i Table of contents 254

Vodafone 2026 Annual Report

52 Vodafone Group Plc Annual Report 2026

Strategic report

Governance

Financials

Other information

Maintaining Trust continued

Cyber Strategy

security controls, and manage information security certifications. The Strategy and Architecture team define our cyber strategy, aligned to the technology and company strategies. They lead IT and security architecture to deliver secure, resilient and efficient platforms. The Secure by Design, Investments & Supplier team implement security and privacy by design across all products and services. They manage cyber risk in partner markets, acquisitions and divestments, and identify and reduce supplier risk. The Cyber Prevent team build, maintain and operate our global security platforms, driving continuous improvement. The Cyber Defence team gather threat intelligence and perform security testing. They detect events and attacks through 24/7 monitoring and respond to incidents to minimise impact on business and customers. We have cyber teams in each operating company. They are responsible for managing and embedding cyber security locally, including meeting local cyber regulatory and compliance requirements. We augment our internal capabilities with third- party specialist technical expertise, such as digital forensics, red teaming and penetration testing. We use specialist resources to perform testing of our telecommunications networks. We also use qualified external resources to help during the implementation of projects. Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. An example would be our global security operations centre that takes inputs and telemetry from all markets where we operate to provide global visibility. Click to listen to our experts summarise our approach to cyber security at vodafone.com/videos

Secure connectivity & network defence: Secure by design and resilient connectivity for customers across our fixed and mobile networks, fintech platforms, digital channels and all services. Dynamic trust: Identity, access and insider controls that provide access aligned to role, timing and need across people, systems and agents. Real-time threat protection: Visibility through global telemetry and operations enable rapid detection and response. Our people are enabled by responsible AI and automation. Supply chain and ecosystem security: Security by default and embedded simplified security standards across the supplier and partner ecosystem. People, capability & cyber culture: Accountability and training deliver a company-security culture. A globally aligned, highly skilled and technically enabled cyber capability. Cyber resilience: Risk-led readiness to withstand changing threats and minimise impact to customers and services. We continue to review and evolve our strategy. Each year we define and communicate priorities for a three-year period, so all areas of our business are clear on the investment priorities for security. We track progress against these priorities. Operating model We have implemented a globally consistent cyber security operating model that is based on the leading industry security standards published by the US National Institute of Standards and Technology (‘NIST’). The model is designed to reduce risk by constantly identifying threats, protecting, defending and improving our security. The model brings together our local capabilities across Europe and Africa with global resources organised in five functional teams. Our in-house international team has over 900 employees. The Governance, Risk and Control team set policies and standards, oversee and measure our cyber risk across the Group, define and evaluate

Our cyber security strategy and global operating model are designed to deliver our vision and goals, and form part of our wider Company strategy. Cyber security remains a Board level priority. The strategy and operating model are based on an understanding that cyber risk is volatile and attacks will sometimes be successful. Good cyber security requires persistent and continuous effort. Our refreshed cyber strategy builds on our security foundations and strategic initiatives, with an emphasis on resilience and collaboration in an increasingly unpredictable world. The strategy takes account of future threats and changes in technology so it remains fit for purpose over the next five years and beyond. We are committed to building and maintaining customer trust against a backdrop of an increasingly uncertain and volatile threat landscape. We cannot control all threats, but we can prepare for them and minimise their impact through cyber resilience. We view cyber resilience as our ability to anticipate, withstand, recover and adapt to unexpected and severe cyber events. Our strategy is guided by four ambitions; embed security and resilience by design in all that we do; anticipate and reduce critical cyber risks; effective security at pace; and build a trusted and resilient ecosystem for customers, partners and society. We are delivering the strategy through seven pillars. Together, these enable customer trust in our products and services, deliver our vision of a secure and resilient connected future for everyone, and guide company-wide changes. Adaptive and accelerated cyber health: Sustaining cyber health with an accelerated pace of protection, detection and response. Adapting to volatile risks, enabling new technology and meeting changing regulations.

Our vision is a secure and resilient connected future for everyone. The vision drives our ambition to protect what matters most across our network, products and services. We are motivated to provide sustained cyber security and resilience because we know it underpins customer trust and protects critical national infrastructure. We aim to shape a secure society and an inclusive future for all.

900+ global cyber team employees

Powered by