Vodafone 2026 Annual Report

55

Vodafone Group Plc Annual Report 2026


Maintaining Trust continued

Cyber security training is reinforced by regular digital communications via our internal social media platform, videos and webinars. When new threats arise or become more prevalent, we provide targeted advice. Examples include reminders on the use of multi-factor authentication and how to avoid social engineering. We perform quarterly phishing simulations across all markets and Group functions to raise awareness and train employees. Those who click on the link in the phishing message or share their credentials receive immediate training. NIS2 requires additional security role-specific training. We are developing such training aimed at roles designated as higher risk; it will be launched next year.

We enable employees in our cyber teams to maintain and grow their skills to better protect our customers. Our company learning platform hosts cyber training on technical topics, platforms and frameworks. Employees can study towards recognised information security and cyber certifications aligned to their learning plans. We organise regular Cyber Connect events for our entire global cyber security team. These events include a recap of our strategy and achievements, messages from senior leadership, external industry speakers, collaborative breakout groups and technical track sessions to learn about cyber topics and best practice. We use technology to enable a hybrid experience, with some attending in offices and some remote.

The Vodafone Cyber Code has been designed to simplify and explain basic security controls and procedures to all employees. The Cyber Code is part of our company Code of Conduct and is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees must follow good security practice. Read more about Vodafone's Cyber Code in our Code of Conduct: vodafone.com/code-of-conduct

Cyber operations and incidents

An important part of our operating model is to gather intelligence and insights in order to assess threats and drive action. Our cyber security team uses industry and external analysis to help shape our controls and procedures, and to drive actions. When specific vendor or new high-impact vulnerabilities are reported, we drive global remediation across Vodafone. As a global connectivity provider, we see a range of cyber threats. We have visibility of these threats through our global telemetry. We use our layers of controls to identify and mitigate threats in order to reduce business or customer impact.

We operate a single global security operations capability. We handle billions of events and logs from sensors across our footprint, detecting potential threats and events. Low-severity issues are dealt with quickly, for example by malware containment or by isolating an individual device. More significant events are triaged to our 24/7 incident management and response team. When a security incident occurs, we have a consistent incident management framework to manage our response and recovery. The focus of our incident responders is always fast risk mitigation and customer security.

In the event of a cyber breach we disclose it to the relevant authorities according to local or regional regulations and laws. This may include law enforcement as well as regulators. Risk assessment of the threat actor, the nature of the incident and the potential impact to customers is important in determining the approach to disclosure. The European Union's GDPR provides a framework for notifying customers in the event that customer data is lost because of a data breach, and this framework is a baseline across all our markets. Our data privacy officers are a key part of the response where incidents impact personal data. We will also make a market disclosure according to US Securities and Exchange Commission (SEC) requirements if the relevant materiality threshold is met.

We classify security incidents on a scale according to severity, measured by potential business and customer impact. The highest severity category of event is called Severity 0, down to the lowest, Severity 4. Severity 0 corresponds to a potentially significant data breach or loss of service caused by the incident. If a Severity 0 incident occurs, we notify the ExCo, the Board and external auditors and provide regular updates to all. A crisis group is formed, composed of relevant senior leaders who oversee the response. Vodafone is in scope of the SEC cybersecurity rule for incident disclosure and reporting. We have updated our incident management process to include the relevant disclosure steps should a material incident occur. Where applicable, we have expanded these cyber security disclosures in response to the reporting requirements. In the event of a Severity 0 incident, the crisis group would decide whether a recommendation to the Disclosure Committee (composed of the CFO and General Counsel, and other senior management) is warranted. The Committee would decide if a market disclosure is necessary for materiality reasons; that would also trigger disclosure to the SEC. When incidents are closed, we complete a post-incident review to learn the lessons from the incident, including the root cause and any improvements needed.

This year

We evolved our organisation to better support our security ambitions. This included embedding privacy engineering to create a Security and Privacy by Design capability, and bringing together IT and security architecture to provide consistency across our systems. We continue to build strong partnerships across industry and government. One of the cyber leadership team was appointed to the ENISA Advisory Group. In the UK we co-hosted an industry and government workshop on post-quantum cryptography migration, bringing together security leaders across industry and government. We made progress across our cyber strategy, including refreshing policies; implementing Key Risk Indicators for security controls; launching a new supplier security schedule and simplified requirements; and refreshing our strategy with a focus on resilience. We also increased the use of automation and AI, delivering more operational efficiency and automated response.

Vodafone Germany launched a new Cyber Security Centre in Düsseldorf, aiming to support and protect SMEs in the digital world. The Centre will employ more than 100 security experts, working around the clock to protect, monitor, analyse and resolve cyber security issues for companies throughout the country. We have continued to organise cyber incident simulations for local ExCos, covering five markets this year. This provides CEOs and their teams with a realistic experience of managing a cyber incident and exercising their responsibilities. Cyber risk remains a standing topic for senior leadership. Cyber topics were covered three times at Board-level committees during the year.

People and culture are central to our cyber capability. We set targets and track diversity and inclusion measures. We recognise deep technical expertise through our Technical Career Path, with several cyber specialists ratified.

During the year no cyber incident met the threshold for disclosure to the SEC. About one-third of incidents we managed were in our supply chain. Ransomware and extortion attacks were the most prevalent in the supply chain. Third-party companies producing third-party software developer packages have been attacked. In March, we identified that one of these compromised third-party software packages was used to gain unauthorised access to some Vodafone Business code repositories. The impact
