual
Report is materially consistent with the financial statements and our
knowledge obtained during the audit, and we have nothing material to
add or draw attention to in relation to:
•
The directors’ confirmation that they have carried out a robust
assessment of the emerging and principal risks;
•
The disclosures in the Annual Report that describe those principal
risks, what procedures are in place to identify emerging risks and an
explanation of how these are being managed or mitigated;
•
The directors’ statement in the financial statements about whether
they considered it appropriate to adopt the going concern basis of
accounting in preparing them, and their identification of any material
uncertainties to the group’s and company’s ability to continue to do
so over a period of at least twelve months from the date of approval
of the financial statements;
•
The directors’ explanation as to their assessment of the group’s and
company’s prospects, the period this assessment covers and why
the period is appropriate; and
•
The directors’ statement as to whether they have a reasonable
expectation that the company will be able to continue in operation
and meet its liabilities as they fall due over the period of its
assessment, including any related disclosures drawing attention
toany necessary qualifications or assumptions.
Our review of the directors’ statement regarding the longer-term
viability of the group and company was substantially less in scope than
an audit and only consisted of making inquiries and considering the
directors’ process supporting their statement; checking that the
statement is in alignment with the relevant provisions of the UK
Corporate Governance Code; and considering whether the statement
is consistent with the financial statements and our knowledge and
understanding of the group and company and their environment
obtained in the course of the audit.
In addition, based on the work undertaken as part of our audit, we have
concluded that each of the following elements of the corporate
governance statement is materially consistent with the financial
statements and our knowledge obtained during the audit:
•
The directors’ statement that they consider the Annual Report, taken
as a whole, is fair, balanced and understandable, and provides the
information necessary for the members to assess the group’s and
company’s position, performance, business model and strategy;
•
The section of the Annual Report that describes the review of
effectiveness of risk management and internal control systems; and
•
The section of the Annual Report describing the work of the
AuditCommittee.
We have nothing to report in respect of our responsibility to report
when the directors’ statement relating to the company’s compliance
with the Code does not properly disclose a departure from a relevant
provision of the Code specified under the Listing Rules for review by
theauditors.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025102

Report on the audit of the
financialstatements continued
Responsibilities for the financial statements and the audit
Responsibilities of the directors for the financial statements
As explained more fully in the Directors’ responsibilities statement, the
directors are responsible for the preparation of the financial statements
in accordance with the applicable framework and for being satisfied
that they give a true and fair view. The directors are also responsible for
such internal control as they determine is necessary to enable the
preparation of financial statements that are free from material
misstatement, whether due to fraud or error.
In preparing the financial statements, the directors are responsible for
assessing the group’s and the company’s ability to continue as a going
concern, disclosing, as applicable, matters related to going concern
and using the going concern basis of accounting unless the directors
either intend to liquidate the group or the company or to cease
operations, or have no realistic alternative but to do so.
Auditors’ responsibilities for the audit of the financial statements
Our objectives are to obtain reasonable assurance about whether the
financial statements as a whole are free from material misstatement,
whether due to fraud or error, and to issue an auditors’ report that
includes our opinion. Reasonable assurance is a high level of
assurance, but is not a guarantee that an audit conducted in
accordance with ISAs (UK) will always detect a material misstatement
when it exists. Misstatements can arise from fraud or error and are
considered material if, individually or in the aggregate, they could
reasonably be expected to influence the economic decisions of users
taken on the basis of these financial statements.
Irregularities, including fraud, are instances of non-compliance with laws
and regulations. We design procedures in line with our responsibilities,
outlined above, to detect material misstatements in respect of
irregularities, including fraud. The extent to which our procedures are
capable of detecting irregularities, including fraud, is detailed below.
Based on our understanding of the group and industry, we identified that
the principal risks of non-compliance with laws and regulations related to
employment laws in the countries where the group has more significant
operations and data protection laws and regulations, and we considered
the extent to which non-compliance might have a material effect on the
financial statements. We also considered those laws and regulations
thathave a direct impact on the financial statements such as local and
international tax laws and the Companies Act 2006. We evaluated
management’s incentives and opportunities for fraudulent manipulation
of the financial statements (including the risk of override of controls),
anddetermined that the principal risks were related to posting
inappropriate journal entries to overstate financial performance and
revenue recognition and management bias within accounting estimates.
Audit procedures performed by the engagement team included:
•
discussions with management, the Audit Committee and internal
audit, including consideration of known or suspected instances of
non-compliance with laws and regulations and fraud;
•
reviewing minutes of meetings of those charged with governance;
•
auditing the tax computations to evaluate compliance with tax legislation;
•
identifying and testing journal entries, in particular any journal
entriesposted with unusual account combinations impacting
revenuerecognition;
•
challenging assumptions and judgements made by management in
their critical accounting estimates and presentation of individually
significant items; and
•
reviewing financial statement disclosures and testing to supporting
documentation where appropriate to assess compliance with
applicable laws and regulations.
There are inherent limitations in the audit procedures described above.
We are less likely to become aware of instances of non-compliance
withlaws and regulations that are not closely related to events and
transactions reflected in the financial statements. Also, the risk of not
detecting a material misstatement due to fraud is higher than the risk of
not detecting one resulting from error, as fraud may involve deliberate
concealment by, for example, forgery or intentional misrepresentations,
or through collusion.
Our audit testing might include testing complete populations of certain
transactions and balances, possibly using data auditing techniques.
However, it typically involves selecting a limited number of items for testing,
rather than testing complete populations. We will often seek to target
particular items for testing based on their size or risk characteristics. In
other cases, we will use audit sampling to enable us to draw a conclusion
about the population from which the sample is selected.
A further description of our responsibilities for the audit of the financial
statements is located on the FRC’s website at: www.frc.org.uk/
auditorsresponsibilities. This description forms part of our auditors’ report.
Use of this report
This report, including the opinions, has been prepared for and only for
the company’s members as a body in accordance with Chapter 3 of
Part 16 of the Companies Act 2006 and for no other purpose. We do
not, in giving these opinions, accept or assume responsibility for any
other purpose or to any other person to whom this report is shown or
into whose hands it may come save where expressly agreed by our
prior consent in writing.
Other required reporting
Companies Act 2006 exception reporting
Under the Companies Act 2006 we are required to report to you if, in
our opinion:
•
we have not obtained all the information and explanations we require
for our audit; or
•
adequate accounting records have not been kept by the company, or
returns adequate for our audit have not been received from branches
not visited by us; or
•
certain disclosures of directors’ remuneration specified by law are
not made; or
•
the company financial statements and the part of the Annual Report
on Remuneration to be audited are not in agreement with the
accounting records and returns.
We have no exceptions to report arising from this responsibility.
Appointment
Following the recommendation of the Audit Committee, we were
appointed by the directors on 7 March 2024 to audit the financial
statements for the 16-month period ended 30 September 2024 and
subsequent financial periods. The period of total uninterrupted
engagement is two periods, covering the period ended 30 September
2024 and the year ended 30 September 2025.
Other matter
The company is required by the Financial Conduct Authority Disclosure
Guidance and Transparency Rules to include these financial statements
in an annual financial report prepared under the structured digital format
required by DTR 4.1.15R - 4.1.18R and filed on the National Storage
Mechanism of the Financial Conduct Authority. This auditors’ report
provides no assurance over whether the structured digital format annual
financial report has been prepared in accordance with those requirements.
Hazel Macnamara (Senior Statutory Auditor)
for and on behalf of PricewaterhouseCoopers LLP
Chartered Accountants and Statutory Auditors
Manchester
11 December 2025
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 103

Consolidated income statement
for the year ended 30 September 2025
Continuing operations
Note
Revenue
3
238. 9
3 4 2 .1
Cost of sales
3
(150 .5)
(2 2 4 .1)
Gross profit
3
88.4
11 8 . 0
Individually Significant Items
4
(9. 5)
(41 . 4)
Depreciation and amortisation
5
(14 . 0)
(21.6)
Other administrative expenses
3
(82 . 4)
(11 2 . 4)
Total administrative expenses
(10 5 . 9)
(17 5 . 4)
Profit on disposal of Fox Crypto
4
11 . 4
—
Operating loss
3
(6 .1)
(5 7. 4)
Finance costs
7
(4 . 9)
(8. 2)
Loss before taxation
5
(11 . 0)
(65 .6)
Taxation
8
1. 9
(1. 6)
Loss from continuing operations
(9 .1)
(6 7. 2)
Profit from discontinued operations
16
26.2
3 4 .7
Profit/(loss) for the year/period attributable to owners of the Company
17. 1
(32 . 5)
Loss per ordinary share from continuing operations
10
Basic EPS
(3 . 0p)
(21. 6p)
Diluted EPS
(3. 0p)
(2 1. 6p)
* Comparatives have been restated to present Escode as a discontinued operation. See Note 16 for further details.
Consolidated statement of comprehensive income
for the year ended 30 September 2025
Profit/(loss) for the year/period attributable to the owners of the Company
1 7.1
(3 2. 5)
Reclassification of currency translation reserve on disposal of foreign operations
(7. 9)
—
Foreign exchange translation differences from continuing operations
4.9
(2 . 8)
Exchange differences on translation of discontinued operations (Note 16)
(0 .1)
(10 . 2)
Total other comprehensive loss
(3 .1)
(1 3 . 0)
Total comprehensive income/(loss) for the year/period (net of tax) attributable to the owners of
theCompany
14 . 0
(45.5)
Continuing operations
(12 .1)
(70 .0)
Discontinued operations
2 6 .1
24. 5
14 . 0
(45.5)
* Comparatives have been restated to present Escode as a discontinued operation. See Note 16 for further details.
The accompanying Notes 1 to 32 are an integral part of these Consolidated Financial Statements.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025104

Consolidated balance sheet
at 30 September 2025
Goodwill
11
46.3
15 6 . 5
Intangible assets
11
3.6
89. 2
Property, plant and equipment
12
10 . 5
11 . 6
Right-of-use assets
13
13 . 8
15 .7
Deferred tax asset
15
1. 0
0.6
Total non-current assets
75 . 2
273. 6
Trade and other receivables
14
31. 8
3 2. 2
Contract assets
21
19 . 4
2 0 .1
Current tax receivable
5.5
2.9
Cash and cash equivalents
22
12 . 5
2 9.8
Derivative financial instruments
23
0.9
—
Assets classified as held for sale
16
198 . 0
61. 5
Total current assets
268. 1
14 6 . 5
Total assets
343.3
4 2 0 .1
Trade and other payables
17
4 3 .1
46. 8
Bank overdraft
22
—
13 . 6
Lease liabilities
18
4 .1
5.7
Current tax payable
0.8
1. 6
Derivative financial instruments
23
—
0. 8
Provisions
19
0.3
1. 4
Contract liabilities – deferred revenue
20
2 5.7
5 0 .7
Liabilities directly associated with assets classified as held for sale
16
39.8
5 .7
Total current liabilities
11 3 . 8
12 6 . 3
Borrowings
22
3.3
6 1. 5
Lease liabilities
18
15 . 4
21. 9
Deferred tax liabilities
15
0.2
0.5
Provisions
19
1. 9
1. 9
Contract liabilities – deferred revenue
20
2.2
2. 8
Total non-current liabilities
23 .0
8 8.6
Total liabilities
13 6 . 8
214 . 9
Net assets
206.5
205.2
Share capital
25
3 .1
3 .1
Share premium
25
2 24 .7
2 24 .4
Merger reserve
25
42 .3
42. 3
Currency translation reserve
25
21. 4
24. 5
Retained earnings
25
(85.0)
(8 9 .1)
Total equity
206.5
205.2
The accompanying Notes 1 to 32 are an integral part of these consolidated Financial Statements.
These Financial Statements were approved and authorised for issue by the Board of Directors on 11 December 2025. They were signed on its
behalf by:
Mike Maddison Guy Ellis
Chief Executive Officer Chief Financial Officer
11 December 2025 11 December 2025
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 105

Consolidated cash flow statement
for the year ended 30 September 2025
Loss for the year/period of continuing operations
(9 .1)
(6 7. 2)
Profit for the year/period from discontinued operations
1
16
26. 2
3 4 .7
Profit/(loss) for year/period including discontinued operations
17. 1
(32 . 5)
Depreciation of property, plant and equipment
12
4.3
5.4
Depreciation of right-of-use assets
13
5.5
8 .1
Amortisation of customer contracts and relationships
11
8 .1
12 . 5
Amortisation of software and development costs
11
2 .1
3.3
Impairment of goodwill
11
—
3 1. 9
Impairment of non-current assets included in ISIs
4
0.3
3.9
Disposals of non-current assets included in administrative costs
12
1. 2
—
Impairment reversal of non-current assets included in administrative costs
5
—
0.9
Impairment reversal of non-current assets included in ISIs
4
(0 . 2)
(0 .8)
Share-based payments
24
2 .1
2.3
Lease financing costs
18
1 .1
1. 7
Other financing costs
7
3.8
6.6
Foreign exchange loss
5
2.7
1. 9
Gain on disposal of derecognised lease liabilities
5
(1 . 9)
—
Profit on disposal of right-of-use-assets
5
—
(0 .1)
Profit on disposal of businesses
31
(11 . 3)
(1 . 6)
Profit on disposal of investment
30
—
(0 .1)
Loss on disposal of fixed assets
—
0 .1
Loss on disposal of intangible assets
11
0.3
—
Income tax expense
8
3.5
5.0
Cash inflow for the year/period before changes in working capital
3 8 .7
4 8.5
(Increase)/decrease in trade and other receivables
(5 . 4)
1. 3
Decrease/(increase) in contract assets
0. 4
(5. 9)
Decrease in inventories
—
0.2
Increase/(decrease) in trade and other payables
10. 3
(11 . 9)
(Decrease)/increase in contract liabilities
(1 .1)
5.5
(Decrease)/increase in provisions
(3.0)
0 .7
Cash generated from operating activities before interest and taxation
39.9
3 8.4
Interest element of lease payments
18
(1 .1)
(1.7)
Other interest paid
(3 . 3)
(6. 0)
Taxation paid
(2 . 0)
(4 . 3)
Net cash generated from operating activities
33.5
26.4
Acquisition of trade and assets as part of business combinations
—
(1. 0)
Purchase of property, plant and equipment
12
(4 .7)
(6 . 2)
Software, development and customer contract expenditure
(0 . 4)
(2 .6)
Sale proceeds of business disposals (net of cash disposed of)
4, 30, 31
6 1. 4
12. 4
Net cash generated from investing activities
56.3
2.6
Proceeds from the issue of ordinary share capital
25
0. 3
0.3
Acquisition of treasury shares
(5 .8)
(5. 8)
Principal element of lease payments
18
(6 .8)
(1 0 . 2)
Drawdown of borrowings (net of deferred issue costs)
2 1 .1
5 7. 8
Issue costs related to borrowings
(0 .3)
—
Repayment of borrowings
(8 0. 3)
(75 . 0)
Equity dividends paid
9
(19 . 0)
(14 . 5)
Net cash used in financing activities
(9 0. 8)
(4 7. 4)
Net decrease in cash and cash equivalents (inc. bank overdraft)
(1. 0)
(1 8 . 4)
Cash and cash equivalents (inc. bank overdraft) at beginning of year/period
16 . 2
32. 3
Effect of foreign currency exchange rate changes
1. 2
2.3
Cash and cash equivalents
2
(inc. bank overdraft) at end of year/period
16, 22
16 . 4
16 . 2
1 See Note 16 for the operation, financing and investing cash flows of discontinued operations.
2 Inclusive of £3.9m of cash and cash equivalents classified as asset held for sale – see Note 16.
The accompanying Notes 1 to 32 are an integral part of these consolidated Financial Statements.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025106

Consolidated statement of changes in equity
for the year ended 30 September 2025
Balance at 1 June 2023
3. 1
224. 1
42.3
37 .5
(28.8)
278 . 2
Loss for the period
—
—
—
—
(3 2. 5)
(3 2. 5)
Foreign currency translation differences
—
—
—
(13 . 0)
—
(13 . 0)
Total comprehensive loss for the period
—
—
—
(13 . 0)
(32. 5)
(4 5.5)
Dividends to equity shareholders
9
—
—
—
—
(24 . 3)
(24 .3)
Share-based payments
24
—
—
—
—
2. 3
2.3
Acquisition of treasury shares
—
—
—
—
(5 . 8)
(5 . 8)
Shares issued
25
—
0.3
—
—
—
0. 3
Total contributions by and distributions to owners
—
0.3
—
—
(2 7. 8)
(2 7. 5)
Balance at 30 September 2024
3 .1
2 24 .4
42. 3
24. 5
(8 9 .1)
205. 2
Profit for the year
—
—
—
—
1 7.1
1 7.1
Reclassification of currency translation reserve on
disposal of foreign operations
31
—
—
—
(7. 9)
—
(7. 9)
Foreign currency translation differences
—
—
—
4.8
—
4.8
Total comprehensive (loss)/income for the year
—
—
—
(3 .1)
1 7.1
14 . 0
Dividends to equity shareholders
9
—
—
—
—
(9. 2)
(9. 2)
Share-based payments
24
—
—
—
—
2 .1
2 .1
Current and deferred tax on share-based payments
—
—
—
—
(0 .1)
(0 .1)
Acquisition of treasury shares
—
—
—
—
(5. 8)
(5 . 8)
Shares issued
25
—
0.3
—
—
—
0.3
Total contributions by and distributions to owners
—
0.3
—
—
(13 . 0)
(12 . 7)
Balance at 30 September 2025
3 .1
2 2 4 .7
42 .3
21. 4
(85.0)
206 .5
The accompanying Notes 1 to 32 are an integral part of these consolidated Financial Statements.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 107

Company balance sheet
at 30 September 2025
Company no: 04627044
Note
30 September
2025
£m
30 September
2024
£m
Non-current assets
Investments in subsidiary undertakings 30 293.2 291.1
Trade and other receivables 14 34.2 43.1
Total non-current assets 327.4 334.2
Current assets
Cash and cash equivalents 22 — 9.8
Total current assets — 9.8
Total assets 327.4 344.0
Current liabilities
Trade and other payables 17 — 9.9
Total current liabilities — 9.9
Total liabilities — 9.9
Net assets 327.4 33 4.1
Equity
Share capital 25 3.1 3.1
Share premium 25 224.7 224.4
Merger reserve 25 42.3 42.3
Retained earnings 25 57.3 64.3
Total equity 327.4 33 4.1
During the year ended 30 September 2025, the Parent Company reported a profit of £0. 1m (2024: £38.7m).
The accompanying Notes 1 to 32 are an integral part of these Financial Statements.
These Financial Statements were approved and authorised for issue by the Board of Directors on 11 December 2025. They were signed on its
behalf by:
Mike Maddison Guy Ellis
Chief Executive Officer Chief Financial Officer
11 December 2025 11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 2025108

Company statement of changes in equity
for the year ended 30 September 2025
Note
Share
capital
£m
Share
premium
£m
Merger
reserve
£m
Retained
earnings
£m
Total
£m
Balance at 1 June 2023 3.1 224.1 42.3 47.6 317.1
Profit for the period — — — 38.7 38.7
Total comprehensive income for the period — — — 38.7 38.7
Transactions with owners recorded directly in equity
Dividends to equity shareholders 9 — — — (24.3) (24.3)
Increase in subsidiary investment for share-based charges — — — 2.3 2.3
Shares issued 25 — 0.3 — — 0.3
Total contributions by and distributions to owners — 0.3 — (22.0) (21.7)
Balance at 30 September 2024 3 .1 224.4 42.3 64.3 33 4.1
Profit for the year — — — 0.1 0.1
Total comprehensive income for the year — — — 0.1 0.1
Transactions with owners recorded directly in equity
Dividends to equity shareholders 9 — — — (9.2) (9.2)
Increase in subsidiary investment for share-based charges — — — 2.1 2.1
Shares issued 25 — 0.3 — — 0.3
Total contributions by and distributions to owners — 0.3 — (7.1) (6.8)
Balance at 30 September 2025 3.1 224.7 42.3 57.3 327.4
The accompanying Notes 1 to 32 are an integral part of these Financial Statements.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 109

Notes to the Financial Statements
for the year ended 30 September 2025
1 Material accounting policies
Basis of preparation
NCC Group plc (the “Company”) is a public company incorporated in the UK, with its registered office at XYZ Building, 2 Hardman Boulevard,
Spinningfields, Manchester M3 3AQ. The Group Financial Statements consolidate those of the Company and its subsidiaries (together referred to
as the “Group”). NCC Group plc is a listed public company, limited by shares, and the Company registration number is 04627044. The principal
activity of the Group is the provision of independent advice and services to customers through the supply of Cyber Security and Escode services.
The Parent Company Financial Statements present information about the Company as a separate entity and not about the Group. These Financial
Statements have been approved for issue by the Board of Directors on 11 December 2025.
The Group Financial Statements have been prepared and approved by the Directors in accordance with UK-adopted International Accounting
Standards (UK-adopted IFRS) and with the requirements of the Companies Act 2006 as applicable to companies reporting under those standards.
The Parent Company Financial Statements have been prepared in accordance with FRS 101 ‘Reduced Disclosure Framework’ (FRS 101), under the
historical cost convention, and in accordance with the Companies Act 2006 and other applicable law. The Company transitioned from UK-adopted
International Financial Reporting Standards to FRS 101 in the prior period. The impact of this transition on the net assets of the Parent Company
was £nil, as disclosed in the prior period Financial Statements.
As permitted by FRS 101, the Parent Company has taken advantage of the disclosure exemptions available under that standard in relation to
standards not yet effective and presentation of a cash flow statement. The accounting policies adopted for the Parent Company are otherwise
consistent with those used for the Group as set out within this note. The Company has also taken advantage of the following disclosure exemptions
under FRS 101:
•
The requirements of paragraphs 91–99 of IFRS 13 ‘Fair Value Measurement’
•
The requirements of IFRS 7 ‘Financial Instruments: Disclosure’
•
The requirements of 45(b) and 46–52 of IFRS 2 ‘Share-based Payment’
•
The requirements in IAS 24 ‘Related Party Disclosures’ to disclose related party transactions entered into between two or more members of a
group, provided that any subsidiary which is a party to the transaction is wholly owned by such a member
On publishing the Parent Company Financial Statements here together with the Group Financial Statements, the Company is also taking advantage
of the exemption in section 408 of the Companies Act 2006 not to present its individual Income Statement and related notes that form a part of
these approved Financial Statements.
The accounting policies set out below have, unless otherwise stated, been applied consistently to all periods presented in these Financial
Statements.
Climate change
The Directors have reviewed the potential impact of climate change and the Task Force on Climate-related Financial Disclosures (TCFD) on the
consolidated Financial Statements. During the year, the Group has reviewed its materiality assessment to identify which environmental, social and
governance issues are most material and significant to the NCC Group business and stakeholders to aid our commitment to achieving net zero by
2050. Our overall exposure to physical and transitional climate change is considered low in the short to medium term due to the nature of the business
and cyber assurance industry. The Group continues to evolve its sustainability agenda with further details on its short, medium, medium to long and
long-term goals contained within the Non-Financial and Sustainability Information Statement on page 18 of the Annual Report.
The Directors have considered climate change in the following areas of the consolidated Financial Statements (including critical accounting
judgements and key sources of estimation uncertainty), noting no material financial impact in each area:
•
Going concern assessment
•
Property, plant and equipment – economic life and residual values
•
Impairment of assets (including right-of-use assets) – the impact of environmental change on growth rates and projected cash flows
•
Provisions – recognition of new liabilities or contingent liabilities arising from climate change and the Group physical and transition risks of:
•
Greenhouse gas emissions – increased costs associated with more taxes and levies
•
Move to net zero – increased costs required to lower emissions
•
Margin risk – impact on delivery day rates and associated erosion of profit margin due to increased costs
•
Reputational risk – failure to comply with regulations resulting in negative impact on the Group
•
Supply chain – increased supply costs and delayed deliveries impacting customer contracts/provision of services
•
Extreme weather or rising sea levels – reduction in revenue and increased costs
•
Fair value measurement – climate change variables being incorporated into market participant valuations
•
Financial instruments – expected credit losses and risk of default on Group borrowings (RCF and term loan)
New and amended accounting standards that have been issued and are effective from 1 January 2025
At the date of authorisation of these Financial Statements, the following new accounting pronouncements have been issued and are effective from
1 January 2025:
•
Amendments to IAS 21 ‘The Effects of Changes in Foreign Exchange Rates’, issued in August 2023 and effective from 1 January 2025
These IFRSs are not expected to have a material impact on the Group’s consolidated or the Company’s financial position or performance.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025110

1 Material accounting policies continued
Other new accounting pronouncements
In addition to the above, the following new accounting pronouncements have also been issued which are not yet effective, but the Group is not
expecting them to have a significant impact on the Group’s consolidated Financial Statements:
•
IFRS 19 ‘Subsidiaries without Public Accountability: Disclosures’, issued in May 2024 and effective from 1 January 2027
•
Amendments to IFRS 9 ‘Financial Instruments’ and IFRS 7 ‘Financial Instruments: Disclosures’, issued in May 2024 and effective from 1 January 2026
•
Annual improvements to the following IFRS Accounting Standards – amendments to: IFRS 1 ‘First-time Adoption of International Financial Reporting
Standards’, IFRS 10 ‘Consolidated Financial Statements’ and IAS 7 ‘Statement of Cash Flows’, issued in July 2024 and effective from 1 January 2026
In addition to the above new standards, the Group also continues to evaluate the potential impact from IFRS 18 ‘Presentation and Disclosure in
Financial Statements’, issued in April 2024 and effective from 1 January 2027.
Basis of measurement
The consolidated Financial Statements have been prepared on the historical cost basis except for the revaluation of certain financial instruments.
Functional and presentation currency
The Group and Company Financial Statements are presented in millions of Pounds Sterling (£m) because that is the currency of the principal
economic environment in which the Group operates.
Items included in the Financial Statements of each of the Group’s entities are measured using the currency of the primary economic environment
in which the entity operates (the “functional currency”).
Going concern
At the time of approving the Financial Statements, the Board of Directors is required to formally assess that the business has adequate resources
to continue in operational existence and as such can continue to adopt the “going concern” basis of accounting.
To support this assessment, the Board is required to consider the Group’s current financial position, its strategy, the market outlook, and its principal
risks. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the
Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections.
The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons.
The Directors have prepared cash flow and covenant compliance forecasts for 12 months from the date of approval of the Financial Statements
which indicate that, taking account of severe but plausible downsides on the operations of the Group and its financial resources, the Group will have
sufficient funds to meet its liabilities as they fall due for that period.
The going concern period is required to cover a period of at least 12 months from the date of approval of the Financial Statements and the Directors
still consider this 12 month period to be an appropriate assessment period due to the Group’s financial position and trading performance and that
its current borrowing facilities do not expire until April 2029 (following the Group successfully refinancing in April 2025 – see below and Note 22).
The Directors have considered whether there are any significant events beyond the 12 month period which would suggest this period should be
longer but have not identified any such conditions or events.
In April 2025, the Group refinanced its borrowing arrangements by entering into a new four year £120m multi-currency revolving credit facility
(RCF), with an uncommitted £50m accordion option. This new unsecured facility replaces the previous £162.5m RCF (which was in existence as at
30 September 2024), which was due to expire in December 2026 and included an uncommitted accordion option of up to £75m. The uncommitted
accordion option has not been included in the Group’s going concern assessment as it remains subject to lender approval and is therefore not
guaranteed at the date of approval of these Financial Statements.
As of 30 September 2025, net cash (excluding lease liabilities) was £13.1m, comprising cash and cash equivalents of £16.4 m, a bank overdraft of £nil, and
a drawn revolving credit facility of £5.2m (excluding £1.9 m of unamortised borrowing fees). The Group also had £114.8 m of undrawn committed facilities,
excluding an uncommitted accordion facility of £50.0 m. The Group’s day-to-day working capital requirements are met through existing cash resources,
the revolving credit facility and receipts from its continuing business activities. The Group is required to comply with financial covenants for leverage (net
debt to Adjusted EBITDA)
1
and interest cover (Adjusted EBITDA
1
to interest charge) that are tested bi-annually on 31 March and 30 September each year.
As of 30 September 2025, leverage amounted to 0.0x and net interest cover amounted to 8.1x compared to a maximum of 3.0x and a minimum
of 3.5x respectively. The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and
are materially similar to amounts noted in these Financial Statements with the exceptions being net debt which excludes IFRS 16 lease liabilities
and Adjusted EBITDA
1
. The Group was in compliance with the terms of all its facilities during the year, including the financial covenants on
30 September 2025, and, based on forecasts, expects to remain in compliance over the going concern period. In addition, the Group has not
sought or is not planning to seek any waivers to its financial covenants noted above.
Management has performed base case modelling derived from the FY26 Board-approved budget and forecasts beyond this budgeted period, reflecting
scenarios both with and without the potential disposal of its Escode business (incorporating any associated impact on the Group’s banking facilities and
expected net cash position). In addition, management has prepared forecasts reflecting severe but plausible downside scenarios, considering the
principal risks faced by the Group, such as the loss of key customers and further reductions in the Group’s Technical Assurance Services (‘TAS’) Cyber
business. These forecasts, including all scenarios modelled, have been reviewed by the Directors, support their expectation that the Group will
operate within its available committed banking facilities and meet its liabilities as they fall due throughout the assessment period. The assumptions
underpinning these forecasts (and severe yet plausible downside scenarios) are set out in more detail in the Viability Statement on pages 38 and 39.
Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that
the Group will have sufficient funds to meet its liabilities as they fall due for a period of at least 12 months from the date of approval of Financial
Statements. This period is referred to as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of
accounting in preparing the Group’s Financial Statements for the year ended 30 September 2025.
Additionally, the Group remains in the early stages of reviewing a number of strategic options for its Cyber business, however no decision has been
made on which option will be pursued as of 11 December 2025. Accordingly, no material uncertainties have been identified that would cast
significant doubt on the Group’s ability to continue as a going concern in relation to this ongoing process.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 111

1 Material accounting policies continued
Going concern continued
From a Company perspective, the Company places reliance on other Group trading entities for financial support. The Company controls these
Group entities and therefore has the ability to direct the financial activities of the Group. Having reviewed the current trading performance,
forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient
funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial
Statements, which is determined as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting
in preparing the Group’s Financial Statements for the year ended 30 September 2025.
There are no post-Balance Sheet events which the Directors believe will negatively impact the going concern assessment.
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an
explanation of APMs and adjusting items, including a reconciliation to statutory information.
Business combinations
Business combinations are accounted for by applying the acquisition method at the acquisition date, which is the date on which control is
transferred to the Group. The Group controls an entity when the Group is exposed to, or has rights to, variable returns from its involvement with the
entity and has the ability to affect those returns through its power over the entity.
Acquisitions and disposals
The Group measures goodwill at the acquisition date as:
•
The fair value of the consideration transferred
•
The recognised amount of any non-controlling interests in the acquiree
•
If the business combination is achieved in stages, the fair value of the existing equity interest in the acquiree
•
The fair value of the identifiable assets acquired and liabilities assumed
When the excess is negative, a bargain purchase gain is recognised immediately in profit or loss. The consideration transferred does not include
amounts related to the settlement of pre-existing relationships. Such amounts are generally recognised in the Income Statement.
Costs related to the acquisition, other than those associated with the issue of debt or equity securities, are expensed as incurred.
Any deferred or contingent consideration payable is recognised at fair value at the acquisition date. If the contingent consideration is classified as
equity, it is not remeasured, and settlement is accounted for within equity. Otherwise, subsequent changes to the fair value of contingent
consideration are recognised in the Income Statement. On a transaction-by-transaction basis, the Group elects to measure non-controlling interests
either at their fair value or at their proportionate interest in the recognised amount of the identifiable net assets of the acquiree at the acquisition date.
The results of subsidiaries acquired or disposed of during the period are included in the Consolidated Income Statement from the effective date of
acquisition or up to the effective date of disposal, as applicable. Comparatives are only restated if a disposed business meets the definition of a
discontinued operation under IFRS 5 ‘Non-current Assets Held for Sale and Discontinued Operations’. This restatement occurs only when the
disposal represents a separate major line of business or geographical area, or is part of a single co-ordinated plan to dispose of such a line or area.
Subsidiaries
Subsidiaries are entities controlled by the Group. The Financial Statements of subsidiaries are included in the consolidated Financial Statements
from the date that control commences until the date that control ceases. Control is achieved where the Company has the power to govern the
financial and operating policies of an investee entity so as to obtain benefits from its activities. Intercompany transactions and balances between
subsidiaries are eliminated on consolidation.
Intangible assets and goodwill
Goodwill represents the amounts arising from the acquisition of subsidiaries, as well as from the acquisition of trade and assets. In respect of
business acquisitions that have occurred since 1 June 2004, goodwill represents the difference between the cost of the acquisition and the fair
value of the net identifiable assets acquired including identifiable intangible assets. Identifiable intangibles are those which can be sold separately,
or which arise from legal rights regardless of whether those rights are separable.
Goodwill is stated at cost less any accumulated impairment losses. Goodwill is allocated to cash generating units (CGUs) and is not amortised but
is tested annually for impairment. In respect of equity accounted investees, the carrying amount of goodwill is included in the carrying amount of the
investment in the investee.
Research and development
Expenditure on research activities is recognised in the Income Statement as an expense as incurred. Expenditure on development activities is
capitalised as “development costs” if the product or process is technically and commercially feasible, if the Group has the technical ability and
sufficient resources to complete development, if future economic benefits are probable and if the Group can measure reliably the expenditure
attributable to the intangible asset during its development. Development activities involve a plan or design for the production of new or substantially
improved products or processes.
Subsequent expenditure is capitalised only when it increases the future economic benefits embodied in the specific asset to which it relates. All
other expenditure, including expenditure on internally generated goodwill, is recognised in the Income Statement as an expense as incurred.
Software costs
The Group capitalises software costs in accordance with the criteria of IAS 38. Software costs comprise third party costs and internal colleague
time costs for internal system developments. Capitalised amounts are initially measured at cost and amortised on a straight-line basis over the
period for which the developed system is expected to be in use as a business platform. Software costs incurred as part of a service agreement are
only capitalised when it can be evidenced that the Group has control over the resources defined in the arrangement.
The expenditure capitalised includes the cost of materials, direct labour, overhead costs that are directly attributable to preparing the asset for its
intended use and capitalised borrowing costs. Other development expenditure is recognised in the Consolidated Income Statement as an expense
as incurred. Software costs are stated at cost less accumulated amortisation and less accumulated impairment losses.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025112
Notes to the Financial Statements continued
for the year ended 30 September 2025

1 Material accounting policies continued
Software costs continued
When the Group incurs customisation and configuration costs, as part of a service agreement for Software-as-a-Service (SaaS), Infrastructure-as-
a-Service (IaaS) or Platform-as-a-Service (PaaS), judgement is applied in assessing whether the Group has control over the resources defined in
the arrangement. These costs are treated in accordance with the March 2019 IFRIC update with regard to the Customer’s Right to Receive Access
to the Supplier’s Software Hosted on the Cloud (IAS 38 ‘Intangible Assets’) and the IFRIC interpretation ratified by the Interpretations Committee in
April 2021 with regard to Configuration or Customisation Costs in a Cloud Computing Arrangement, as follows:
•
In specific circumstances, development costs incurred may give rise to an identifiable asset, for example where code/intellectual property hosted on
third party cloud infrastructure is controlled by the Group and the cost of moving the asset to another provider or bringing on-premise is not prohibitive.
•
Amounts paid to the cloud vendor or third party for configuration and customisation that are not distinct from access to the cloud software are
expensed over the contract term.
•
In all other instances, configuration and customisation costs will be expensed as the customisation and configuration services are received, for
example a cloud provider’s monthly subscription.
Intangible assets
Expenditure on internally generated goodwill is recognised in the Income Statement as an expense as incurred. Intangible assets that are acquired
by the Group are stated at cost less accumulated amortisation and less accumulated impairment losses.
Amortisation
Amortisation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of intangible assets unless such
lives are indefinite. Intangible assets with an indefinite useful life and goodwill are systematically tested for impairment at each Balance Sheet date.
Intangible assets are amortised from the date they are available for use. The estimated useful lives are as follows:
Acquired customer contracts and relationships – between three and twenty years
Software – between three and five years
Capitalised development costs – between three and five years
Impairment of non-financial assets
The carrying amounts of the Group’s non-financial assets, other than deferred tax assets, are reviewed at each reporting date to determine whether
there is any indication of impairment. If any such indication exists, then the asset’s recoverable amount is estimated. For goodwill, and intangible
assets that have indefinite useful lives or that are not yet available for use, the recoverable amount is estimated each year at the same time. The
Group performed its annual impairment review at 30 September 2025.
The recoverable amount of an asset or cash generating unit is the greater of its value in use (VIU) and its fair value less costs to sell (FVLCTS).
FVLCTS has been used for all CGUs for the year ended 30 September 2025 and the comparative period for the period ended 30 September 2024.
The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted
EBITDA
1
, and applying a reasonable market multiple on the calculated sustainable earnings.
For the purpose of impairment testing, assets that cannot be tested individually are grouped together into the smallest group of assets that generates
cash inflows from continuing use that are largely independent of the cash inflows of other assets or groups of assets (the “cash generating unit”). The
goodwill acquired in a business combination, for the purpose of impairment testing, is allocated to cash generating units (CGUs). Subject to an
operating segment ceiling test, for the purposes of goodwill impairment testing, CGUs to which goodwill has been allocated are aggregated so that
the level at which impairment is tested reflects the lowest level at which goodwill is monitored for internal reporting purposes. Goodwill acquired in a
business combination is allocated to groups of CGUs that are expected to benefit from the synergies of the combination.
An impairment loss is recognised if the carrying amount of an asset or its CGU exceeds its estimated recoverable amount. Impairment losses are
recognised in the Income Statement. Impairment losses recognised in respect of CGUs are allocated first to reduce the carrying amount of any
goodwill allocated to the units, and then to reduce the carrying amounts of the other assets in the unit (group of units) on a pro rata basis. An
impairment loss in respect of goodwill is not reversed. In respect of other assets, impairment losses recognised in prior periods are assessed at
each reporting date for any indications that the loss has decreased or no longer exists. An impairment loss is reversed if there has been a change in
the estimates used to determine the recoverable amount. An impairment loss is reversed only to the extent that the asset’s carrying amount does
not exceed the carrying amount that would have been determined, net of depreciation or amortisation, if no impairment loss had been recognised.
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an
explanation of APMs and adjusting items, including a reconciliation to statutory information.
Related party transactions
A related party is a person or entity that is related to the Group or Company. Related party transactions are the transfer of resources, services or
obligations between parties regardless of whether a price is charged. In these circumstances, the Group or Company will disclose the nature of the
related party relationship as well as information about the transactions and outstanding balances necessary for an understanding of the potential
effect of the relationship on the Financial Statements in accordance with IAS 24 ‘Related Party Transactions’.
Property, plant and equipment
Property, plant and equipment assets are carried at cost less accumulated depreciation and any recognised impairment in value. To the extent that
borrowing costs relate to the acquisition, construction or production of a qualifying asset, borrowing costs are capitalised as part of the cost of that
asset. Depreciation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of each part of an item of
plant and equipment as follows:
Computer equipment – between three and five years
Fixtures, fittings and equipment – between three and five years
Motor vehicles – four years
Property, plant and equipment is also tested for impairment whenever there is an indication of potential impairment.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 113

1 Material accounting policies continued
Leases
At inception of a contract, the Group assesses whether a contract is, or contains, a lease. A contract is, or contains, a lease if the contract conveys
the right to control the use of an identified asset for a period of time in exchange for consideration. To assess whether a contract conveys the right
to control the use of an identified asset, the Group assesses whether:
•
The contract involves use of the identified asset. This may be specified explicitly or implicitly and should be physically distinct or represent
substantially all of the capacity or a physically distinct asset. If the supplier has a substantive substitution right, then the asset is not identified.
•
The Group has the right to obtain substantially all of the economic benefits from use of the asset and throughout the period of use the Group has
the right to direct the use of the asset. The Group has this right when it has the decision-making rights that are most relevant to changing how
and for what purpose the asset is used. In rare cases where all the decisions about how and for what purpose the asset is used are
predetermined, the Group has the right to direct the use of the asset if either:
•
The Group has the right to operate the asset.
•
The Group designed the asset in a way that predetermines how and for what purpose it will be used.
The Group recognises a right-of-use asset and a lease liability at the lease commencement date. The right-of-use asset is initially measured at cost,
which comprises the initial amount of the lease liability adjusted for any lease payments made at or before the commencement date, and an
estimate of costs to dismantle and remove the underlying asset or to restore the underlying asset or the site on which it is located, less any lease
incentives received.
The right-of-use asset is subsequently depreciated using the straight-line method from the commencement date to the earlier of the end of the
useful life of the right-of-use asset or the end of the lease term. The estimated useful lives of right-of-use assets are determined on the same basis
as those of property, plant and equipment. In addition, the right-of-use asset is periodically reduced by impairment losses, if any, and adjusted for
certain remeasurements of the lease liability.
The lease liability is initially measured at the present value of the lease payments that are not paid at the commencement date, discounted using the
interest rate implicit in the lease or, if that rate cannot be readily determined, the Group’s incremental borrowing rate.
The lease liability is measured at amortised cost using the effective interest method. It is remeasured when there is a change in future lease
payments arising from a change in an index or rate, if there is a change in the Group’s estimate of the amount expected to be payable, or if the
Group changes its assessment of whether it will exercise a purchase, extension or termination option.
When the lease liability is remeasured in this way, a corresponding adjustment is made to the carrying amount of the right-of-use asset or is recorded in
the Income Statement if the carrying amount of the right-of-use asset has been reduced to zero. The Group has elected not to recognise right-of-use
assets and lease liabilities for short-term leases that have a lease term of 12 months or less and leases of low value assets, including certain IT
equipment. The Group recognises the lease payments associated with these leases as an expense on a straight-line basis over the lease term.
Lease rental costs in respect of short-term leases (less than one year) and low value assets which are exempt from being accounted for under
IFRS 16 are charged to the Income Statement on a straight-line basis over the period of the lease.
Investments
Investments in subsidiaries are carried at cost less impairment. Investments in property and unlisted shares are carried at cost less impairment,
which is based on the fair value at acquisition.
Financial instruments
Financial assets and financial liabilities, in respect of financial instruments, are recognised in the Group and Parent Company Balance Sheet when
the Group or Company becomes a party to the contractual provisions of the instrument.
Classification and measurement of financial assets and liabilities
Classification of financial assets is generally based on the business model in which the financial asset is managed and its contractual cash flow
characteristics. A financial asset is measured at amortised cost if it is held with the objective of collecting the contractual cash flows and its
contractual terms give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding.
All other financial assets are measured at fair value through other comprehensive income or the Income Statement.
Financial assets at amortised cost
Trade and other receivables
Trade and other receivables are classified as financial assets at amortised cost in accordance with IFRS 9 ‘Financial Instruments’. This classification
is applied to receivables such that the asset is to collect contractual cash flows.
Trade and other receivables are initially recognised at their fair value, which is typically the transaction price. Subsequently, these assets are
measured at amortised cost, less any provision for expected credit losses (ECLs).
Under the IFRS 9 “expected credit loss” model, a credit event (or impairment “trigger”) no longer needs to occur before credit losses are recognised.
The Group analyses the risk profile of trade receivables based on past experience and an analysis of the receivables’ current financial position,
potential for a default event to occur, adjusted for specific factors, forward-looking general economic conditions of the industry in which the
receivables operate, and assessment of both the current and the forecast direction of conditions at the reporting date. A default event is considered
to occur when information is obtained that indicates that a receivable is unlikely to be paid to the Group.
Credit risk is regularly reviewed by management to ensure the expected credit loss (ECL) model is being appropriately applied. The Group has
performed the calculation of ECL separately for each business unit.
Financial liabilities at amortised cost
Trade payables
Trade payables are other financial liabilities initially measured at fair value and subsequently measured at amortised cost.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025114
Notes to the Financial Statements continued
for the year ended 30 September 2025

1 Material accounting policies continued
Financial liabilities at amortised cost continued
Borrowings
Interest-bearing bank loans are initially recorded at their fair value and subsequently held at amortised cost. Transaction costs incurred are
amortised over the term of the loan.
Assets held for sale
Assets are classified as held for sale if their carrying amount is to be recovered principally through a sale transaction rather than through continuing
use. This condition is regarded as met only when the sale is highly probable within one year from the date of classification and the assets are
available for sale in their present condition. Assets held for sale are stated at the lower of the carrying amount and fair value less costs to dispose.
Discontinued operations
A discontinued operation is a component of the Group that has been disposed of or is classified as held for sale and represents a separate major
line of business or geographical area of operation.
In accordance with IFRS 5, the post-tax results of discontinued operations and any post-tax gain or loss on disposal or remeasurement to fair value
less costs to sell are presented as a single amount in the Consolidated Income Statement.
When classified as held for sale, the assets and liabilities of discontinued operations are presented separately in the Consolidated Balance Sheet. Cash flows
relating to discontinued operations are disclosed separately in Note 16, including operating, investing and financing activities. Further disclosures, including a
breakdown of the Income Statement components and earnings per share from discontinued operations, are provided in the Notes to the Financial Statements.
Revenue recognition
Summary
The Group provides independent global Cyber Security and Escode services.
Cyber Security
During the 16 month period ended 30 September 2024, as part of the Group’s ongoing transformation and the implementation of its new strategy,
the Group began to analyse Cyber Security revenue in greater detail by service type and capability, which replaced the previous revenue streams
of Global Managed Services (GMS) and Global Professional Services (GPS), as reflected within the prior year segmental information note (Note 3).
This change in analysis enables the Group to better focus on existing customers, as well as on simplifying operations and the core services it
provides. During the year ended 30 September 2025, the Group has updated its revenue recognition policy to better align with the revenue streams
disclosed in Note 3 (segmental information).
This update has no impact on the timing or recognition of revenue under IFRS 15 for the current year or prior period.
The revenue streams in relation to Cyber Security include:
•
Managed Services (MS) – operational cyber defence, scanning, simulation and managed security operations centres (SOCs) including Microsoft
XDR (Sentinel) propositions. In the prior period, this revenue stream was reported under the Global Managed Services revenue recognition
accounting policy, as disclosed in Note 1 of the 2024 Annual Report.
•
Digital Forensics and Incident Response (DFIR) – incident response including rapid global support during and after cyber attacks. In the prior
period, this revenue stream was reported under the Global Managed Services revenue recognition accounting policy, as disclosed in Note 1 of
the 2024 Annual Report.
•
Technical Assurance Services (TAS) and Consulting and Implementation (C&I) – global Cyber Security consultancy services. In the prior period,
these revenue streams were reported under the Global Professional Services revenue recognition accounting policy, as disclosed in Note 1 of
the 2024 Annual Report.
•
Other services – sale of own manufactured and/or resale of third party products. In the prior period, this revenue stream was reported under the
product sales revenue recognition accounting policy, as disclosed in Note 1 of the 2024 Annual Report.
Escode
The revenue streams in relation to Escode include:
•
Escrow contract services – securely maintain in “escrow” the long-term availability of business-critical software and applications.
•
Verification services – verify source code, and provide a fully managed secure service and result validation.
While the detailed recognition is contract specific, and set out in the table on pages 116 to 119, in most cases:
•
TAS, C&I and DFIR revenues are recognised on an input method over time.
•
MS revenues are bifurcated according to the separated performance obligations (see pages 116 and 117).
•
Other services revenues are recognised when control passes, usually on delivery.
•
Escrow contract revenues are recognised over time.
•
Verification services are recognised on the completion of the verification service.
Revenue is presented net of VAT and other sales related taxes.
Revenue is measured based on the consideration specified in a contract with a customer. The Group recognises revenue when it transfers control
over a good or service to a customer.
The Group does not have any material obligations in respect of returns, refunds or warranties. The impact of any financing component within
contracts with customers has been assessed and concluded to be immaterial.
On contract inception, the probability of collectability is assessed across the Group and, unless there is a significant change in facts and circumstances,
revenue is recognised. During the year or prior period, no instances have been identified where the collectability has had to be reassessed, nor have
there been any new contracts with customers for which the collection of consideration has not been assessed at inception as probable.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 115

1 Material accounting policies continued
Revenue recognition continued
Detailed policies
The following table provides information about the nature and timing of the satisfaction of performance obligations in contracts with customers by
reportable segment, including significant payment terms, and the related revenue recognition policies.
Revenue stream
Nature
NCC Group plc — Annual report and accounts for the year ended 30 September 2025116
Notes to the Financial Statements continued
for the year ended 30 September 2025

1 Material accounting policies continued
Revenue recognition continued
Detailed policies continued
Revenue stream
Nature
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 117

1 Material accounting policies continued
Revenue recognition continued
Detailed policies continued
Revenue stream
Nature
NCC Group plc — Annual report and accounts for the year ended 30 September 2025118
Notes to the Financial Statements continued
for the year ended 30 September 2025

Contract costs
Contract costs comprise incremental sales commissions paid to sales agents or external third parties, which can be directly attributed to an acquired or
retained contract. Capitalised commission costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services
when the related revenues are recognised. In all other cases, all internal and external costs of obtaining the contract are recognised as incurred.
Costs directly incurred in fulfilling a contract with a customer, which comprise labour hours on long-term contracts, are recognised as an asset to
the extent they are recoverable. Such costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services
when the related revenues are recognised.
Accrued income (contract asset)
Accrued income represents the Group’s rights to consideration for work completed but not billed at the reporting date. Remaining balances are
transferred to receivables when the rights become unconditional.
Deferred revenue (contract liability)
Deferred revenue represents advanced consideration received from customers for which revenue is recognised over time as services are rendered.
Determination and presentation of operating segments
The Group determines and presents operating segments based on the information that is provided to the Board, which acts as the Group’s Chief
Operating Decision Maker (CODM) in order to assess performance and to allocate resources. An operating segment is a component of the Group
that engages in business activities from which it may earn revenues and incur expenses, including revenues and expenses that relate to
transactions with any of the Group’s other components. An operating segment’s results are reviewed regularly by the CODM to make decisions
about resources to be allocated to the segment and to assess its performance.
The Group reports its business in two key segments: the Cyber Security division and the Escode division. The two reporting segments provide
distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. The operating
segments are grouped into the reporting segments on the basis of how they are reported to the CODM. Operating segments are aggregated into
the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their
relatively homogeneous commercial and strategic market environments. Both of the Group’s divisions (segments) are run by a senior executive
team; those teams make all decisions on resource allocation, product development, marketing and areas for focus and investment.
Where the CODM continues to review the results of a discontinued operation, the related financial information is included within the segmental
disclosures in Note 3.
1 Material accounting policies continued
Revenue recognition continued
Detailed policies continued
Revenue stream
Nature
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 119

1 Material accounting policies continued
Allocation of central costs
Some costs are collected and managed in one location but are actually incurred on behalf of multiple operating segments or reporting segments.
These costs are then allocated to the reporting segments. The allocation is based on logical or activity driven cost algorithms. The allocation is
necessary to give an accurate picture of the consumption of resources by each reporting segment.
Where discontinued operations are identified, central overheads that continue to be incurred by the Group (and would be incurred by the Group
regardless of a planned disposal) are allocated entirely to continuing operations.
Individually Significant Items (ISIs)
ISIs are identified as those items or projects that based on their size and nature and/or incidence are assessed to warrant separate disclosure to
provide supplementary information to support the understanding of the Group’s financial performance. Where a project spans a reporting period(s)
the total project size and nature are considered in totality. ISIs typically comprise costs/profits/losses on material acquisitions/disposals/business
exits, fundamental reorganisation/restructuring programmes and other significant one-off events (including material impairments). ISIs are
considered to require separate presentation in the Notes to the Financial Statements in order to fairly present the financial performance of the
Group. See Note 4 for further information.
Foreign currencies
Transactions in foreign currencies are recorded using the appropriate monthly exchange rate ruling at the date of the transaction. Monetary assets
and liabilities denominated in foreign currencies are retranslated using the exchange rate ruling at the Balance Sheet date and the gains or losses
on translation are included in the Income Statement.
The assets and liabilities of overseas subsidiaries denominated in foreign currencies are retranslated at the exchange rate ruling at the Balance
Sheet date. The income statements of overseas subsidiary undertakings are translated at the average exchange rates for the financial year. Gains
and losses arising on the retranslation of overseas subsidiary undertakings are taken to the currency translation reserve. They are released to the
Income Statement upon disposal of the subsidiary to which they relate.
Derivative financial instruments and hedge accounting
The Group holds derivative financial instruments to hedge its foreign currency risk exposures. Derivatives are initially measured at fair value.
Subsequent to initial recognition, derivatives are measured at fair value, and changes therein are generally recognised in profit or loss. The Group
designates certain derivatives as hedging instruments to hedge the variability in cash flows associated with highly probable forecast transactions
arising from changes in foreign exchange rates. At inception of designated hedging relationships, the Group documents the risk management
objective and strategy for undertaking the hedge. The Group also documents the economic relationship between the hedged item and the hedging
instrument, including whether the changes in cash flows of the hedged item and hedging instrument are expected to offset each other.
Cash flow hedges
When a derivative is designated as a cash flow hedging instrument, the effective portion of changes in the fair value of the derivative is recognised
in OCI and accumulated in the hedging reserve. The effective portion of changes in the fair value of the derivative that is recognised in OCI is
limited to the cumulative change in fair value of the hedged item, determined on a present value basis, from inception of the hedge. Any ineffective
portion of changes in the fair value of the derivative is recognised immediately in profit or loss.
The Group designates only the change in fair value of the spot element of forward exchange contracts as the hedging instrument in cash flow
hedging relationships. The change in fair value of the forward element of forward exchange contracts (forward points) is separately accounted for
as a cost of hedging and recognised in a cost of hedging reserve within equity.
When the hedged forecast transaction subsequently results in the recognition of a non-financial item, the amount accumulated in the hedging
reserve and the cost of hedging reserve is included directly in the initial cost of the non-financial item when it is recognised.
For all other hedged forecast transactions, the amount accumulated in the hedging reserve and the cost of hedging reserve is reclassified to profit
or loss in the same period or periods during which the hedged expected future cash flows affect profit or loss.
If the hedge no longer meets the criteria for hedge accounting or the hedging instrument is sold, expires, is terminated or is exercised, then hedge
accounting is discontinued prospectively. When hedge accounting for cash flow hedges is discontinued, the amount that has been accumulated
in the hedging reserve remains in equity until, for a hedge of a transaction resulting in the recognition of a non-financial item, it is included in the
non-financial item’s cost on its initial recognition or, for other cash flow hedges, it is reclassified to profit or loss in the same period or periods as the
hedged expected future cash flows affect profit or loss. If the hedged future cash flows are no longer expected to occur, then the amounts that have
been accumulated in the hedging reserve and the cost of hedging reserve are immediately reclassified to profit or loss.
Defined contribution pensions
The Group operates a defined contribution pension scheme. The assets of the scheme are kept separate from those of the Group in an
independently administered fund. The amount charged as an expense in the Income Statement represents the contributions payable to the scheme
in respect of the accounting period.
Short-term benefits
Short-term colleague benefit obligations are measured on an undiscounted basis and are expensed as the related service is provided. A liability is
recognised for the amount expected to be paid under short-term cash bonus or profit-sharing plans if the Group has a present legal or constructive
obligation to pay this amount as a result of past service provided by the colleague and the obligation can be estimated reliably.
Share-based payment transactions
Share-based payments in which the Group receives goods or services as consideration for its own equity instruments are accounted for as equity
settled share-based payment transactions, regardless of how the equity instruments are obtained by the Group.
The grant date fair value of share-based payment awards granted to colleagues is recognised as a colleague expense, with a corresponding
increase in equity, over the period that the colleagues become unconditionally entitled to the awards. The fair value of the options granted is
measured using an option valuation model, taking into account the terms and conditions upon which the options were granted.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025120
Notes to the Financial Statements continued
for the year ended 30 September 2025

1 Material accounting policies continued
Share-based payment transactions continued
The amount recognised as an expense is adjusted to reflect the actual number of awards for which the related service and non-market vesting
conditions are expected to be met, such that the amount ultimately recognised as an expense is based on the number of awards that do meet the
related service and non-market performance conditions at the vesting date. For share-based payment awards with non-vesting conditions and
market conditions, the grant date fair value of the share-based payment is measured to reflect such conditions and there is no true-up for
differences between expected and actual outcomes.
Share-based payment transactions in which the Group receives goods or services by incurring a liability to transfer cash or other assets that is
based on the price of the Group’s equity instruments are accounted for as cash settled share-based payments. The fair value of the amount payable
to colleagues is recognised as an expense, with a corresponding increase in liabilities, over the period in which the colleagues become unconditionally
entitled to payment. The liability is remeasured at each Balance Sheet date and at settlement date. Any changes in the fair value of the liability are
recognised as personnel expense within the Income Statement.
Where the Company grants options over its own shares to the colleagues of a subsidiary it recognises in its individual Financial Statements, an
increase in the cost of investment in that subsidiary equivalent to the equity settled share-based payment charge is recognised in respect of that
subsidiary in its consolidated Financial Statements with the corresponding credit being recognised directly in equity.
Holiday or vacation pay
The Group recognises a liability in the Balance Sheet for any earned but not yet taken holiday entitlement for staff. Earned holiday is calculated
on a straight-line basis over a holiday year, which can vary by business unit. Taken holiday is based on actually taken holiday. Any movement in the
liability between the opening and closing balance in the period is recorded as a colleague cost or a reduction in colleague costs in the Income
Statement in the period.
Borrowings
Borrowings are recognised initially at fair value less attributable transaction costs. Subsequent to initial recognition, borrowings are stated at
amortised cost with any difference between cost and redemption value being recognised in the Income Statement over the period of the borrowings
on an effective interest basis.
Finance costs
Finance costs are recognised within the Income Statement in the period in which they are incurred.
Provisions
Provisions are determined by discounting the expected future cash flows at a pre-tax rate that reflects current market assessments of the time
value of money and the risks specific to the liability. The unwinding of the discount is recognised as finance cost.
Taxation
Taxation on the profit or loss for the year/period comprises current and deferred taxation. Taxation is recognised in the Income Statement except
to the extent that it relates to items recognised directly in equity, in which case it is recognised in equity.
Current tax is the expected tax payable or receivable on the taxable income or loss for the period, using tax rates enacted or substantively enacted
at the Balance Sheet date, and any adjustment to tax payable in respect of previous years.
Deferred tax is provided on temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and
the amounts used for taxation purposes. The following temporary differences are not provided for: the initial recognition of goodwill; the initial
recognition of assets or liabilities that affect neither accounting nor taxable profit other than in a business combination; and differences relating to
investments in subsidiaries to the extent that they will probably not reverse in the foreseeable future. The amount of deferred tax provided is based
on the expected manner of realisation or settlement of the carrying amount of assets and liabilities, using tax rates enacted or substantively enacted
at the Balance Sheet date. A deferred tax asset is recognised only to the extent that it is probable that future taxable profits will be available against
which the temporary difference can be utilised.
Deferred tax assets and liabilities are offset where there is a legally enforceable right to offset current tax assets and liabilities and where the
deferred tax balances relate to the same taxation authority. Current tax assets and tax liabilities are offset where the entity has a legally enforceable
right to offset and intends either to settle on a net basis, or to realise the asset and settle the liability simultaneously.
UK research and development expenditure credits (RDECs) are recognised for the UK tax jurisdiction within administrative expenses and R&D US
tax credits within income tax for the US tax jurisdiction.
Intra-group financial instruments
From time to time, the Company enters into financial guarantee contracts to guarantee the indebtedness of its subsidiaries. The Company accounts
for these contracts under IFRS 9. Financial guarantee contracts are initially measured at fair value and subsequently measured at the higher of fair
value and the expected credit loss.
Intercompany loans within the Company are repayable on demand and are classified as financial assets. Interest income is recognised using the
effective interest method in accordance with IFRS 9.
Cash and cash equivalents
Cash and cash equivalents comprise cash in hand and deposits repayable on demand. Bank overdrafts that are repayable on demand form part of
the Group’s cash management and are included as a component of cash and cash equivalents for the purpose only of the Statement of Cash Flows.
These facilities are considered to form an integral part of the treasury management of the Group and can fluctuate from positive to negative
balances during the period.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 121

1 Material accounting policies continued
Treasury shares
The Group operates an Employee Share Ownership Trust (ESOT), which holds shares for the benefit of employees under the Group’s share-based
payment schemes. Shares held by the ESOT are classified as treasury shares in the consolidated Financial Statements and are presented as a deduction
from equity. Consideration received for the sale of such shares is also recognised in equity, with any difference between the proceeds from sale and the
original cost being taken to reserves. No gain or loss is recognised in the Income Statement on the purchase, sale, issue or cancellation of equity shares.
To the extent the Company makes funds available to the ESOT under the terms of a formal loan arrangement, this loan arrangement is recognised
as an intergroup loan receivable within current assets. The recoverability of this loan receivable is reviewed at each reporting date, and where
objective evidence of impairment exists, an impairment loss is recognised in accordance with IFRS 9 ‘Financial Instruments’.
2 Critical accounting judgements and key sources of estimation uncertainty
The preparation of Financial Statements requires management to exercise judgement in applying the Group’s accounting policies. Different
judgements would have the potential to change the reported outcome of an accounting transaction or Balance Sheet. It also requires the use of
estimates that affect the reported amounts of assets, liabilities, income and expenses. Actual results may differ from these estimates. Estimates and
underlying assumptions are reviewed on an ongoing basis, with changes recognised in the period in which the estimates are revised and in any
future periods affected. The table below shows the area of critical accounting judgement and estimation that the Directors consider material and
that could reasonably change significantly in the next year.
Accounting area
Accounting judgement?
Accounting estimate?
Carrying value of goodwill
No
Yes
2.1 Critical accounting judgements
No critical accounting judgements have been made in applying accounting policies that have the most significant effects on the amounts
recognised in the consolidated Financial Statements.
2.2 Key sources of estimation uncertainty
Information about estimation uncertainties that have a significant risk of resulting in a material adjustment to the carrying values of assets and
liabilities within the next financial year is addressed below.
While every effort is made to ensure that such estimates and assumptions are reasonable, by their nature they are uncertain, and as such changes
in estimates and assumptions may have a material impact. Estimates and assumptions used in the preparation of the Financial Statements are
continually reviewed and revised as necessary as at each reporting date.
The Directors have considered the impact of climate change on the following estimation uncertainties. Due to nature of the climate change impact
on the Group, no material impact has been identified.
The key sources of estimation uncertainty disclosed in the Group’s consolidated Financial Statements for the 16 month period ended 30 September 2024
remain applicable for the year ended 30 September 2025. These primarily relate to the carrying value of goodwill.
Carrying value of goodwill
The Group has significant goodwill balances as at 30 September 2025, arising from acquisitions in previous years. The carrying value of goodwill at
30 September 2025 is £46.3m (30 September 2024: £156.5m). Goodwill is tested for impairment annually on 30 September. The Group allocates
goodwill to cash generating units (CGUs), representing the lowest level of asset groupings that generate independent cash inflows.
For the year ended 30 September 2025, tests for impairment are based on the calculation of a fair value less costs to sell (FVLCTS) which has been used to
establish the recoverable amount of each CGU. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings,
which are based on the Adjusted EBITDA
1
, and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings
figures used in this calculation include a key assumption regarding achievable forecast revenue. Reasonable changes in the key assumptions used to
determine the sustainable earnings can materially impact the outcomes of the impairment reviews and the impairment charges recognised. An analysis of
the Group’s goodwill, the methodology used to test for impairment and sensitivity analysis relating to the sustainable earnings are set out in Note 11.
Regarding the prior period, the two principal areas of estimation uncertainty (whereby reasonable changes in their assumptions could materially
impact their respective outcomes) related to:
•
The impairment of goodwill within the North America Cyber Security CGU
•
The reallocation of goodwill within the Europe Cyber Security CGU
Impairment of goodwill – North America Cyber Security
This estimate involved a calculation of sustainable earnings, within which the gross margin used was a key assumption, which had the potential to
result in material adjustments to the carrying amounts of goodwill. No impact was noted in the current year, given the full goodwill balance was
impaired in the prior period.
Reallocation of goodwill – Europe Cyber Security
This estimate involved an allocation of goodwill between the Fox Crypto CGU and the remaining Europe Cyber Security CGU. This was based on a calculation
of adjusted relative fair values, within which the revenue used was a key assumption. The goodwill allocated to the Fox Crypto CGU was reclassified as an
asset held for sale at 30 September 2024 and was derecognised on 28 March 2025 following the completion of the disposal of Fox Crypto (see Note 31).
No further impairments or changes to goodwill allocations have occurred in the year ended 30 September 2025. For further information on the
Group’s impairment methodology and sensitivity analyses, refer to Note 11.
1 Revenue at constant currency, Adjusted EBITDA, and net debt excluding lease liabilities are Alternative Performance Measures (APMs) rather than IFRS measures. For an explanation of
APMs and adjusting items, including a reference to the reconciliation with statutory information, please see Appendix 1.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025122
Notes to the Financial Statements continued
for the year ended 30 September 2025

3 Segmental information
The Group is organised into the following two (2024: two) reportable segments: Cyber Security and Escode. The two reporting segments provide
distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. These operating
segments are deemed to hold similar economic characteristics. The operating segments are grouped into the reporting segments on the basis of
how they are reported to the Chief Operating Decision Maker (CODM) for the purposes of IFRS 8 ‘Operating Segments’, which is considered to be
the Board of Directors of NCC Group plc.
Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common
management structures, and their relatively homogeneous commercial and strategic market environments. Performance is measured based on
reporting segment profit, with interest and tax not allocated to business segments. There are no intra-segment sales.
During the year, the Group’s Escode business has been classified as a discontinued operation as described in Note 16. As the CODM continues
to assess the performance of this operation, its results are included in the segmental information presented below.
The central and head office cost centre is not considered to be a separate operating segment nor part of any other operating segment as it does
not generate any revenues. Included within central and head office are assets and liabilities not specifically allocated to the reporting segments and
include investments, head office tangible and intangible assets, deferred tax assets and liabilities, right-of-use assets and associated lease liabilities,
Parent Company cash balances, the RCF and certain provisions. Central and head office assets and liabilities are disclosed to allow a reconciliation
back to the Group’s assets and liabilities.
Revenue
—
238.9
238.9
66.5
305.4
Cost of sales
—
(150.5)
(150.5)
(19.0)
(169.5)
Gross profit
—
88.4
88.4
47.5
135.9
Gross margin %
—
37.0%
37.0%
71.4%
44.5%
Administrative expenses*
(11.2)
(68.4)
(79.6)
(9.6)
(89.2)
Share-based payments
(2.6)
(0.2)
(2.8)
(0.2)
(3.0)
Depreciation
(2.5)
(6.6)
(9.1)
(0.7)
(9.8)
Amortisation of software and development costs
(0.6)
(1.2)
(1.8)
(0.3)
(2.1)
Amortisation of acquired intangibles
(2.1)
(1.0)
(3.1)
(5.0)
(8.1)
Individually Significant Items (Note 4)
(5.6)
(3.9)
(9.5)
—
(9.5)
Total administrative expenses
(24.6)
(81.3)
(105.9)
(15.8)
(121.7)
Profit on disposal of Fox Crypto
11.4
—
11.4
—
11.4
Operating (loss)/profit
(13.2)
7.1
(6.1)
31.7
25.6
Finance costs
(5.0)
Profit before taxation
20.6
Taxation
(3.5)
Profit for the year attributable to owners of the Company
17.1
* In accordance with IFRS 5, £6.8m of head office overheads incurred by the discontinued Escode division during the year have been reallocated to central and head office within
continuing operations. This is due to the fact that if an operation is disposed of, the relevant central overheads may not decrease in the short term.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 123

3 Segmental information continued
Revenue
—
3 42.1
342.1
87. 4
429.5
Cost of sales
—
(224.1)
(224.1)
(26.7)
(250.8)
Gross profit
—
118 .0
118.0
60.7
178.7
Gross margin %
—
34.5%
34.5%
69.5%
41.6%
Administrative expenses*
(13.0)
(97.3)
(110.3)
(14.5)
(124.8)
Share-based payments
(2.0)
(0.1)
(2.1)
(0.2)
(2.3)
Depreciation
(3.5)
(9.4)
(12.9)
(0.6)
(13.5)
Amortisation of software and development costs
(1.8)
(1.5)
(3.3)
—
(3.3)
Amortisation of acquired intangibles
(4.0)
(1.4)
(5.4)
( 7.1)
(12.5)
Individually Significant Items (Note 4)
—
(41.4)
(41.4)
(0.1)
(41.5)
Total administrative expenses
(24.3)
(151.1)
(175.4)
(22.5)
(197.9)
Operating (loss)/profit
(24.3)
(3 3.1)
(5 7.4)
38.2
(19.2)
Finance costs
(8.3)
Loss before taxation
(27.5)
Taxation
(5.0)
Loss for the period attributable to owners of the Company
(32.5)
* In accordance with IFRS 5, £9.6m of head office overheads incurred by the discontinued Escode division during the prior period have been reallocated to central and head office within
continuing operations, restating the prior period Escode and central and head office administrative expenses. This is due to the fact that if an operation is disposed of, the relevant
central overheads may not decrease in the short term. See Note 16 for further details.
Additions to non-current assets
3.5
7.8
11.3
0.3
11.6
Reportable segment assets
28.9
116.4
145.3
198.0
343.3
Reportable segment liabilities
(32.0)
(65.0)
(97.0)
(39.8)
(136.8)
Additions to non-current assets
4.0
12.6
16.6
1.6
18.2
Reportable segment assets
37.5
183.8
221.3
198.8
42 0.1
Reportable segment liabilities
(113.0)
(77.2)
(190.2)
(24.7)
(214.9)
The net book value of non-current assets is analysed geographically as follows:
UK
57. 5
57.5
APAC
4.8
5.4
North America
1.6
2.0
Europe
11.3
8.6
Total non-current assets
75.2
73.5
UK
24.5
28.4
APAC
—
—
North America
156.4
162.3
Europe
7.6
9.4
Total non-current assets*
188.5
2 0 0.1
* Non-current assets associated with the Escode division have been reclassified to current assets given it meets the definition of an asset held for sale as at 30 September 2025.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025124
Notes to the Financial Statements continued
for the year ended 30 September 2025

3 Segmental information continued
Revenue is disaggregated by primary geographical market, by category and by timing of revenue recognition as follows:
Continuing operations
Discontinued operations
UK
125.8
158.9
29.3
36.5
155.1
195.4
APAC
8.6
14.4
0.1
—
8.7
14.4
North America
56.7
90.7
32.9
45.5
89.6
136.2
Europe
47.8
78 .1
4.2
5.4
52.0
83.5
Total revenue
238.9
3 42.1
66.5
87.4
305.4
429.5
Continuing operations
Discontinued operations
Services
236.0
337.5
66.5
87.4
302.5
424.9
Products
2.9
4.6
—
—
2.9
4.6
Total revenue
238.9
3 42.1
66.5
87.4
305.4
429.5
Continuing operations
Discontinued operations
Services and products transferred over time
219.6
322.1
42.9
5 7.9
262.5
380.0
Services and products transferred at a point in time
19.3
20.0
23.6
29.5
42.9
49.5
Total revenue
238.9
3 42.1
66.5
87.4
305.4
429.5
The total future revenue from the remaining term of the Group’s continuing operations contracts, for performance obligations not yet delivered as of
30 September 2025, is £232.8m (2024 restated*: £224.2m). The equivalent from discontinued operations is £24.7m (2024: £22.4m). The Group
expects this revenue to be recognised over the respective contract terms between FY26 and FY30. The prior period amounts have been restated
following the Escode division being classed as a discontinued operation in 2025.
* The prior period number has been restated, following a review that identified £4.8m had been incorrectly included.
As part of the Group’s ongoing transformation and the implementation of its new strategy, Cyber Security revenue continues to be analysed in
greater detail by service type and capability. This change in analysis enables the Group to better focus on existing customers, as well as on
simplifying operations and the core services provided. The analysis is as follows:
Technical Assurance Services (TAS)
88.4
141.4
Consulting and Implementation (C&I)
48.5
55.2
Managed Services (MS)
76.4
91.8
Digital Forensics and Incident Response (DFIR)
13.1
20.6
Other services
12.5
33.1
Total Cyber Security revenue
238.9
3 42.1
In compliance with IFRS 8, the Group had one external customer contributing £33.7m of revenue for the year ended 30 September 2025,
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 125

3 Segmental information continued
Revenues from the Escode business, classified as a discontinued operation for the year ended 30 September 2025, have been analysed by service line:
Discontinued operations
2025
£m
2024
£m
Escrow contracts 43.0 57. 2
Verification services 23.5 30.2
Total Escode revenue 66.5 87.4
4 Individually Significant Items (ISIs)
The Group separately identifies items as Individually Significant Items. Each of these is considered by the Directors to be sufficiently unusual in
terms of nature or scale so as not to form part of the underlying performance of the business. They are therefore separately identified and excluded
from adjusted results (as explained in Appendix 1).
Fundamental reorganisation costs
a
3.9
9.4
Costs associated with strategic review of Escode business
b
3.8
0.1
Costs associated with strategic review of Cyber business
c
1.8
—
Profit on disposal of DetACT/DDI
d
—
(1.5)
North America Cyber Security goodwill impairment
e
—
31.9
Transaction costs of Fox Crypto
f
—
1.6
Total ISIs (excluding profit on disposal of Fox Crypto)
9.5
41.5
Profit on disposal of Fox Crypto
f
(11.4)
—
Total ISIs
(1.9)
41.5
(a) Fundamental reorganisation costs
In order to implement the next chapter of the Group’s strategy to enhance future growth, certain strategic actions are required including reshaping
the Group’s global delivery and operational model. This reshaping is considered a fundamental reorganisation and restructuring programme that
will span reporting periods, and the total project size and nature are considered in totality. The programme commencement was accelerated
following the Group experiencing specific market conditions that validated the rationale of the next chapter of the Group’s strategy. The programme
included three planned phases (with phase 3 remaining in progress as at 30 September 2025) as follows:
•
Phase 1 (March–April 2023) – initial reduction in global delivery and operational headcount, and c.7% reduction of the Group’s global headcount.
•
Phase 2 (June–September 2023) – a further reduction in the global delivery, operational and corporate functions’ headcount prior to opening our
offshore operations and delivery centre in Manila.
•
Phase 3 (October 2023–December 2025) – the Group’s intention remains for phase 3 of the reorganisation to complete by December 2025;
however, this will continue to be monitored as the transformation strategy progresses as we ensure the operating model is market aligned, and
delivery is focused to support the underlying Cyber Security business strategy.
Costs of £3.9m (2024: £9.4m) and a cash outflow of £3.8m (2024: £6.0m) have been incurred in relation to the implementation of this
reorganisation. These costs primarily consist of severance payments, associated taxes, and professional fees for advisory and legal services.
The reorganisation costs include £0.3m (2024: £3.4m) related to property rationalisation. This comprises £0.1m (2024: £3.5m) in property closure
impairment charges and £nil (2024: £0.4m) in fixed asset impairment charges, both relating to non-current assets. Additionally, £nil (2024: £0.7m)
relates to non-rental provision costs.
Offsetting these costs are £0.2m (2024: £0.8m) in non-current asset impairment reversals and £nil (2024: £0.4m) in provision reversals. These
costs and reversals reflect the impact of a reduction in the Group’s global headcount, leading to decreased office utilisation and a re-evaluation of
the global property portfolio.
It is expected that costs will continue to be incurred into FY26. The Group will need to exercise judgement in assessing whether restructuring items
should be classified as ISIs. This assessment will consider the nature of the item, its cause, the scale of its impact on reported performance, the
resulting benefits, and alignment with the original reorganisation programme’s principles and plans.
(b) Costs associated with strategic review of Escode business
In February 2023, the Group announced the commencement of a strategic review of its Escode business and other core and non-core assets.
The review of the Escode business was subsequently stopped in June 2023, which was reinforced within the Group’s 2024 Annual Report and
Accounts. However, during the year ended 30 September 2025, the Group confirmed that it was exploring a number of options for its Escode
business, including a potential sale. This was subsequently reinforced by the Group’s trading update issued on 21 October 2025.
Professional fees of £3.8m (2024: £0.1m) have been incurred during the year, primarily relating to advisory support services. These costs meet the
Group’s policy for inclusion as ISIs, having been incurred as part of the wider restructuring and reorganisation activities ongoing within the Group.
Costs of £3.8m (2024: £0.1m) and a cash outflow of £1.8m (2024: £0.1m) have been incurred.
(c) Costs associated with strategic review of Cyber business
On 28 April 2025, the Group confirmed that it was investigating a number of options for its Escode business including a potential sale. On 16 July 2025
the Company confirmed that it was in the early stages of commencing a review of all strategic options for its Cyber business in the event the sale of
the Escode business is agreed (the "Cyber Review"). This was subsequently reinforced by the Group’s trading update issued on 21 October 2025.
This process remains at a very early stage, and as at 30 September 2025, no decisions had been made regarding which option will be pursued.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025126
Notes to the Financial Statements continued
for the year ended 30 September 2025

4 Individually Significant Items (ISIs) continued
(c) Costs associated with strategic review of Cyber business continued
During the year the Group has incurred professional fees of £1.8m (2024: £nil) in relation to the Cyber review, primarily relating to advisory support
services. Costs of £1.8m (2024: £nil) and a cash outflow of £0.9m (2024: £nil) have been incurred.
(d) Profit on disposal of DetACT/DDI
In the prior period, on 30 April 2024, the Group disposed of its DetACT business for cash consideration of £8.2m. A profit of £1.6m was recognised
in relation to this disposal. There has been no impact in the current year.
On 31 December 2022, the Group disposed of its DDI business for a total consideration of £5.8m, consisting of a cash payment of £2.0m and
contingent consideration of £3.8m. This disposal resulted in a profit of £nil (2024: £nil) directly attributable to the DDI business sale. Further details
are available in the 2024 Annual Report. The Group classified these proceeds under ISIs due to the material profit on disposal. During the period
ended 30 September 2024 the £3.8m contingent consideration identified in 2023 was received, and a £0.1m reclassification related to the final
tranche payment was recorded. No additional contingent consideration payments were received in the year ended 30 September 2025.
(e) North America Cyber Security goodwill impairment
Following the impairment review of goodwill as at 31 May 2024, an impairment of £31.9m was recognised in North America Cyber Security for the
period ended 30 September 2024.
No further impairment has been recognised in the year ended 30 September 2025. For further details, please refer to Note 11.
(f) Profit on disposal/transaction costs of Fox Crypto B.V.
On 28 March 2025, the Group completed the disposal of Fox Crypto B.V. to CR Group Nordic AB for a gross cash consideration of £65.6m.
A gain on disposal of £11.3m has been recognised within ISIs in the year ended 30 September 2025, calculated as cash consideration of £65.6m,
less net assets disposed of £52.3m and transaction costs of £2.0m incurred in the year.
An additional £1.5m of related transaction costs were recognised in ISIs in the 16 month period ended 30 September 2024. After accounting for
these, the total gain on disposal amounts to £9.8m. Refer to Note 31 for further details, including a reconciliation of the gain on disposal. A further
£0.1m of other transaction costs was included in the prior period that did not relate to Fox Crypto.
As this represents a material gain on disposal, this has been classified as a separate line item within the Income Statement.
Since completion of the deal, £0.1m (2024: £nil) of income has been earned under a six month transactional services agreement (TSA), bringing
the overall impact relating to Fox Crypto to £11.4m.
5 Expenses and auditor’s remuneration
Audit of the Parent and consolidated annual Financial Statements
1.5
Audit of Financial Statements of subsidiaries pursuant to legislation
0.1
Other assurance services (see Audit Committee Report on page 71 for further information)
0.1
Total audit
1
operations
Group
Amortisation of software costs (Note 11)
1.4
—
1.4
Amortisation of acquired intangibles (Note 11)
3.1
5.0
8.1
Amortisation of development costs (Note 11)
0.4
0.3
0.7
Depreciation of property, plant and equipment (Note 12)
4.1
0.2
4.3
Depreciation of right-of-use assets (Note 13)
5.0
0.5
5.5
Loss on disposal of non-current assets (Note 12)
1.2
—
1.2
Other impairment charge of non-current assets (Note 13)
0.3
—
0.3
Impairment reversal of non-current assets (Note 13)
(0.2)
—
(0.2)
Profit on disposal of Fox Crypto B.V. (Note 4)
(11.4)
—
(11.4)
Individually Significant Items (ISIs) (Note 4)
9.5
—
9.5
Net impairment gains on financial and contract assets (Note 21)
(0.3)
—
(0.3)
Foreign exchange losses
2.7
—
2.7
Research and development UK tax credits
0.4
—
0.4
Gain on disposal following derecognition of lease liabilities
(1.9)
—
(1.9)
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 127

5 Expenses and auditor’s remuneration continued
Auditor’s remuneration
Group
2024
£m
Profit/(loss) before taxation is stated after charging:
Amounts receivable by auditor and its associates in respect of:
Audit of the Parent and consolidated annual Financial Statements 1.6
Audit of Financial Statements of subsidiaries pursuant to legislation 0.1
Other assurance services (see Audit Committee Report on page 71 for further information) 0.1
Total audit
1
1.8
Continuing
operations
2024
£m
Discontinued
operations
2024
£m
Group
2024
£m
Amortisation of development costs (Note 11)
1.3
—
1.3
Amortisation of software costs (Note 11)
2.0
—
2.0
Amortisation of acquired intangibles (Note 11)
5.4
7.1
12.5
Depreciation of property, plant and equipment (Note 12)
5.1
0.3
5.4
Depreciation of right-of-use assets (Note 13)
7.8
0.3
8 .1
Other impairment charge of non-current assets
0.5
0.4
0.9
Individually Significant Items (ISIs) (Note 4)
41.4
0.1
41.5
Net impairment losses on financial and contract assets (Notes 14 and 21)
0.4
—
0.4
Cost of inventories recognised as an expense
0.8
—
0.8
Foreign exchange losses
1.9
—
1.9
Research and development UK tax credits
(0.3)
(0.2)
(0.5)
Profit on disposal of right-of-use assets
(0.1)
—
(0.1)
1 The only non-audit services provided by the auditor were the interim review for the half year ended 31 March 2025, for which the fee was £80,000 (31 May 2024 interim review:
£80,000), and access to a generic online accounting manual, for which the fee was £2,000 (2024: £2,000).
6 Staff numbers and costs
Directors’ emoluments are disclosed in the Remuneration Committee Report. Total aggregate emoluments of the Directors in respect of the year
ended 30 September 2025 were £2.5m (2024: £3.4m). Employer contributions to pensions for Executive Directors for qualifying periods were
£40,000 (2024: £50,000). The Company provided pension payments in lieu of pension contributions for two (2024: three) Executive Directors
during the year ended 30 September 2025. The aggregate net value of share awards granted to the Directors in the year was £nil (2024: £3.7m).
The net value has been calculated by reference to the closing mid-market price of the Company’s shares on the day before the date of grant. During
the year, no (2024: 5,000) share options were exercised by Directors and their gain on exercise of share options was £nil (2024: £5,000).
The average monthly number of persons employed by the Group during the year, including Executive Directors and discontinued operations, is
analysed by category as follows:
2025
2024
Operational
1,642
1,733
Administration
498
468
Total
2 ,1 4 0
2,201
The aggregate payroll costs (inclusive of Executive Directors and discontinued operations) of these persons were as follows:
Wages and salaries
177.2
247. 4
Share-based payments (Note 24)
2.1
2.3
Social security costs
16.6
25.9
Other pension costs (Note 28)
7.4
8.0
Total payroll costs
203.3
283.6
NCC Group plc — Annual report and accounts for the year ended 30 September 2025128
Notes to the Financial Statements continued
for the year ended 30 September 2025

7 Finance costs
Interest payable on bank loans and overdrafts
3.8
6.6
Interest expense on lease liabilities *
1.1
1.6
Total Finance costs
4.9
8.2
* Comparatives have been restated to present Escode as a discontinued operation. Refer to Note 16 for further details.
The above finance costs relate entirely to liabilities not at fair value through profit or loss.
8 Taxation
Recognised in the Income Statement
Current year/period
1.7
1.6
Overseas current tax for the year/period
2.5
6.0
Impact of prior period US R&D tax credits
(1.0)
(1.8)
Adjustments in respect of prior periods
1.0
(2.6)
Total current tax
4.2
3.2
Origination and reversal of temporary differences
(0.9)
(1.2)
Impact of prior period US R&D tax credits
0.3
(0.2)
Adjustment to tax expense in respect of prior periods
(0.1)
3.2
Total deferred tax
(0.7)
1.8
Total tax expense
3.5
5.0
Loss from continuing operations
(1.9)
1.6
Profit from discontinued operations
5.4
3.4
3.5
5.0
* Comparatives have been restated to present Escode as a discontinued operation. See Note 16 for further details.
Reconciliation of taxation
20.6
(27. 5)
Current tax using the UK effective corporation tax rate of 25% (2024: 25%)
5.2
(6.9)
Profit on disposal of Fox Crypto
(2.8)
—
Total tax expense
3.5
5.0
* Comparatives have been restated to present Escode as a discontinued operation. See Note 16 for further details.
During the prior period, a deferred tax asset of £7.1m was generated in North America, which was derecognised. This reflected an assessment of
the recoverability of the Group’s North American deferred tax assets, based on latest available forecasts and expectations of future taxable profits
in the region. The decision not to recognise these assets was made in accordance with IAS 12 ‘Income Taxes’, which required that deferred tax
assets be recognised only to the extent it is probable that sufficient taxable profits will be available to utilise the deductible temporary differences.
As of 30 September 2024, the criteria for recognition were not met. This recognition criterion continued not to be met as at 30 September 2025,
with no changes identified from the prior-period assessment during the year. The unrecognised deferred tax asset as at 30 September 2025 is £6.1m.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 129

8 Taxation continued
Reconciliation of taxation continued
As this prior period derecognition related to the historical performance of our North America Cyber Security business, where the recovery in
demand was less consistent than expected, it was directly tied to the prior period goodwill impairment of £31.9m at 31 May 2024 (taken to ISIs;
see Note 4). The Group included this adjustment as an adjusted item within the taxation line in the Income Statement. For reconciliation to statutory
measures, please see page 53. No current year impact has been noted.
The UK government introduced legislation in the Finance Bill 2021 to increase the main rate of UK corporation tax from 19% to 25% with effect from
1 April 2023. The legislation was substantively enacted on 24 May 2021 and therefore UK deferred tax balances as at the Balance Sheet date are
generally measured at a rate of 25%.
Tax uncertainties
The tax expense reported for the current year and prior period is affected by certain positions taken by management where there may be
uncertainty. The most significant source of uncertainty arises from claims for US R&D tax credits relating to the current and previous periods.
Uncertainty relates to the interpretation of US legislation applicable to periods where the statute of limitations has not expired. As at 30 September 2025,
the gross cumulative amount of US R&D tax credits amounts to £9.0m (2024: £9.5m), of which a cumulative tax benefit has been recognised of
£7.6m (2024: £6.7m). The unrecognised benefit is £1.4m (2024: £2.8m).
9 Dividends
Dividend policy
Dividends are the way the Company makes distributions from the Company’s distributable reserves to shareholders. The Board determines the
dividend level at each half-year reporting period (i.e. 31 March and 30 September). If an interim or final dividend is declared, the Company pays the
dividend approximately eight weeks after the results announcement. A dividend is paid for each share, with the amount received depending on the
number of shares owned.
Dividends paid and recognised in the year/period
9.2
14.5
Dividends recognised but not paid in the year/period
—
9.8
Dividends per share paid and recognised in the year/period
3.0p
4.65p
Dividends per share recognised but not paid in the year/period
—
3.15 p
Dividends per share proposed but not recognised in the year/period
3.15p
1.50p
An interim dividend of £9.8m for the period ended 30 September 2024 of 3.15p per ordinary share was paid on 1 October 2024. It was recognised in the
prior period but not paid until the current financial year and was therefore included within non-trade payables as at 30 September 2024 (see Note 17).
The final dividend of £4.6m for the period ended 30 September 2024 of 1.50p per ordinary share was recommended by the Board on 5 December 2024
and was subsequently paid on 4 April 2025.
The interim dividend of £4.6m for the year ended 30 September 2025 of 1.50p per ordinary share was recommended by the Board on 19 June 2025
and was subsequently paid on 1 August 2025.
The proposed final dividend for the year ended 30 September 2025 of 3. 15p per ordinary share was recommended by the Board on 8 December 2025
and will be paid on 10 April 2026 to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026. The
dividend will be recommended to shareholders at the AGM on 3 March 2026. The dividend has not been included as a liability as at 30 September 2025.
10 (Loss)/earnings per ordinary share
Loss for the year/period from continuing operations
(9.1)
(67.2)
Profit for the year/period from discontinued operations
26.2
34.7
Profit/(loss) for the year/period attributable to owners of the Company
17.1
(32.5)
Weighted average number of shares in issue
314.8
313.3
Less: weighted average holdings by Group ESOT
(7.7)
(1.6)
Basic weighted average number of shares in issue
307.1
311.7
Dilutive effect of share options
5.2
1.5
Diluted weighted average shares in issue
312.3
313.2
NCC Group plc — Annual report and accounts for the year ended 30 September 2025130
Notes to the Financial Statements continued
for the year ended 30 September 2025

10 (Loss)/earnings per ordinary share continued
For the purposes of calculating the dilutive effect of share options, the average market value is based on quoted market prices for the period during
which the options are outstanding. Where losses have been reported in the current year or prior period, the diluted EPS does not include the
dilutive effect of share options.
From continuing operations attributable to the ordinary equity holders of the Company
(3.0)
(21.6)
From discontinued operations attributable to the ordinary equity holders of the Company
8.5
11.1
From continuing operations attributable to the ordinary equity holders of the Company
(3.0)
(21.6)
From discontinued operations attributable to the ordinary equity holders of the Company
8.4
11.1
11 Goodwill and intangible assets
At 1 June 2023
324.6
21.2
13.8
179.2
214.2
538.8
Additions
—
1.4
1.0
0.2
2.6
2.6
Disposals (see Note 31)
(5.9)
(0.6)
(9.9)
—
(10.5)
(16.4)
Assets classified as held for sale (Note 16)
(52.1)
—
(2.5)
—
(2.5)
(54.6)
Effects of movements in exchange rates
(9.4)
(0.2)
(0.1)
(9.4)
(9.7)
(19.1)
At 30 September 2024
257.2
21.8
2.3
170.0
19 4.1
451.3
Additions
—
0.4
—
—
0.4
0.4
Reclassification
—
(0.8)
0.2
0.6
—
—
Assets classified as held for sale (Note 16)
(110.2)
(3.8)
—
(95.1)
(98.9)
(209.1)
Effects of movements in exchange rates
—
—
0.6
1.0
1.6
1.6
At 30 September 2025
147.0
17.6
3.1
76.5
97.2
244.2
At 1 June 2023
(68.8)
(14.5)
(11.1)
(77.7)
(103.3)
(172.1)
Charge for period
—
(2.0)
(1.3)
(12.5)
(15.8)
(15.8)
Impairment
(31.9)
—
—
—
—
(31.9)
Disposals
—
—
8.8
—
8.8
8.8
Assets classified as held for sale (Note 16)
—
—
2.4
—
2.4
2.4
Effects of movements in exchange rates
—
—
0.1
2.9
3.0
3.0
At 30 September 2024
(100.7)
(16.5)
(1.1)
(87. 3)
(104.9)
(205.6)
Charge for year
—
(1.4)
(0.7)
(8.1)
(10.2)
(10.2)
Assets classified as held for sale (Note 16)
—
1.8
—
21.0
22.8
22.8
Effects of movements in exchange rates
—
—
(0.4)
(0.9)
(1.3)
(1.3)
At 30 September 2025
(100.7)
(16.1)
(2.2)
(75.3)
(93.6)
(194.3)
At 30 September 2024
156.5
5.3
1.2
82.7
89.2
245.7
At 30 September 2025
46.3
1.5
0.9
1.2
3.6
49.9
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 131

11 Goodwill and intangible assets continued
Cash generating units (CGUs)
Goodwill and intangible assets are allocated to CGUs in order to be assessed for potential impairment. CGUs are defined by accounting standards
as the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs.
The CGUs presented are consistent with the year ended 30 September 2024, with the exception of the Fox Crypto CGU, which was disposed of
during the year (with associated goodwill of £52.1m classified as held for sale as at 30 September 2024).
The CGUs and the allocation of goodwill to those CGUs are shown below:
UK and APAC Cyber Security
44.3
44.3
North America Cyber Security
—
—
Europe Cyber Security
2.0
2.2
Total Cyber Security
46.3
46.5
The Escode division, which was classified as a discontinued operation during the year, includes the following CGUs and associated allocated goodwill:
UK Escode
22.8
22.8
North America Escode
80.0
8 0.1
Europe Escode
7.4
7.1
Total Escode
110. 2
110.0
Impairment review
Goodwill is tested for impairment annually at the level of the CGU to which it is allocated. An impairment review was carried out at 30 September 2025.
The recoverable amount of all CGUs was measured on a fair value less costs to sell basis.
Capitalised development and software costs are included in the CGU asset bases when performing the impairment review. Capitalised development
projects and software intangible assets are also considered, on an asset-by-asset basis, for impairment where there are indicators of impairment.
Fair value less costs to sell
The methodology described below has been applied consistently for the impairment reviews carried out as at 30 September 2024 and 30 September 2025.
The recoverable amount of all CGUs has been determined on a fair value less costs to sell basis for the purposes of the impairment review.
The valuation under FVLCTS is expected to exceed the valuation under VIU because uncommitted restructurings and resulting operating
efficiencies are not considered within a VIU valuation in line with the requirements of IAS 36.
The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA
1
,
and applying a reasonable market multiple on the calculated sustainable earnings. Estimated sustainable earnings have been determined taking into
account a Board-approved forecast which considers past performance. The sustainable earnings used include expectations based on a market
participant view of sustainable performance of the business based on market volatility and uncertainty as at the Balance Sheet date. The
sustainable earnings input is a level 3 measurement; level 3 measurements are inputs which are normally unobservable to market participants.
The Group incurs certain overhead costs in respect of support services provided centrally to the CGUs. Such support services include Finance,
Human Resources, Legal, Information Technology and additional central management support in respect of stewardship and governance. In
calculating sustainable earnings these overhead costs have been allocated to the CGUs based on the extent to which each CGU has benefited
from the services provided. Commonly this is driven by time spent by the relevant central department in supporting the CGU, informed by
headcount or where possible specific cost allocations have been made.
The Adjusted EBITDA
1
multiple used in the calculations is based on an independent third party assessment of the implied enterprise value of each
CGU based on a population of comparable companies as at the Balance Sheet date. The estimated cost to sell was based on other recent
transactions that the Group has undertaken.
Current year impairment
The Board assessed the recoverable amount of each CGU using fair value less costs to sell as at 30 September 2025, applying the methodology
described above. In all cases, the recoverable amount exceeded the carrying amount, and no impairment losses have been recognised for the year
ended 30 September 2025.
Current year sensitivity analysis – impairment
The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, based on Adjusted EBITDA¹, and applying a
reasonable market multiple. The sustainable earnings figures include a key assumption regarding achieving forecast revenue within each CGU assessment.
The Board has reviewed sensitivity analysis on the FVLCTS calculations for each CGU, considering reasonably possible changes in the key
assumption of revenue. Assuming a 10% shortfall in forecast revenue (after factoring in controllable variable cost reductions and maintaining
margins), no material impairment would arise.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025132
Notes to the Financial Statements continued
for the year ended 30 September 2025

11 Goodwill and intangible assets continued
Fair value less costs to sell continued
Prior period impairment
In the prior period the Board assessed the recoverable amount of the North America Cyber Security CGU based on its FVLCTS as at 31 May 2024
as described above. Based on that assessment, the carrying amount of this CGU exceeded its recoverable amount and therefore an impairment
loss of £31.9m was recognised, reducing the value of goodwill allocated to this CGU to £nil.
This impairment relates to our North America Cyber Security business, as the recovery in demand was less consistent than expected.
This amount was recognised as an Individually Significant Item (see Note 4). The impairment charge recognised resulted in a reduction in the
carrying value of goodwill only.
Prior period sensitivity analysis – impairment
The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted
EBITDA
1
, and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this
calculation include a key assumption regarding a sustainable gross margin percentage for the business.
The table below shows the sensitivity of headroom to reasonably possible changes in the key assumptions, by reflecting the additional impairment
that would have been required from a decrease in gross margin of 0.5 percentage points. This additional impairment would have been after the
£31.9m impairment in the North America Cyber Security CGU during May 2024. As goodwill has been impaired to £nil, any further impairment
would be applied to other assets allocated to the CGU.
North America Cyber Security
2.9
As the goodwill in the North America Cyber Security CGU was fully impaired as at 31 May 2024, no further sensitivity analysis was provided
as at 30 September 2024.
With the exception of the North America Cyber Security CGU, the Board did not identify any reasonably possible changes in the key assumptions
that would cause the carrying values of the other CGUs to exceed their respective recoverable amounts at 30 September 2024.
Prior period goodwill reallocation
During June 2024, as part of the expected disposal of the Fox Crypto B.V. entity, the Group reorganised its reporting structure to separate out the
Fox Crypto entity from the Europe Cyber Security CGU. On this basis the Europe Cyber Security goodwill was reallocated between the newly
created Fox Crypto CGU and the remaining Europe Cyber Security CGU.
Goodwill was reallocated based on relative values of the two CGUs, but having made adjustment to reflect that the Fox Crypto CGU is less asset
intensive than the remaining Europe Cyber Security CGU.
The value of each CGU was based on FVLCTS. For the Fox Crypto CGU, the FVLCTS was based on the expected consideration to be received
on disposal (see Note 18 of the 2024 Annual Report and Accounts) of this business less estimated selling costs. For the remaining Europe Cyber
Security CGU the fair value was calculated using a methodology consistent with that used in the goodwill impairment review and described above.
Based on this assessment, goodwill of £51.9m was reallocated to the Fox Crypto CGU, leaving £2.2m as reallocated to the EU Cyber Security
CGU. Goodwill reallocated to the Fox Crypto CGU was reclassified to assets held for sale (see Note 16). There was no change in the allocated
goodwill following completion of the disposal in the current year.
Prior period sensitivity analysis – goodwill reallocation
The FVLCTS valuation of each standalone CGU was calculated by determining sustainable earnings, which were based on the Adjusted EBITDA
1
,
and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation included
a key assumption regarding forecast revenue for the business.
The table below shows the sensitivity of the goodwill reallocation to reasonably possible changes in the key assumptions, by reflecting the additional
goodwill that would have been allocated to the Europe Cyber Security CGU from an increase in revenue of 5% with no increased costs. This
additional goodwill would be after the allocation of £2.2m of goodwill to the Europe Cyber Security CGU.
Europe Cyber Security
13.3
1 Adjusted EBITDA is an Alternative Performance Measure (APM) and not an IFRS measure. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to
statutory information.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 133

12 Property, plant and equipment
At 1 June 2023
27. 5
20.4
—
47.9
Additions
3.8
2.4
—
6.2
Disposals
(0.1)
(0.2)
—
(0.3)
Assets classified as held for sale (Note 16)
(1.1)
(1.2)
—
(2.3)
Movement in foreign exchange rates
(0.3)
(0.2)
—
(0.5)
At 30 September 2024
29.8
21.2
—
51.0
Additions
2.6
0.5
1.6
4.7
Disposals
—
(1.8)
—
(1.8)
Assets classified as held for sale (Note 16)
(1.1)
(0.2)
—
(1.3)
Movement in foreign exchange rates
(0.8)
—
—
(0.8)
At 30 September 2025
30.5
19.7
1.6
51.8
At 1 June 2023
(23.0)
(12.4)
—
(35.4)
Charge for period
(3.4)
(2.0)
—
(5.4)
Impairment
—
(0.4)
—
(0.4)
On disposals
0.1
0.1
—
0.2
Assets classified as held for sale (Note 16)
0.9
0.3
—
1.2
Movement in foreign exchange rates
0.2
0.2
—
0.4
At 30 September 2024
(25.2)
(14.2)
—
(39.4)
Charge for year
(2.7)
(1.6)
—
(4.3)
On disposals
—
0.6
—
0.6
Assets classified as held for sale (Note 16)
1.0
0.1
—
1.1
Movement in foreign exchange rates
0.6
0.1
—
0.7
At 30 September 2025
(26.3)
(15.0)
—
(41.3)
At 30 September 2024
4.6
7.0
—
11.6
At 30 September 2025
4.2
4.7
1.6
10.5
NCC Group plc — Annual report and accounts for the year ended 30 September 2025134
Notes to the Financial Statements continued
for the year ended 30 September 2025

13 Right-of-use assets
At 1 June 2023
36.3
6.0
42.3
Additions
5.2
4.2
9.4
Disposals
—
(1.7)
(1.7)
Impairment
(3.2)
—
(3.2)
Assets classified as held for sale
—
(0.4)
(0.4)
At 30 September 2024
38.3
8.1
46.4
Additions
4.7
1.8
6.5
Disposals
(1.4)
(2.0)
(3.4)
Impairment
(0.3)
—
(0.3)
Reversal of impairment
0.2
—
0.2
Assets classified as held for sale
(5.9)
(0.2)
(6.1)
At 30 September 2025
35.6
7.7
43.3
At 1 June 2023
(19.0)
(4.7)
(23.7)
Charge for period
(5.6)
(2.5)
(8 .1)
Disposals
—
1.1
1.1
At 30 September 2024
(24.6)
(6.1)
(30.7)
Charge for year
(3.8)
(1.7)
(5.5)
Disposals
1.3
1.3
2.6
Assets classified as held for sale
3.9
0.2
4.1
At 30 September 2025
(23.2)
(6.3)
(29.5)
At 30 September 2024
13.7
2.0
15.7
At 30 September 2025
12.4
1.4
13.8
14 Trade and other receivables
Trade receivables
14.1
17.3
—
—
Prepayments
9.7
12.6
—
—
Contract costs – costs to obtain (see Note 21)
3.5
1.2
—
—
Contract costs – costs to fulfil (see Note 21)
3.5
—
—
—
Other receivables
1.0
1.1
—
—
Amounts owed by Group undertakings
—
—
34.2
43.1
Total
31.8
32.2
34.2
4 3.1
Current assets
31.8
32.2
—
—
Non-current assets
—
—
34.2
4 3 .1
31.8
32.2
34.2
43 .1
The carrying value of trade and other receivables classified at amortised cost approximates fair value. No material credit losses have been
recognised in respect of amounts owed by Group undertakings (Parent Company only) in the period (2024: £nil).
Amounts owed by Group undertakings in the Parent Company Balance Sheet have been disclosed as repayable after more than one year. Although
these are repayable on demand, the disclosure as non-current is based on management’s expectation of the timing of repayment.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 135

14 Trade and other receivables continued
The ageing of trade receivables and other receivables at the end of the reporting year was:
Not past due
10.5
—
10.5
13.8
—
13.8
Past due 0–30 days
2.1
—
2 .1
2.1
—
2.1
Past due 31–90 days
0.9
—
0.9
0.7
—
0.7
Past due more than 90 days
1.3
(0.7)
0.6
2.3
(1.6)
0.7
14.8
(0.7)
14.1
18.9
(1.6)
17.3
Not past due
1.0
—
1.0
1.1
—
1.1
Total
15.8
(0.7)
15.1
20.0
(1.6)
18.4
* Prior period comparative ageing analysis has been restated following a review which identified that the 2024 analysis was prepared based on invoice date rather than due date.
The Company had no trade receivables (2024: £nil). The standard period for credit sales varies from 30 days to 60 days. The Group assesses the
creditworthiness of all trade debts on an ongoing basis providing for expected credit losses in line with IFRS 9. The Group has considered credit
risk rating grades; these are based on the ageing categories above. New customers are subject to stringent credit checks.
The movement in the expected credit losses of trade and other receivables (being the credit losses recognised on financial assets, specifically
trade receivables) is as follows:
Balance at 1 June 2023
(2.0)
Provision utilised during the period
0.4
Balance at 30 September 2024
(1.6)
Transferred to assets held for sale
0.9
Balance at 30 September 2025
(0.7)
15 Deferred tax assets and liabilities (Group)
Deferred tax assets and liabilities on the Consolidated Balance Sheet are offset in accordance with IAS 12. A summary of this, offset with significant
jurisdictions, is shown for the Group (including discontinued operations) below:
Plant and equipment
—
—
0.2
0.2
Short-term temporary differences
0.4
6.3
—
6.7
IFRS 16 assets
—
—
0.1
0.1
Intangible assets
(0.6)
(6.3)
(0.5)
(7.4)
Share-based payments
1.2
—
—
1.2
Tax losses
—
—
—
—
Deferred tax asset/(liability)
1.0
—
(0.2)
0.8
Non-current assets
1.0
—
—
1.0
Non-current liabilities
—
—
(0.2)
(0.2)
NCC Group plc — Annual report and accounts for the year ended 30 September 2025136
Notes to the Financial Statements continued
for the year ended 30 September 2025

15 Deferred tax assets and liabilities (Group) continued
Plant and equipment
—
—
0.3
0.3
Short-term temporary differences
0.5
3.1
—
3.6
Intangible assets
(0.8)
(3.1)
(0.8)
(4.7)
Share-based payments
0.9
—
—
0.9
Tax losses
—
—
—
—
Deferred tax asset/(liability)
0.6
—
(0.5)
0.1
Non-current assets
0.6
—
—
0.6
Non-current liabilities
—
—
(0.5)
(0.5)
Movement in deferred tax during the year:
30 September
in equity 2025
£m
Plant and equipment
0.3
(0.1)
—
—
0.2
Short-term temporary differences
3.6
3 .1
—
—
6.7
IFRS 16 assets
—
0.1
—
—
0.1
Intangible assets
(4.7)
(2.6)
(0.1)
—
(7.4)
Share-based payments
0.9
0.2
—
0.1
1.2
Total
0.1
0.7
(0.1)
0.1
0.8
Plant and equipment
0.2
0.1
—
—
—
0.3
Short-term temporary differences
9.1
(5.7)
0.2
—
—
3.6
IFRS 16 assets/(liabilities)
0.5
(0.5)
—
—
—
—
Intangible assets
(10.7)
5.8
0.2
—
—
(4.7)
Share-based payments
0.5
0.4
—
—
—
0.9
Tax losses
1.9
(1.9)
—
—
—
—
Total
1.5
(1.8)
0.4
—
—
0.1
In the year ended 30 September 2025 (as in the period ended 30 September 2024), the Group (including the Escode division) has not recognised a
deferred tax asset in relation to tax losses (and certain other North American temporary differences) as management does not consider it probable that
future taxable profits will be available against which they may be offset. The Group has not recognised a deferred tax asset on any element of £43.4m
(2024: £19.9m) of tax losses carried forward in the United Kingdom (£8.2m), Denmark (£4.2m), Australia (£5.4m), Japan (£0.2m) and United States
state taxes (£25.4m) due to current uncertainties over their future recoverability (and in the case of certain United Kingdom/United States losses
because of specific legislative restrictions). The Group has not recognised a potential deferred tax asset in relation to short-term temporary differences
(and other minor categories) of £20.3m (2024: £25.0m) in relation to the United States.
The unrecognised deferred tax asset on the above deductible temporary differences at 30 September 2025 is £10.8m (£10.9m at 30 September 2024):
Plant and equipment
(0.1)
(0.2)
Short-term temporary differences
(5.1)
(6.3)
Intangible assets
(0.1)
—
Share-based payments
(0.2)
(0.3)
Tax losses
(5.3)
(4.1)
Total
(10.8)
(10.9)
A deferred tax asset of £1.1m (2024: £2.0m) in respect of R&D tax claims submitted in the United States has been partially provided against due to
uncertainty about recoverability; an amount of £0.7m has been provided (2024: £1.2m). No deferred tax liability is recognised on temporary differences
of £8.9m (2024: £8.1m) relating to the unremitted earnings of overseas subsidiaries as the Group can control the timing of the reversal of these
temporary differences and it is probable that they will not reverse in the foreseeable future.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 137

16 Discontinued operations and assets and liabilities held for sale
Current year – Escode
In February 2023, the Group announced the commencement of a strategic review of its Escode business and other core and non-core assets. The
review of the Escode business was subsequently stopped in June 2023. During the year ended 30 September 2025, the Group confirmed that it
was exploring a number of options for its Escode business, including a potential sale. The Group initiated an active programme to locate a buyer for
Escode during the year.
On this basis, as at 30 September 2025, the sale of Escode was considered highly probable and therefore the associated assets and liabilities were
reclassified as held for sale as at 30 September 2025.
As the conditions for classification as “held for sale” were met, and given that Escode represents a separate major line of business within the Group,
it is presented as a discontinued operation.
The financial performance and cash flow information relating to discontinued operations for the year ended 30 September 2025, including
comparative figures, is presented below.
Revenue (Note 3)
66.5
87.4
Cost of sales
(19.0)
(26.7)
Gross profit
47.5
60.7
Individually Significant Items
—
(0.1)
Depreciation and amortisation
(6.0)
(7.7 )
Other administrative expenses
(9.8)
(14.7)
Total administrative expenses
(15.8)
(22.5)
Operating profit
31.7
38.2
Finance costs
(0.1)
(0.1)
Profit before taxation
31.6
3 8 .1
Tax expense (Note 8)
(5.4)
(3.4)
Profit for the year/period from discontinued operations
26.2
34.7
Exchange differences on translation of discontinued operations
(0.1)
(10.2)
Other comprehensive income from discontinued operations
26.1
24.5
Net cash inflow from operating activities
39.6
37.0
Net cash outflow from investing activities
(0.3)
(1.6)
Net cash outflow from financing activities
(37.4)
(37. 0)
Net increase/(decrease) in cash generated by the discontinued operations
1.9
(1.6)
NCC Group plc — Annual report and accounts for the year ended 30 September 2025138
Notes to the Financial Statements continued
for the year ended 30 September 2025

16 Discontinued operations and assets and liabilities held for sale continued
Current year – Escode continued
The following assets and liabilities were reclassified as held for sale in relation to discontinued operations as at 30 September 2025:
Goodwill
110. 2
Intangible fixed assets
76.1
Tangible fixed assets
0.2
Right-of-use assets
2.0
Trade and other receivables
5.1
Cash and cash equivalents
3.9
Contract assets
0.5
Total assets classified as held for sale
198.0
Lease liabilities
(3.0)
Trade and other payables
(6.2)
Provisions
(0.3)
Deferred revenue
(24.7)
Current tax liability
(5.6)
Total liabilities associated with assets classified as held for sale
(39.8)
Prior period – Fox Crypto B.V.
On 1 August 2024, the Group announced the disposal of Fox Crypto B.V. for an initial expected gross consideration of €77.3m to CR Group Nordic AB.
As at 30 September 2024, the disposal was yet to be finalised; however, the sale of this business was considered highly probable and, accordingly,
Fox Crypto’s assets and liabilities were reclassified as held for sale as at 30 September 2024. Fox Crypto B.V. did not meet the definition of
discontinued operations.
On 28 March 2025, the Group completed the disposal of its entire 100% interest in Fox Crypto, a foreign operation, for total cash consideration of
£65.6m. Following completion, all assets and liabilities held for sale were derecognised. The Group did not retain any interest in Fox Crypto, and no
contingent consideration was recognised. For further details on the disposal see Note 31.
The table below sets out the assets held for sale balances as at 30 September 2024:
Goodwill
51.9
Intangible fixed assets
0.1
Right-of-use assets
0.4
Property, plant and equipment
1.1
Inventories
0.6
Trade and other receivables
4.3
Contract assets
3.1
Total assets classified as held for sale
61.5
Trade and other payables
(1.4)
Deferred revenue
(3 .1)
Lease liabilities
(0.4)
Provisions
(0.8)
Total liabilities associated with assets classified as held for sale
(5.7)
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 139

17 Trade and other payables
Trade payables
4.6
4.6
—
—
Non-trade payables
5.5
17.5
—
9.8
Accruals
33.0
24.7
—
—
Amounts owed to Group companies
—
—
—
0.1
Total
43.1
46.8
—
9.9
The carrying value of trade and other payables classified as financial liabilities measured at amortised cost approximates fair value.
18 Lease liabilities
At 1 June 2023
26.3
3.7
30.0
Additions
4.7
4.2
8.9
Disposals
—
(0.7)
(0.7)
Lease payments
(9.2)
(2.7)
(11.9)
Interest expense
1.3
0.4
1.7
Liabilities classified as held for sale
—
(0.4)
(0.4)
At 30 September 2024
23 .1
4.5
27.6
Additions
2.9
1.6
4.5
Disposals
(2.3)
(0.5)
(2.8)
Lease payments
(5.8)
(2.1)
(7.9)
Interest expense
0.9
0.2
1.1
Liabilities classified as held for sale
(3.0)
—
(3.0)
At 30 September 2025
15.8
3.7
19.5
Analysed as follows:
Current
4.1
5.7
Non-current
15.4
21.9
The maturity of lease liabilities is as follows:
Less than one year
4.1
5.7
Two to five years
11.0
16 .1
More than five years
4.4
5.8
Total lease liabilities
19.5
27.6
The total cash outflow for leases in the year was £7.9m (2024: £11.9m), which consists of £6.8m (2024: £10.2m) principal element of lease
payments disclosed above, £1.1m (2024: £1.7m) interest element of lease payments and £nil (2024: £nil) lease payments charged to the Income
Statement in respect of short-term leases. The Group has used its incremental borrowing rate of 6.53% (2024: 6.35%) as the discount rate for the
calculation of the lease liabilities. Some leases contain break clauses or extension options to provide operational flexibility. Potential future undiscounted
lease payments not included in the reasonably certain lease term, and hence not included in lease liabilities, total £1.2m (2024: £4.6m).
NCC Group plc — Annual report and accounts for the year ended 30 September 2025140
Notes to the Financial Statements continued
for the year ended 30 September 2025

19 Provisions
Balance at 1 June 2023
1.0
1.4
0.3
2.7
Provisions created in the period
0.3
3.0
0.1
3.4
Provisions released during the period
—
(0.2)
—
(0.2)
Provisions utilised during the period
(0.5)
(1.0)
(0.3)
(1.8)
Transferred to assets held for sale
(0.8)
—
—
(0.8)
Balance at 30 September 2024
—
3.2
0.1
3.3
Provisions created in the year
—
1.3
—
1.3
Provisions released during the year
—
(1.2)
—
(1.2)
Provisions utilised during the year
—
(0.8)
(0.1)
(0.9)
Transferred to assets held for sale
—
(0.3)
—
(0.3)
Balance at 30 September 2025
—
2.2
—
2.2
Current
—
0.3
—
0.3
Non-current
—
1.9
—
1.9
Current
—
1.3
0 .1
1.4
Non-current
—
1.9
—
1.9
The onerous property costs provision relates to unused and closed office spaces within the Group’s property portfolio. The onerous property
provision of £2.2m (2024: £3.2m) at 30 September 2025 includes £0.5m (2024: £2.0m) of non-rental costs relating to the onerous properties
including service charges and insurance, as well as the estimated costs of disposing of or terminating these leases, which includes rent incentives
and letting fees.
The provision at 30 September 2025 also includes estimated dilapidations liabilities of £1.7m (2024: £1.2m) relating to the Group’s leased premises.
Both of these provisions are expected to unwind over the period of the relevant leases (2026–2035).
Other provisions are £nil in the year ended 30 September 2025 (2024: £0.1m). These comprised accrued redundancy costs relating to the
implementation of the reorganisation to which the Group was committed as of 30 September 2024. These costs were settled within the year ended
30 September 2025.
20 Contract liabilities – deferred revenue
Deferred revenue represents advanced consideration received from customers, for which revenue is recognised over time. Deferred revenue is
analysed as follows and is considered a contract liability:
Current
25.7
50.7
Non-current
2.2
2.8
27.9
53.5
Revenue recognised in the year ended 30 September 2025 that was included in the contract liability at 30 September 2024 amounted to £50.7m
(2024: £54.9m). The non-current element as at 30 September 2024 is expected to unwind in the year ending 30 September 2026.
Contract liabilities primarily relate to advanced consideration received from customers, for which revenue is recognised over time in line with the
respective performance obligation. See Note 3 for information regarding the remaining performance obligations as of 30 September 2025.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 141

21 Contract assets
The following table provides information about receivables and contract assets from contracts with customers.
Receivables, which are included in trade and other receivables
14
14.1
17. 3
Contract assets – accrued income
19.4
2 0.1
Contract costs – costs to fulfil
14
3.5
—
Contract costs – costs to obtain
14
3.5
1.2
The Group has recognised £19.4m of contract assets (2024: £20.1m). All contract assets for the current year and the comparative period are
presented within current assets.
The ageing of contract assets at the end of the reporting year was:
Not past due
20.1
(0.7)
19.4
21.1
(1.0)
20.1
Total
20.1
(0.7)
19.4
21.1
(1.0)
20.1
The movement in the expected credit losses of contract assets (being the credit losses recognised on financial assets, specifically contract assets)
is as follows:
Balance at 1 June 2023
(0.2)
Charged to the Income Statement
(0.8)
Balance at 30 September 2024
(1.0)
Provision utilised during the year
0.3
Balance at 30 September 2025
(0.7)
Accrued income of £19.4m (2024: £20.1m) is the Group’s rights to consideration for work completed but not billed at the reporting date. The contract
assets accrued in the prior year of £20.1m were fully recognised as trade receivables during the year ended 30 September 2025. Therefore, the
balances as at 30 September 2025 were fully accrued during the year and will be transferred to receivables when the rights become unconditional.
Expected credit losses of £0.7m (2024: £1.0m) have been recognised in respect of contract assets.
The contract assets are transferred to receivables when the rights become unconditional. This usually occurs when the Group issues an invoice
to the customer. Invoices usually become payable within 30 days. The contract costs to obtain of £3.5m (2024: £1.2m) represent incremental sales
commissions to obtain specific contracts and are amortised over the length of the contract.
Contract costs comprise (i) incremental costs of obtaining contracts of £3.5m (2024: £1.2m), which are expected to be recovered through
future revenue, and (ii) costs to fulfil contracts of £3.5m (2024: £nil), which relate directly to future performance obligations and are expected to
be recovered.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025142
Notes to the Financial Statements continued
for the year ended 30 September 2025

22 Cash and cash equivalents and borrowings
Cash and cash equivalents
Cash and cash equivalents comprise:
Cash and cash equivalents
12.5
29.8
—
9.8
Bank overdraft
—
(13.6)
—
—
Total cash at bank and in hand
12.5
16.2
—
9.8
Borrowings are analysed as follows:
Revolving credit facility
2029
3.3
61.5
—
—
Total borrowings
3.3
61.5
—
—
The maturity profile is as follows:
Two to five years
3.3
61.5
—
—
The RCF is drawn in short to medium-term tranches of debt that are repayable within 12 months of drawdown. These tranches can be rolled over,
provided certain conditions are met, including compliance with all loan terms. As at the year end, the Group has assessed its compliance with these
conditions and considers it highly likely that it will continue to meet all requirements and be able to exercise its right to roll over the debt. The Directors
believe the Group has both the ability and intent to roll over the drawn RCF amounts when due and, accordingly, have presented the RCF as a
non-current liability in line with applicable IFRIC guidance.
In April 2025, the Group entered into a four year £120m multi-currency revolving credit facility replacing the previous £162.5m multi-currency
revolving credit facility. Key terms of the facility are:
•
A £120m multi-currency revolving credit facility maturing in April 2029.
•
An additional £50m uncommitted accordion option, subject to bank approval.
•
In line with the previous facility, a net leverage covenant of 3.0x with an additional acquisition spike to 3.5x for up to 12 months of the date
of any acquisition.
•
The bank margin is payable on a ratchet mechanism, with a margin payable above SONIA and SOFR in the range of 1.35% to 2.35%
(previously 1.00% to 2.25%) depending on the level of the Group’s leverage. The weighted average interest rate is 6.16% for the year ended
30 September 2025 (2024: 6.21%).
•
At the date of refinancing, unamortised arrangement fees relating to the previous RCF remained outstanding as the facility was refinanced before
the end of its original term. The refinancing did not result in a substantial modification under IFRS 9. Accordingly, arrangement fees from the previous
refinancing in December 2022 have been carried forward and are being amortised over the life of the new RCF term (four years to April 2029),
together with new arrangement fees of £1.1m incurred directly with the lenders on refinancing.
•
Certain subsidiaries of the Group act as guarantors to the new facility to provide coverage based on aggregate Adjusted EBITDA
1
and gross assets.
As at 30 September 2025, the Group had committed bank facilities of £120m (2024: £162.5m), of which £5.2m (2024: £62.4m) had been drawn,
leaving £114.8m (2024: £100.1m) of undrawn facilities. Unamortised arrangement fees of £1.9m (2024: £0.9m) have been offset against the
amounts drawn down, resulting in a carrying value of borrowings at 30 September 2025 of £3.3m (2024: £61.5m). The fair value of borrowings is
not materially different to its amortised cost.
1 Adjusted EBITDA is an Alternative Performance Measure (APM) and not an IFRS measure. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to
statutory information.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 143

23 Financial instruments
Loans and borrowings
Revolving credit facility
(3.3)
(61.5)
—
—
Total loans and borrowings (excluding lease liabilities)
(3.3)
(61.5)
—
—
Cash
12.5
29.8
—
9.8
Bank overdraft
—
(13.6)
—
—
Net cash/(debt) (excluding lease liabilities)
1
9.2
(45.3)
—
9.8
Lease liabilities
(15.4)
(21.9)
—
—
Lease liabilities
(4.1)
(5.7)
—
—
Net (debt)/cash
1
(10.3)
(72.9)
—
9.8
Lease liabilities of £3.0m classified as held for sale in Note 16 have been excluded from the net debt calculation.
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an
explanation of APMs and adjusting items, including a reconciliation to statutory information.
Reconciliation of movements in liabilities to cash flows arising from financing activities
Drawdown on facility
21.1
57.8
Repayment of facility
(80.3)
(75.0)
Release of deferred arrangement fees
0.2
0.6
Foreign exchange movement
0.8
(3.8)
Movement in borrowings
(58.2)
(20.4)
New leases entered into
4.5
8.9
Disposals
(2.8)
(0.7)
Principal element of lease payments
(6.8)
(10.2)
Lease liabilities held for sale (see Note 16)
(3.0)
(0.4)
Movement in lease liabilities
(8.1)
(2.4)
Financial risk management
The Group has exposure to the following risks from its use of financial instruments:
•
Credit risk
•
Liquidity risk
•
Currency risk
•
Interest rate risk
The Board has overall responsibility for establishing appropriate management of exposure to risk. The Audit Committee oversees how management
identifies and addresses risks to the Group.
Capital management
The Board’s policy is to maintain a strong capital base so as to maintain investor, creditor and market confidence and to sustain future development
of the business.
The Group monitors capital on the basis of the gearing ratio. This ratio is calculated as net cash/(debt)
2
divided by total capital. Net cash/(debt)
1
is
calculated as total borrowings as shown in the Consolidated Balance Sheet, less cash and cash equivalents. Total capital is calculated as equity, as
shown in the Consolidated Balance Sheet, plus net debt
1
. As at 30 September 2025 the Group’s gearing ratio was nil (2024: 17.8%).
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an
explanation of APMs and adjusting items, including a reconciliation to statutory information.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025144
Notes to the Financial Statements continued
for the year ended 30 September 2025

23 Financial instruments continued
Financial instruments policy
All instruments utilised by the Company and Group are for financing purposes. The financial management and treasury activities of the Group are
controlled centrally for all operations with local finance teams responsible for day-to-day banking activities.
Fair value of financial instruments
As at 30 September 2025, the Group and Company had no other financial instruments other than those disclosed below. In addition, no embedded
derivatives have been identified. There have been no transfers between levels in the year.
The following table presents the Group’s financial assets and liabilities that are measured at fair value by level of fair value hierarchy:
•
Quoted prices (unadjusted) in active markets for identical assets or liabilities (level 1)
•
Inputs other than quoted prices included within level 1 that are observable for the asset or liability, either directly (that is, as prices) or indirectly
(that is, derived from prices) (level 2)
•
Inputs for the asset or liability that are not based on observable market data (unobservable inputs) (level 3)
Borrowings are held at amortised cost, which is considered to equate to fair value. All other assets and liabilities are held at either fair value or their
carrying value, which approximates to fair value.
Financial liabilities at fair value through profit or loss
—
—
—
—
0.8
—
Financial assets at fair value through profit or loss
—
0.9
—
—
—
—
Total financial asset/liabilities
—
0.9
—
—
0.8
—
At 30 September 2025, the Group holds derivatives (financial assets) with a mark to market valuation of £0.9m (2024 financial liabilities: £0.8m) to
mitigate currency risk, as described in Note 23.
Credit risk
Credit risk is the risk of financial loss to the Group if a customer or counterparty to a financial instrument fails to meet its contractual obligations and
arises principally from the Group’s receivables from customers. The Group’s exposure to credit risk is influenced mainly by the individual
characteristics of each customer.
Exposure to credit risk
The carrying value of financial assets represents the maximum credit exposure. The maximum exposure to credit risk at the reporting date was:
Trade receivables
14.1
17.3
—
—
Other receivables
1.0
1.1
—
—
Amounts owed by Group undertakings
—
—
34.2
43.1
Contract assets
19.4
20.1
—
—
Cash and cash equivalents
12.5
29.8
—
9.8
Total
47.0
68.3
34.2
52.9
The maximum exposure to credit risk for trade receivables and other receivables at the reporting date by geographic region was:
UK
6.8
8.0
—
—
APAC
0.7
1.1
—
—
North America
5.1
4.9
—
—
Europe
2.5
4.4
—
—
Total
15.1
18.4
—
—
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 145

23 Financial instruments continued
Exposure to credit risk continued
The maximum exposure to credit risk for trade and other receivables at the reporting date by business segment was:
Cyber Security
14.8
15.7
—
—
Escode
—
2.5
—
—
Central and head office
0.3
0.2
—
—
Total
15.1
18.4
—
—
The trade receivables of the Group typically comprise many amounts due from a large number of customers and represent a spread of industry
sectors. The largest amount due from a single customer at the reporting date represented 3.0% (2024: 2.5%) of total Group receivables. All of the
Group’s cash is held with financial institutions of high credit rating.
The provisions in respect of trade receivables are used to record expected credit losses. The Group has dedicated credit control teams, which
regularly review customer debt balances to assess the risk of recovery.
Liquidity risk
Liquidity risk is the risk that the Group will not be able to meet its financial obligations as they fall due. The Group manages and minimises liquidity
risk by using global cash management solutions and actively monitoring both actual and projected cash outflows to ensure that it will have sufficient
liquidity to meet its liabilities when due and have headroom to provide against unforeseen obligations.
Longer term, the Group has assessed its liquidity forecast as part of the viability assessment and its ability to continue trading as a going concern.
For further detail on the Group’s assessment of liquidity risk refer to the Viability Statement on pages 38 and 39.
The following are the undiscounted contractual maturities of financial liabilities, including interest payments, of the Group:
Borrowings
(3.3)
(6.1)
(0.3)
(0.3)
(5.5)
—
Lease liabilities
(19.5)
(16.7)
(3.3)
(3.7)
(5.7)
(4.0)
Trade and other payables
(43.1)
(43.1)
(43.1)
—
—
—
Borrowings
(61.5)
(73.9)
(3.8)
(3.8)
(66.3)
—
Bank overdraft
(13.6)
(13.6)
(13.6)
—
—
—
Lease liabilities
(27.6)
(32.5)
(8.0)
(6.6)
(13.6)
(4.3)
Trade and other payables
(46.8)
(46.8)
(46.8)
—
—
—
The contractual cash flows for borrowings disclosed above relate to the Group’s RCF for the year ended 30 September 2025, which expires in
April 2029, and in the prior year includes the Term Loan Facility Agreement that was due to expire in December 2026. The contractual cash flows
include an estimate of the interest payable based on the assumption that the borrowings remain drawn based upon 30 September 2025 levels,
except that the term loan which existed at 30 September 2024 is repayable over its term. Interest is calculated based on SONIA/SOFR plus a
margin based on the current leverage ratio.
Currency risk
The Group is exposed to currency risk on sales, purchases, cash and borrowings that are denominated in a currency other than the respective
functional and presentational currency of the Group. The Group’s management reviews the size and probable timing of settlement of all financial
assets and liabilities denominated in foreign currencies. The Group’s exposure to currency risk is as follows:
Trade receivables
8.4
2.9
1.9
0.9
14.1
7. 6
2.0
7.4
0.3
17. 3
Other receivables
1.0
—
—
—
1.0
1.1
—
—
—
1.1
Contract assets
7.8
3.8
6.1
1.7
19.4
7.9
3.4
6.5
2.3
20.1
Cash and cash equivalents
2.7
3.5
4.3
2.0
12.5
18.0
4.1
4.5
3.2
29.8
Bank overdraft
—
—
—
—
—
(11.9)
—
(1.7)
—
(13.6)
Borrowings
1.9
—
(5.2)
—
(3.3)
(19.0)
—
(42.5)
—
(61.5)
Lease liabilities
(9.7)
(3.8)
(3.0)
(3.0)
(19.5)
(16.0)
(3.2)
(4.9)
(3.5)
(27. 6)
Trade and other payables
(28.7)
(5.6)
(6.2)
(2.6)
(43.1)
(32.7)
(3.9)
(7.6)
(2.6)
(46.8)
Total
(16.6)
0.8
(2.1)
(1.0)
(18.9)
(45.0)
2.4
(38.3)
(0.3)
(81.2)
NCC Group plc — Annual report and accounts for the year ended 30 September 2025146
Notes to the Financial Statements continued
for the year ended 30 September 2025

23 Financial instruments continued
Currency risk continued
The £1.9m of borrowings denominated in sterling relates to unamortised arrangement fees.
A 10% change in each of the respective exchange rates utilised during the year would impact revenue by £17.0m (2024: £23.6m) and borrowings
by £0.5m (2024: £4.3m), either increasing or decreasing each by the stated amounts.
The Group’s risk management policy is to hedge foreign currency exposure in respect of significant material transactions that may arise from time to
time. No material hedges were in place at 30 September 2025 or at 30 September 2024. In order to manage shorter-term currency risk, the Group
enters into short-term derivative arrangements.
The Group designates the spot element of forward foreign exchange contracts to hedge its currency risk and applies a hedge ratio of 1:1. The
forward elements of forward exchange contracts are excluded from the designation of the hedging instrument and are separately accounted for as
a cost of hedging, which is recognised in equity in a cost of hedging reserve. The Group’s policy is for the critical terms of the forward exchange
contracts to align with the hedged item.
The Group determines the existence of an economic relationship between the hedging instrument and hedged item based on the currency, amount
and timing of their respective cash flows. Given the short-term nature of these hedges there is limited risk of ineffectiveness.
Interest rate risk
The Group and Company finance their operations through a combination of retained profits and bank borrowings. The Group borrows and invests
surplus cash at floating rates of interest based upon bank base rate. The cash and cash equivalents of the Group and Company at the end of the
financial year were as follows:
Sterling denominated financial assets
2.7
18.0
Euro denominated financial assets
3.5
4.1
US Dollar denominated financial assets
4.3
4.5
Other denominated financial assets
2.0
3.2
Total
12.5
29.8
The financial assets and liabilities of the Company at the end of the financial year were as follows:
Sterling denominated financial assets
—
9.8
Amounts owed by Group undertakings
34.2
43.1
Total
34.2
52.9
Sterling denominated financial liabilities
—
9.8
Amounts owed to Group undertakings
—
0.1
Total
—
9.9
A change of 100 basis points in interest rates would result in a difference in annual pre-tax profit of £nil (2024: £0.6m).
The financial liabilities of the Group (trade and other payables, borrowings and lease liabilities) and their maturity profile are as follows:
Less than one year
(30.4)
(6.3)
(7.3)
(3.2)
(47. 2)
(34.9)
(5.0)
(9.1)
(3.4)
(52.4)
Two to five years
(3.2)
(1.8)
(7.1)
(2.2)
(14.3)
(28.6)
(2.1)
(46.0)
(2.8)
(79.5)
More than five years
(3.0)
(1.3)
—
(0.1)
(4.4)
(4.0)
—
—
—
(4.0)
Total
(36.6)
(9.4)
(14.4)
(5.5)
(65.9)
(67. 5)
( 7.1)
(5 5.1)
(6.2)
(135.9)
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 147

24 Share-based payments
The Company has a number of share option schemes under which options to subscribe for the Company’s shares have been granted to Directors
and colleagues, details of which are illustrated in the tables below. Expected term of options represents the period over which the fair value
calculations are based. The share-based payment charge for the year was £2.1m (2024: £2.3m), of which £2.1m (2024: £2.3m) related to equity
settled payments and £nil (2024: £nil) to cash settled payments.
Company Share Option (CSOP) scheme – equity settled
Under the CSOP scheme, options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum.
Options granted in September 2019 do not have any performance criteria.
August 2018
7 years
August 2021–August 2028
£2.20
—
September 2019
7 years
September 2022–September 2029
£1.79
10 6,136
Sharesave schemes – equity settled
The Company operates Sharesave schemes, which are available to all colleagues based in the UK, the Netherlands, Denmark, the Philippines,
Spain and Australia, and full-time Executive Directors of the Group and its subsidiaries who have worked for a qualifying period.
May 2021
3 years
May 2024–October 2024
£2.15
—
May 2021
3 years
May 2024–October 2024
£2.15
—
May 2022
3 years
May 2025–October 2025
£1.52
98,445
May 2022
3 years
May 2025–October 2025
£1.52
227, 28 8
May 2023
3 years
June 2026–November 2026
£1.26
99,093
May 2023
3 years
June 2026–November 2026
£1.26
273,269
May 2024
3 years
June 2027–November 2027
£0.99
264,400
May 2024
3 years
June 2027–November 2027
£0.99
1,306,128
July 2025
3 years
August 2028–January 2029
£1.14
168,854
July 2025
3 years
August 2028–January 2029
£1.14
623,723
Colleague stock (ESPP) purchase plan – equity settled
The Company operates a stock purchase plan, which is available to all North American-based colleagues who have worked for a qualifying period.
All options are to be settled by equity. Under the scheme the following options have been granted and are outstanding at the year end.
options
Exercisable in
May 2024
1 year
May 2025
£1.09
—
July 2025
1 year
July 2026
£1.23
61,478
Incentive Stock Option (ISO) scheme – equity settled
Under the ISO scheme, options granted will be subject to performance criteria. Options will vest if the average EPS growth for the three years
following their grant is greater than 10% per annum. Options granted in September 2019 do not have any performance criteria.
September 2019
7 years
September 2022–September 2029
£1.82
16,482
Long Term Incentive Plan (LTIP) schemes – equity settled
Options granted between November 2017 and May 2021 have three separate vesting conditions as set out below:
•
60% will vest based on achieving an average increase in Group EPS of 20% or more over a three year period. If growth is equal to an average of
9% (threshold), then 12% of the award will vest. If, however, growth is less than 9%, none of the award element will vest. Between these two
points, vesting is determined on a straight-line basis.
•
30% will vest based on achieving a cash conversion ratio
1
expressed as a percentage over the measurement period of greater than 70% per annum
on average. If cash conversion
1
is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion
is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
•
10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If
the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR
is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a
straight-line basis.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025148
Notes to the Financial Statements continued
for the year ended 30 September 2025

24 Share-based payments continued
Long Term Incentive Plan (LTIP) schemes – equity settled continued
Options granted in November 2021 have three separate vesting conditions as set out below:
•
60% will vest based on achieving an average increase in Group EPS of 22.5% or more over a three year period. If growth is equal to an average
of 9% (threshold), then 15% of the award will vest. If, however, growth is less than 9% per annum, none of the award element will vest. Between
these two points, vesting is determined on a straight-line basis.
•
30% will vest based on achieving a cash conversion ratio
1
expressed as a percentage over the measurement period of greater than 70% per annum
on average. If cash conversion
1
is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is
less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
•
10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If
the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR
is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a
straight-line basis.
Options granted between October 2022 and November 2022 have three separate vesting conditions as set out below:
•
60% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of
6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between
these two points, vesting is determined on a straight-line basis.
•
20% will vest based on achieving a cash conversion ratio
1
expressed as a percentage over the measurement period of greater than 80% per annum
on average. If cash conversion
1
is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is
less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
•
20% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If
the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR
is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a
straight-line basis.
Options granted between October 2023 and February 2024 have three separate vesting conditions as set out below:
•
40% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of
6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between
these two points, vesting is determined on a straight-line basis.
•
20% will vest based on achieving a cash conversion ratio
1
expressed as a percentage over the measurement period of greater than 80% per annum
on average. If cash conversion
1
is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is
less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
•
40% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If
the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR
is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a
straight-line basis.
Options granted during or after June 2024 have three separate vesting conditions as set out below:
•
30% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of
6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between
these two points, vesting is determined on a straight-line basis.
•
20% will vest based on achieving a cash conversion ratio
1
expressed as a percentage over the measurement period of greater than 80% per annum
on average. If cash conversion
1
is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is
less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
•
50% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If
the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR
is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a
straight-line basis.
March 2020
3 years
June 2022–August 2024
£nil
—
May 2021
3 years
June 2023–August 2025
£nil
—
November 2021
3 years
June 2024–November 2031
£nil
—
October 2022
3 years
October 2025–October 2032
£nil
677,916
November 2022
3 years
November 2025–November 2032
£nil
—
October 2023
3 years
October 2026–October 2033
£nil
1,606,795
February 2024
3 years
February 2027–February 2034
£nil
65,412
June 2024
3 years
October 2027–June 2034
£nil
2,839,374
January 2025
3 years
January 2028–January 2035
£nil
78,185
1 Cash conversion is an Alternative Performance Measure (APM) and not an IFRS measure. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to
statutory information.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 149

24 Share-based payments continued
Restricted Share Plan (RSP) – equity settled
The vesting condition for the award of RSPs relates to colleagues remaining with the Group for a certain period of time, namely two years to receive
50% of the award, and a further year to receive the remaining 50%. There are no other performance conditions.
May 2021
2/3 years
50% exercisable August 2022 to August 2031,
November 2021
2/3 years
50% exercisable October 2023 to August 2032,
October 2022
2/3 years
50% exercisable October 2024 to October 2032,
November 2022
2/3 years
50% exercisable November 2024 to November 2032,
October 2023
2/3 years
50% exercisable September 2025 to September 2033,
February 2024
2/3 years
50% exercisable February 2026 to February 2034,
January 2025
2/3 years
50% exercisable January 2027 to February 2035,
July 2025
2/3 years
50% exercisable July 2027 to July 2035,
Deferred share scheme – equity settled
At least 35% of any cash bonus payment is normally deferred into shares or nominal cost share options which vest after a two year period. Dividend
equivalents are paid on vesting share options. From January 2025, 35% of any bonus payment earned in excess of £50,000 (the first £50,000 of any
bonus will be paid in cash before any bonus deferral) is normally deferred into shares or nominal cost share options which vest after a two year period.
of options
Exercisable in
October 2022
2 years
October 2024
£nil
—
October 2023
2 years
October 2025
£nil
12,207
August 2024
2 years
August 2026
£nil
174,434
December 2024
2 years
December 2026
£nil
92,559
Phantom schemes – cash settled
Phantom schemes are used to allow the grant of LTIPs or RSPs to members of the Executive Committee or other senior colleagues based in certain
overseas locations at a time when the Group’s option scheme rules are not structured to allow overseas grants. Options granted on or after
September 2019 do not have any performance criteria.
July 2021
3 years
August 2022–July 2031
£nil
—
November 2021
3 years
October 2023–November 2031
£nil
—
January 2025
3 years
February 2026–November 2035
£nil
9,776
Measurement of fair values
The fair value of services received in return for share options is calculated with reference to the fair value of the award on the date of grant. The fair
value is spread over the period during which the colleague becomes unconditionally entitled to the award, adjusted to reflect actual and expected
levels of vesting.
The assumptions used in the models are illustrated in the tables below:
Scheme
Grant date
CSOP scheme
August 2018–September 2019
7 years
0.35%–2.00%
Sharesave scheme
May 2021–July 2025
3 years
0.13%–5.53%
ESPP scheme
May 2024–July 2025
1 year
4.63%–5.53%
ISO scheme
September 2019
7 years
0.38%
LTIP scheme
March 2020–January 2025
3 years
0.21%
RSP scheme
May 2021–July 2025
10 years
N/A
Deferred shares
October 2022–December 2024
2 years
N/A
Phantom schemes
July 2021–January 2025
3 years
5.53%
NCC Group plc — Annual report and accounts for the year ended 30 September 2025150
Notes to the Financial Statements continued
for the year ended 30 September 2025

24 Share-based payments continued
Measurement of fair values continued
Scheme
Grant date
CSOP scheme
August 2018–September 2019
£0.55–£0.63
£0.55
£1.79 – £2.09
£1.79
N/A
Sharesave scheme
May 2021–July 2025
£0.39–£0.86
£0.51
£0.9 9 – £2.15
£1.12
£0.52
ESPP scheme
May 2024–July 2025
£0.34–£0.37
£0.34
£1.09–£1.23
£1.23
£0.34
ISO scheme
September 2019
£0.54
£0.54
£1.82
£1.82
N/A
LTIP scheme
March 2020–January 2025
£0.90–£2.31
£1.30
£nil
£nil
£1.30
RSP scheme
May 2021–July 2025
£0.90–£2.85
£1.22
£nil
£nil
£1.29
Deferred shares
October 2022–December 2024
£1.11– £1.55
£1.46
£nil
£nil
£1.34
Phantom schemes
July 2021–January 2025
£1.36 –£2.87
£1.36
£nil
£nil
£1.36
LTIP schemes that include market conditions have been valued using a Monte Carlo simulation. All other schemes without market conditions have
been valued using the Black-Scholes model.
The expected volatility has been based on an evaluation of the historical volatility of the Company’s share price, particularly over the historical period
commensurate with the expected term. The expected term of the instruments has been based on historical experience and general option holder
behaviour. For the options granted in the year ended 30 September 2025, dividend yield assumed at the time of option grant is 3.62% (2024: 4.52%).
Reconciliation of outstanding share options
The options outstanding at 30 September 2025 have an exercise price in the range of £nil to £2.15 (2024: £nil to £2.15) and a weighted average
contractual life of seven years (2024: seven years).
The following table illustrates the number and weighted average exercise prices (WAEP) of, and movements in, outstanding share awards during the year:
Outstanding at beginning of year/period
13,562
£0.33
11, 2 20
£0.61
Granted during the year/period
2,997
£0.34
10,474
£0.23
Exercised during the year/period
(1,156)
£0.28
(2,049)
£0.23
Forfeited in the year/period
(3,371)
£0.44
(6,083)
£0.70
Outstanding at end of year/period
12,032
£0.31
13,562
£0.33
Exercisable at end of year/period
1,356
£0.53
1,690
£0.48
Number of
instruments
as at
30 September
in the year 2025
CSOP schemes
161,998
—
—
(55,862)
106,136
Sharesave/SAYE schemes
3,142,015
824,011
(75,537)
(829,289)
3,061,200
ESPP schemes
360,960
70,413
(204,492)
(165,403)
61,478
ISO schemes
21,976
—
—
(5,494)
16,482
LTIP schemes
7,011, 251
78,185
(158,772)
(1,662,982)
5,267,682
RSP scheme
2,675,796
1,922,037
(715,543)
(651,838)
3,230,452
Deferred shares
186,641
92,559
—
—
279,200
Phantom schemes
1,500
9,776
(1,500)
—
9,776
13,562,137
2,996,981
(1,155,844)
(3,370,868)
12,032,406
The liability for cash settled share-based payments at 30 September 2025 was £nil (2024: £nil).
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 151

25 Called up share capital and reserves
Ordinary shares of 1p each at the beginning of the year/period
314,524,630
312,128,892
3.1
3.1
Ordinary shares of 1p each issued in the year/period
481,449
2,395,738
—
—
Ordinary shares of 1p each at the end of the year/period
315,006,079
314,524,630
3.1
3.1
During the year, 481,449 (2024: 2,395,738) new ordinary shares of 1p were issued as a result of the exercise of share options. The proceeds of
£0.3m (2024: £0.3m) were credited to the share premium account.
As at 30 September 2025, 8,485,195 shares were held in treasury (2024: 5,158,090).
Share premium
The share premium account records the difference between the nominal amount of shares issued and the fair value of the consideration received.
The share premium account may be used for certain purposes specified by UK law, including to write off expenses incurred on any issue of shares
and to pay fully paid bonus shares. The share premium account is not distributable but may be reduced by special resolution of the Company’s
ordinary shareholders and with court approval.
Merger reserve
The merger reserve arose in 2015 from the acquisition of Accumuli plc through a share-for-share exchange in part consideration for the business.
Currency translation reserve
The results of overseas operations are translated at the average foreign exchange rates for the year, and their balance sheets are translated at the
rates prevailing at the Balance Sheet date. Exchange differences arising on the translation of opening net assets and results of overseas operations
are recognised in the currency translation reserve. All other exchange differences are included in the Income Statement.
On disposal of a foreign operation, the cumulative amount of exchange differences previously recognised in other comprehensive income and
accumulated in equity is reclassified to the Income Statement. See Note 31 for further details.
Retained earnings
Retained earnings for the Group are made up of accumulated reserves.
For the Company, retained earnings are made up of accumulated reserves.
26 Other financial commitments
At the end of the reporting year, the Group had no other financial commitments (2024: £nil).
27 Contingencies
There are no contingent liabilities not provided for at the end of the financial year (2024: £nil). Similarly, there are no contingent assets (2024: £nil).
The Company and its subsidiaries are party to cross guarantees securing certain bank loans. At 30 September 2025, there was no material impact
that could arise for the Company from these cross guarantees.
28 Pension scheme
The Group operates a defined contribution pension scheme that is open to all eligible colleagues. The pension cost charge for the year represents
contributions payable by the Group to the fund and amounted to £7.4m (2024: £8.0m).
For the Company, the pension cost charge for the year represents contributions payable by the Company to the fund and amounted to £nil (2024: £nil).
29 Related party transactions
Management has defined related party transactions as those involving key management personnel only.
Key management personnel have been assessed to be the Group’s Board of Directors. During the year ended 30 September 2025 there were
seven (2024: nine) key management personnel. Disclosures relating to remuneration of Directors are set out in the Remuneration Report on
pages 81 to 93. The remuneration of the key management personnel is set out below:
Salary costs (including bonus)
2.2
2.7
—
—
Social security costs
0.3
0.4
—
—
Share-based payments
—
0.3
—
—
Total
2.5
3.4
—
—
There were no other related party transactions identified during the year. The amount of gains made by Directors on the exercise of share options is
disclosed in the Remuneration Report on page 87.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025152
Notes to the Financial Statements continued
for the year ended 30 September 2025

30 Investments in subsidiary undertakings
At 1 June 2023
279.1
Increase in subsidiary investment for share-based charges
2.3
Increase in subsidiary investment for below market value loan arrangement
9.7
At 30 September 2024
291.1
Increase in subsidiary investment for share-based charges
2.1
At 30 September 2025
293.2
In accordance with IAS 36 ‘Impairment of Assets’, management annually reviews the carrying value of investments to ensure that it does not exceed
the recoverable amount. The investment in subsidiary undertakings is held against the Company’s direct subsidiary NCC Group Holdings Limited.
In performing this assessment, management considered external market factors, such as the Group’s market capitalisation, and internal factors,
such as the results of the Group’s annual goodwill impairment review. As of the reporting date, no indicators of impairment were noted.
The increase in subsidiary investment for share-based charges represents IFRS 2 ‘Share-based Payment’ charges in respect of subsidiaries which
will not be recharged.
Fixed asset investments are recognised at cost.
The undertakings in which the Company has a 100% interest at 30 September 2025 are as follows:
Subsidiary undertakings
Country of incorporation
Principal activity
Registered office
NCC Group Holdings Limited
England and Wales
Holding company
XYZ Building, 2 Hardman Boulevard,
M3 3AQ (XYZ
1
)
NCC Group (Solutions) Limited
England and Wales
Holding company
XYZ
1
NCC Group Corporate Limited
England and Wales
Corporate cost centre
XYZ
1
NCC Group Finance Limited
England and Wales
Financing company
XYZ
1
The National Computing Centre Limited
England and Wales
Dormant
XYZ
1
NCC Group Software Resilience Limited
England and Wales
Holding company
XYZ
1
NCC Group Software Resilience (UK) Limited
England and Wales
Holding company
XYZ
1
NCC Services Limited
England and Wales
Escode
XYZ
1
NCC Group Escrow Limited
England and Wales
Dormant
XYZ
1
NCC Group Software Resilience (Europe) B.V.
Netherlands
Holding company
Barbara Strozzilaan 201, 1083HN
NCC Group GmbH
Germany
Escode
c/o Deloitte Legal
NCC Group Deutschland GmbH
Germany
Cyber Security
Leopoldstrasse Business Centre GmbH,
NCC Group Escrow Europe B.V.
Netherlands
Escode
Barbara Strozzilaan 201, 1083HN
NCC Group Escrow Europe (Switzerland) AG
Switzerland
Escode
Ibelweg 18A, 6300 Zug, Switzerland
NCC Group Software Resilience (MEA-APAC) Limited
England and Wales
Holding company
XYZ
1
NCC Group FZ-LLC
United Arab Emirates
Escode
F01-004, Building 5, Dubai, Media City,
NCC Group Cyber Security Limited
England and Wales
Holding company
XYZ
1
NCC Group Cyber Security (UK) Limited
England and Wales
Holding company
XYZ
1
NCC Group Security Services Limited
England and Wales
Cyber Security
XYZ
1
NCC Group Audit Limited
England and Wales
Cyber Security
XYZ
1
ArmstrongAdams Limited
England and Wales
Cyber Security
XYZ
1
NCC Group Signify Solutions Limited
England and Wales
Cyber Security
XYZ
1
NCC Group Accumuli Security Limited
England and Wales
Cyber Security
XYZ
1
NCC Group Cyber Security (Europe) B.V.
Netherlands
Holding company
Olof Palmestraat 6, 2616 LM Delft,
Netherlands (Fox-IT
3
)
NCC Group A/S
Denmark
Cyber Security
Lautruphøj 1, 2750 Ballerup, Denmark
NCC Group Cyber Portuguesa, Unipessoal, LDA
Portugal
Cyber Security
Av. António Augusto de Aguiar nº 19 –
NCC Group Security Services Espana SLU
Spain
Cyber Security
Plaza Manuel Gómez Moreno, número 2,
B,
2802
0, Madrid, Spain
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 153

The undertakings in which the Company holds less than a 100% interest at the year end are as follows:
Undertaking
% interest
Country of incorporation
Principal activity
Deposit AB
24%
Sweden
Escode
The Directors consider the above ownership structure to give rise to no significant influence over the undertaking. There is no Board
representation, and the Group has no power to participate in the operating and financial policy decisions of the undertaking. Accordingly, the
undertaking of Deposit AB has not been consolidated.
1 2 Hardman Boulevard, Spinningfields, Manchester, England M3 3AQ.
2 11 East Adams Street, Suite 400, Chicago, IL 60603, USA.
3 Olof Palmestraat 6, 2616 LM Delft, Netherlands.
Disposal of Group undertakings
During the prior period, the Group disposed of its 3.35% shareholding in an unlisted company. The shares were sold for a total consideration of
£0.4m. A gain of £0.1m was recognised within the Income Statement in relation to this disposal. There has been no impact in the current year.
A further potential contingent consideration may be received after two years, subject to specific performance conditions. As this payment is not
considered virtually certain at the reporting date, it has not been recognised in the current year’s Financial Statements. If achieved, the maximum
additional amount receivable would be £0.2m.
30 Investments in subsidiary undertakings continued
Subsidiary undertakings
Country of incorporation
Principal activity
Registered office
Cyber Assurance Sweden AB
Sweden
Cyber Security
c/o Advokatfirman Delphi, P.O. Box
143
2, 111 84 Stockholm
Fox-IT Holding B.V.
Netherlands
Holding company
Olof Palmestraat 6, 2616 LM Delft,
Netherlands (Fox-IT
3
)
Fox-IT Group B.V.
Netherlands
Holding company
Fox-IT
3
Fox-IT B.V.
Netherlands
Cyber Security
Fox-IT
3
NCC Group Cyber Security (APAC) Limited
England and Wales
Holding company
XYZ
1
NCC Group Pte Limited
Singapore
Cyber Security
Unit #10-09 PLUS Building, 20 Cecil
NCC Group Pty Limited
Australia
Cyber Security
Suite 23.01, Level 23, 45 Clarence
Escode Australia Pty Limited
Australia
Software Resilience
Suite 23.01, Level 23, 45 Clarence
NCC Group Japan KK
Japan
Cyber Security
Level 18, Yesibu Garden Place Tower,
NCC Group (Americas) Inc.
USA
Holding company
11 East Adams Street, Suite 400
IL
6
0
603, USA
(North America HQ
2
)
NCC Group, LLC
USA
Escode and central/
North America HQ
2
NCC Group Cyber Security (Americas), LLC
USA
Holding company
North America HQ
2
NCC Group Security Services, Inc.
USA
Cyber Security
North America HQ
2
NCC Group Secure Registrar, Inc.
USA
Domain services
North America HQ
2
NCC Group Domain Services, Inc.
USA
Domain services
North America HQ
2
NCC Group Security Services Corporation
Canada
Cyber Security
Suite
270
0, The Stack, 1133 Melville St,
Payment Software Company, Inc.
USA
Cyber Security
North America HQ
2
Payment Software Company Limited
England and Wales
Cyber Security
XYZ
1
NCC Group Software Resilience (Americas) LLC
USA
Holding company
North America HQ
2
NCC Group Escrow Associates, LLC
USA
Escode
North America HQ
2
NCC Group Software Resilience (NA), LLC
USA
Escode
North America HQ
2
NCC Group Asia, Inc.
Philippines
Cyber Security
37F Seven/NEO, 4th Avenue Bonifacio
1634,
Philippines
NCC Group plc — Annual report and accounts for the year ended 30 September 2025154
Notes to the Financial Statements continued
for the year ended 30 September 2025

31 Disposals
Current year disposal of Fox Crypto business
At 30 September 2024, the assets and liabilities associated with the planned disposal of Fox Crypto were classified as held for sale (for further
details please refer to Note 16).
On 28 March 2025, the Group completed the disposal of its entire 100% interest in Fox Crypto, a foreign operation, for total cash consideration of
£65.6m. Following completion, no interest was retained in the entity, and no contingent consideration was recognised.
The disposal resulted in an overall gain of £9.8m, recognised within Individually Significant Items (see Note 4 for further details).
The assets and liabilities included as part of the disposal were as follows:
Attributable goodwill
(52.1)
Intangible fixed assets
(0.1)
Tangible fixed assets
(1.0)
Right-of-use assets
(0.6)
Inventories
(0.5)
Trade and other receivables
(6.2)
Contract assets
(2.2)
Cash and cash equivalents
(4.2)
Trade and other payables
2.7
Deferred revenue
2.8
Lease liabilities
0.6
Provisions
0.6
Cumulative currency translation adjustment
7.9
Net assets disposed of
(52.3)
Total consideration
65.6
Transaction costs incurred in the year ended 30 September 2025
(2.0)
Gain on disposal – recognised as an Individually Significant Item (Note 4)
11.3
Transaction costs incurred during the 16 month period ended 30 September 2024
(1.5)
Total transaction costs
(3.5)
Overall gain on disposal (Note 4)
9.8
Cash and cash equivalents
65.6
Total consideration
65.6
As part of the disposal, £7.9m of foreign currency translation reserve relating to Fox Crypto was reclassified from equity to the Income Statement
and recognised within the gain on disposal. The net cash inflow on disposal was £61.4m, comprising gross consideration of £65.6m less £4.2m of
cash disposed of on completion.
A gain on disposal of £11.3m has been recognised within ISIs in the year ended 30 September 2025. An additional £1.5m of related transaction
costs were recognised in ISIs in the 16 month period ended 30 September 2024, bringing the total gain on disposal to £9.8m. Overall, total
transaction costs total £3.5m, including the £2.0m incurred in the year ended 30 September 2025.
Since completion of the deal, £0.1m of income has been earned under a six month transactional services agreement (TSA); this brings the overall
gain on disposal recognised in relation to the disposal of Fox Crypto within FY25’s ISIs to £11.4m. Please refer to Note 4.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 155

31 Disposals continued
Prior period disposal of DetACT business
On 30 April 2024, the Group completed the disposal of its DetACT business for a total cash consideration of £8.2m.
The assets and liabilities included as part of the disposal were as follows:
Attributable goodwill
(5.9)
Intangible fixed assets
(1.4)
Trade and other receivables
(1.5)
Trade and other payables
0.1
Deferred revenue
2.8
Deferred tax liability
0.3
Net assets disposed of
(5.6)
Consideration
8.2
Transaction costs
(1.0)
Gain on disposal – recognised as an Individually Significant Item (Note 4)
1.6
Cash and cash equivalents
8.2
Total consideration
8.2
32 Audit exemption
The subsidiary undertakings listed below are exempt from the Companies Act 2006 requirements relating to the audit of their individual accounts by
virtue of section 479A of the Act as this Company has guaranteed the subsidiary company under section 479C of the Act.
Company name
Company registration no.
NCC Group Software Resilience (MEA-APAC) Limited
13295784
ArmstrongAdams Limited
04270584
NCC Group Software Resilience Limited
13247183
NCC Group Software Resilience (UK) Limited
13298310
NCC Group Accumuli Security Limited
03203561
NCC Group Audit Limited
04323323
NCC Group Corporate Limited
13247138
NCC Group Cyber Security limited
13287219
NCC Group Cyber Security (APAC) Limited
13294684
NCC Group Holdings Limited
13325653
NCC Group Signify Solutions Limited
03915262
NCC Group (Solutions) Limited
03742757
Payment Software Company Limited
10059024
NCC Group Finance Limited
13350193
NCC Group Escrow Limited
03081952
The National Computing Centre Limited
04225835
NCC Group Cyber Security (UK) Limited
13294277
The Directors acknowledge their responsibility for complying with the requirements of the Companies Act 2006 with respect to accounting records
and preparation of accounts.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025156
Notes to the Financial Statements continued
for the year ended 30 September 2025

Appendix 1 – Alternative Performance Measures (APMs) and adjusting items
The consolidated Financial Statements include Alternative Performance Measures (APMs) alongside statutory measures. APMs used by the Group
are not defined under IFRS and may not be comparable to similarly titled measures reported by other companies. They are not intended to replace
or be superior to Generally Accepted Accounting Practice (GAAP) measures. All APMs relate to the current year’s results and, where provided,
comparative periods.
This presentation is consistent with how management measures financial performance and reports to the Board. It also forms the basis for financial
measures used in senior management’s compensation schemes and provides supplementary information to help users understand the Group’s
financial performance, position and trends. At all times, the Group aims to ensure that the Annual Report and Accounts gives a fair, balanced and
understandable view of the Group’s performance, cash flows and financial position. IAS 1 ‘Presentation of Financial Statements’ requires the
separate presentation of items that are material in nature or scale in order to allow the user of the Financial Statements to understand underlying
business performance.
We believe these APMs provide readers with important additional information on our business, and this information is relevant for use by investors,
securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can
differ significantly from the APMs and may be assessed differently by the reader we encourage you to consider these figures together with statutory
reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related
APMs may exclude recurring business transactions (e.g. acquisition related costs) that impact financial performance and cash flows.
The Group continues to internally manage its performance at an Adjusted operating profit level (before Individually Significant Items), which
management believes represents the underlying trading of the business. This information is still disclosed as an APM within this Annual Report. This
APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before Individually Significant Items and the tax
effect thereon) to statutory basic EPS. Please see page 54 of the Financial Review section.
The Group has the following APMs/non-statutory measures:
APM
Closest equivalent
IFRS measure
Adjustments to reconcile
to IFRS measure Definition, purpose and considerations made by the Directors
Income Statement measures:
Constant currency
revenue growth
rates
Revenue
growth rates
at actual rates
of currency
exchange
Retranslation of comparative numbers
at current period exchange rates to
provide constant currency
The Group reports certain geographic regions and service
capabilities on a constant currency basis to reflect the underlying
performance considering constant foreign exchange rates year on
year. This involves retranslating comparative numbers at current period
rates for comparability to enable a growth factor to be calculated.
Adjusted operating
profit
Operating profit
or loss
Operating profit or loss before
Individually Significant Items
Represents operating profit before Individually Significant Items.
This measure is to allow the user to understand the Group’s
underlying financial performance as measured by management.
Individually Significant Items are items that are considered unusual
by nature or scale and are of such significance that separate
disclosure is relevant to understanding the Group’s financial
performance and therefore requires separate presentation in the
Financial Statements in order to fairly present the financial
performance of the Group.
Adjusted profit
for the period
Profit or loss for
the period
Profit or loss for the period before
Individually Significant Items and
associated tax effects and adjusted
tax items
Represents profit or loss for the period before Individually
Significant Items and their associated tax effect and adjusted
taxitems.
This measure is to allow the user to calculate the Group’s Adjusted
earnings per share.
Adjusted earnings
before interest, tax,
depreciation and
amortisation
(Adjusted EBITDA)
Operating profit
or loss
Operating profit or loss before ISIs,
depreciation and amortisation, finance
costs and taxation
Represents operating profit before the Group’s one adjusting item
(ISIs), depreciation and amortisation to assist in the understanding
of the Group’s performance.
Adjusted EBITDA is disclosed as this is a measure widely used by
various stakeholders and used by the Group to measure the cash
conversion ratio.
Adjusted basic
EPS
Statutory
basic EPS
Statutory basic EPS before Individually
Significant Items and their associated
tax effect and adjusted tax items
Represents basic EPS before Individually Significant Items and
their associated tax effect and adjusted tax items.
This measure is to allow the user to understand the Group’s
underlying financial performance as measured by management,
reported to the Board and used as a financial measure in senior
management’s compensation schemes.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 157

Balance Sheet measures:
Net cash/debt
excluding lease
liabilities
Total
borrowings
(excluding
lease liabilities)
offset by cash
and cash
equivalents
Represents total borrowings (excluding lease liabilities) offset by
cash and cash equivalents. It is a useful measure of the progress in
generating cash, strengthening of the Group Balance Sheet position,
overall net indebtedness and gearing on a like-for-like basis.
Net cash/debt, when compared to available borrowing facilities, also
gives an indication of available financial resources to fund potential
future business investment decisions and/or potential acquisitions.
Net cash/debt Total
borrowings
(including lease
liabilities) offset
by cash and
cash
equivalents
Represents total borrowings (including lease liabilities) offset by
cash and cash equivalents. It is a useful measure of the progress
in generating cash, strengthening of the Group’s Balance Sheet
position, overall net indebtedness and gearing including
leaseliabilities.
Net cash/debt, when compared to available borrowing facilities, also
gives an indication of available financial resources to fund potential
future business investment decisions and/or potential acquisitions.
Cash flow measures:
Cash conversion
ratio
Ratio % of net
cash flow from
operating
activities before
interest and tax
divided by
operating profit
Ratio % of net cash flow from
operating activities before interest and
tax divided by Adjusted EBITDA
The cash conversion ratio is a measure of how effectively
operating profit is converted into cash and effectively highlights
both non-cash accounting items within operating profit and also
movements in working capital.
It is calculated as net cash flow from operating activities before
interest and taxation (as disclosed on the face of the Cash Flow
Statement) divided by Adjusted EBITDA.
The cash conversion ratio is a measure widely used by various
stakeholders and hence is disclosed to show the quality of cash
generation and also to allow comparison to other similar companies.
Appendix 1 – Alternative Performance Measures (APMs) and adjusting items continued
APM
Closest equivalent
IFRS measure
Adjustments to reconcile
to IFRS measure Definition, purpose and considerations made by the Directors
NCC Group plc — Annual report and accounts for the year ended 30 September 2025158
Notes to the Financial Statements continued
for the year ended 30 September 2025

Glossary of terms – other terms
Other terms Definition and usage
Code Guidance, issued by the Financial Reporting Council in 2016 and updated in 2018, on how companies
should be governed, applicable to UK listed companies including NCC Group plc.
Adjusted Any result described as adjusted excludes the impact of Individually Significant Items, and any tax on
any of these items.
Adjusted profit for the period Adjusted earnings are defined as statutory earnings before Individually Significant Items, net of the tax
effect of these items.
Adjusted operating profit margin
1
Calculated as Adjusted operating profit divided by revenue.
AGM Annual General Meeting of shareholders of the Company held each year to consider ordinary and
special business as provided in the Notice of AGM.
Alternative Performance Measure
(APM)
An Alternative Performance Measure (which is denoted in each case or use thereof by a footnote)
isanon-GAAP performance metric used by management either internally or externally to present
management’s view of the underlying business performance. They are not superior to GAAP-based
measures and are simply an alternative way of looking at performance. See Appendix 1 for further
information over the Group’s APMs.
Board The Board of Directors of the Company (for more information see pages 62 and 63).
Cash conversion ratio
1
Calculated as cash generated from operating activities before interest and taxation divided by Adjusted
EBITDA
1
, expressed as a percentage.
CDO Cyber Defence Operations.
CEO Chief Executive Officer.
CFO Chief Financial Officer.
CISO Chief Information Security Officer.
Company, Group, NCC, we, our or us We use these terms, depending on the context, to refer to either NCC Group plc, the individual
Company, or to NCC Group plc and its subsidiaries collectively.
CPO Chief People Officer.
CTO Chief Technology Officer.
Directors, Executive Directors and
Non-Executive Directors
The Directors/Executive Directors and Non-Executive Directors of the Company whose names are set
out on pages 62 and 63 of this report.
EBIT Earnings before interest and tax.
EBIT margin % EBIT margin % is calculated as follows: Adjusted EBIT divided by revenue.
EBITDA Earnings before interest, tax, depreciation and amortisation. Calculated as operating profit before
Individually Significant Items and adding back depreciation and amortisation charged.
EBITDA margin % EBITDA divided by revenue.
EPS Earnings per share. Profit for the period attributable to equity shareholders of the Parent allocated to
each ordinary share.
FCA Financial Conduct Authority.
Financial year For NCC Group, following the change in year end in the prior period, this is an accounting period
ending on 30 September.
FRC Financial Reporting Council.
Free cash flow Net cash from operating activities less net capital expenditure and acquisition costs.
FRS A UK Financial Reporting Standard as issued by the UK Financial Reporting Council (FRC).
FVLCTS Fair value less costs to sell.
Gross profit Gross profit is revenue less direct costs of sale. It excludes costs considered to be overheads that are
supporting the business as a whole as opposed to a specific revenue item.
Gross margin % (GM %) Calculated as gross profit divided by revenue from continuing activities.
HMRC His Majesty’s Revenue & Customs, the tax collecting authority of the UK.
Additional information
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 159

IAS or IFRS An International Accounting Standard or International Financial Reporting Standard, as issued by the
International Accounting Standards Board (IASB). IFRS is also used as the term to describe
international generally accepted accounting principles as a whole.
Individually Significant Items Items that the Directors consider to be material in nature, scale or frequency of occurrence that need to
be excluded when calculating some non-statutory performance measures in order to allow users of the
Financial Statements to gain a full understanding of the underlying business performance. See Note 4
for further information.
PricewaterhouseCoopers (PwC) The Company’s external auditor, PwC LLP.
LTIP Long Term Incentive Plan established to align the interests of senior and executive management with
those of shareholders. The plan is formally known as the NCC Group Long Term Incentive Plan 2013
(approved by shareholders in 2013).
MD Managing Director.
MDR Managed Detection and Response.
Net debt
1
Total borrowings offset by cash and cash equivalents.
Ordinary shares Voting shares entitling the holder to part ownership of a company.
SAYE/Sharesave Save As You Earn, being a tax efficient scheme to encourage colleague share ownership.
Escode Escode represents our escrow resilience services.
Subsidiary A company or other entity that is controlled by NCC Group.
TSC Technical Security Consulting.
TSR Total shareholder return, which is share price growth plus dividends reinvested (where applicable) over
a specified period of time, divided by the share price at the start of the period.
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an
explanation of APMs and adjusting items, including a reconciliation to statutory information.
Glossary of terms – other terms continued
Other terms Definition and usage
NCC Group plc — Annual report and accounts for the year ended 30 September 2025160

Other information
Directors
Chris Stone – Non-Executive Chair
Mike Maddison – Chief Executive Officer
Guy Ellis – Chief Financial Officer
Julie Chakraverty – Senior Independent Non-Executive
Director
Jennifer Duvalier – Independent Non-Executive Director
Mike Ettling – Independent Non-Executive Director
Lynn Fordham – Independent Non-Executive Director
Company Secretary
Jonathan Williams
Registered Group and Company head office
XYZ Building
2 Hardman Boulevard
Spinningfields
Manchester
England
M3 3AQ
Registered number
04627044
Registered in England and Wales
Joint brokers and corporate finance advisers
Investec Bank plc
30 Gresham Street
London
EC2V 7QP
Peel Hunt LLP
Moor House
120 London Wall
London
EC2Y 5ET
Independent auditor
PricewaterhouseCoopers LLP
1 Hardman Square
Manchester
M3 3EB
Solicitors
DLA Piper UK LLP
1 St Peter’s Square
Manchester
M2 3DE
Registrar
Equiniti
Aspect House
Spencer Road
Lancing
West Sussex
BN99 6DA
Bankers
HSBC UK Bank plc
2nd Floor
4 Hardman Square
Spinningfields
Manchester
M3 3EB
National Westminster Bank plc
1 Hardman Boulevard
Manchester
M3 3AQ
Barclays Bank plc
1 Churchill Place
London
E14 5HP
Santander UK plc
2 Triton Square
Regent’s Place
London
NW1 3AN
Additional information
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 161

Financial calendar
AGM 3 March 2026
Ex-dividend date 12 March 2026
Record date 13 March 2026
2026 half-year end 31 March 2026
Dividend payment date 10 April 2026
2026 interim statement June 2026
2026 year end 30 September 2026
2026 preliminary year end statement December 2026
These dates are provisional and may be subject to change.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025162

Produced by Design Portfolio www.design-portfolio.co.uk
NCC Group plc’s commitment to environmental issues is reflected
in this Annual Report, which has been printed on Amadeus, an FSC
®
certified material.
This document was printed by Pureprint Group using its
environmental print technology, with 99% of dry waste diverted
from landfill, minimising the impact of printing on the environment.
The printer is a CarbonNeutral
®
company. Both the printer and
thepaper mill are registered to ISO 14001.

NCC Group plc Annual report and accounts for the year ended 30 September 2025

NCC Group plc Annual report and accounts for the year ended 30 September 2025