Vodafone 2026 Annual Report

Maintaining Trust continued 56 Vodafone Group Plc Annual Report 2026


of the attack was limited access to source code, which was contained and investigated at the time. We did not identify any impact to customer personal data or production systems.

Generally, we see that the most common root causes are exploitation of vulnerabilities and user account compromise. The pace of vulnerability exploitation post-release is rapid.

Looking Ahead

The threat landscape continues to be volatile across all sectors, with wide-ranging threat actors. Geopolitical instability, conflict and tensions are leading to an increase in cyber threats. Telecommunications companies continue to be the target of state-backed actors, often to conduct government-oriented or general espionage. Cross-industry and government collaboration is a key part of mitigating the evolving cyber threats.

Ransomware and data extortion attacks are common to companies of all sizes. We can see from public reporting that some companies are paying ransoms, perpetuating the threat.

Attackers are increasingly trying to log in, rather than hack in. So-called Living off the Land attacks rely on the same techniques used to manage access systems that are used widely by everyone. Detection of these attacks is more challenging.

Social engineering methods are a common means for attackers to gain access. New technologies such as AI are enhancing techniques such as voice phishing and deepfakes. Harvested credentials continue to be sought and shared by threat actors. Attackers can target executives following media announcements and public reporting.

Vulnerability exploitation is fast and common. We have seen continued attacks against our suppliers, and expect this trend to continue.

To respond to the heightened cyber threat landscape we are investing in further strengthening the security of our networks, cloud-based systems, AI and detection and response capability.

Governments are also responding to increasing cyber threats with new security regulations, recognising that telecommunications operators provide critical national infrastructure. We engage with governments and industry partners to promote proportionate, risk-based and cost-effective solutions to security threats. We look to establish shared approaches to reinforce standardisation and regulatory frameworks that apply equally to all market participants.

In the UK, we are implementing the provisions of the Telecommunications Security Act, which sets detailed security requirements for UK network operators and their suppliers. In Europe, we are implementing key provisions of NIS2 based on transposition of the directive into local laws. We are also responding to DORA requirements from our financial services customers. We continue to monitor future EU regulations and directives, including the forthcoming Cyber Resilience Act, which aims to ensure that all digital products and services fulfil basic security requirements, and the Cyber Security Act, which will impact how we manage suppliers and cross-EU certifications.

Particularly in Europe, governments, regulators and customers will expect companies to demonstrate control over where data is stored, who can access it and under which legal jurisdictions it is governed. This is referred to as sovereignty. There is a balance to be struck between national sovereignty and the ability to defend against global threats that do not respect borders. As new regulatory requirements evolve, we are well positioned with a pan-European and African security capability, including Europe-based security operations.

Technology evolution

We are adopting new technologies to better serve our customers and gain operational efficiency. For every technology programme we follow our Secure by Design process, evaluating suppliers’ hardware and software, modelling threats and understanding the risks before designing, implementing and testing the necessary security controls and procedures.

Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. As we deploy 5G core networks alongside our 5G radio networks, often described as 5G Standalone, we have updated our security standards to implement the latest 5G features.

Open RAN is a new way of building and managing radio access network (‘RAN’) components within telecommunication infrastructure. Instead of purchasing all the components from one supplier, we use hardware and software components from multiple vendors and integrate these via open interfaces. Over time, this will create a more competitive landscape for telecommunications equipment. We continue to collaborate with other players in the Open RAN ecosystem to improve security through the O-RAN Alliance and bi-annual benchmarking of vendors. We are expanding our Open RAN sites into Germany and increasing the speed of deployment through automation. The operation of the sites will be optimised by enabling power management and traffic steering that increase their performance and reduce operating cost.

As satellite communications play an increasingly important role in our networks, we are embedding cyber security from the beginning. Satellites are used to connect base stations to the network where traditional connectivity is difficult or uneconomical, and direct to device to provide coverage where base stations cannot be deployed. These services are assessed and validated to confirm that they meet security requirements set by standards groups, and our own policies and standards.

We continue to prepare for a time when quantum computers able to break certain cryptography are available at scale. Governments have published recommendations for post-quantum cryptography migration for high priority use cases, and to complete migration by 2035. Through our joint research with IBM, we have developed a risk-based approach to mitigate the risks of existing cryptography. We are identifying where we are using cryptography that is potentially vulnerable to attack from quantum computers, defining supplier requirements and developing the ability to update our cryptography when new threats emerge. We have set up a long-term Quantum Safe programme and have planned migration activities in the next year in collaboration with our suppliers. We co-chair the telecommunications industry-wide task force on this issue.

We are committed to Responsible AI – AI that is ethical, lawful, trustworthy and safe. Our AI requirements mandate risk assessment, designing for transparency, lack of bias and providing the right degree of human oversight of results. If the AI model could have a high impact on people, we require human input on the final decision. Read more about AI governance on page 51.

Our cyber security approach seeks to balance the opportunities and security risks associated with AI. We work with strategic partners to leverage AI that is embedded into products. We apply governance and security controls to the use of AI proportionate to the associated risks, and monitor for emerging threats, including the misuse of AI by malicious actors.

We enable our workforce to access AI through controlled access to LLMs from our technology partners. We provide training including online sessions and self-help materials to accelerate AI usage, while continuing to restrict access to public LLMs and remind employees that confidential data must not be shared with public AI services.

We are using AI to enhance our security. An example is augmenting our security operations capabilities using AI-enabled detection rules and AI-assisted compromise assessments. These will evolve towards agentic AI workflows and ultimately autonomous detection and response.
