Vodafone 2026 Annual Report

Vodafone Group Plc Annual Report 2026

Strategic report

Governance

Financials

Other information

Principal risks and uncertainties continued Mitigating activities

The global risk framework provides a consistent approach to measuring and managing our risks by considering their potential impact, likelihood, and our tolerance. It is important to establish the context and to understand the environment in which we operate. We categorise our risks into different risk types (strategic, technology and operations, financial, legal and regulatory) and identify whether the source of the threat is internal or external. This helps us effectively treat risks by avoiding, transferring, mitigating, or accepting them. Furthermore, this categorisation allows us to provide appropriate oversight and assurance for each of our risks. Each risk is assigned to an executive risk owner, who is responsible for implementing adequate controls and necessary treatment plans to manage risks within acceptable tolerance levels. While risk owners are responsible for implementing mitigations, the ARC and RCC provide oversight of the risk management strategy and challenge risk tolerance levels through in‑depth risk reviews. Refer to pages 60 and 62 for more detail on our principal risks. Read more about the Audit and Risk Committee on pages 92 to 97

Adverse changes in the external regulatory and policy environment We employ continuous horizon scanning to monitor geopolitical, legal, and regulatory developments, using structured intelligence and active engagement with policymakers, regulators, customers, and stakeholders to shape policy outcomes. We adapt our internal controls, strengthen governance, and safeguard our strategic position where required so that Vodafone remains resilient in a rapidly changing external environment.

Adverse macroeconomic, liquidity, funding, and market risk We have a resilient business model. We continue to actively monitor the possibility of economic downturns, which could manifest differently across our jurisdictions. For our consumers who might be affected, we offer competitive options and social plans in our markets. We have the longest average life of debt amongst European peers, which reduces refinancing requirements, and all our bond debt is effectively held at fixed interest rates.

Adverse market competition We monitor competitive dynamics across markets and adapt through stronger brand positioning, improved customer experience, targeted infrastructure investment, enhanced propositions, and the use of second brands in the value segment. Partnerships with leading technology companies and protections under the Digital Markets Act help safeguard customer ownership, while we secure spectrum, expand 5G and FTTH coverage, and continue to upgrade our cable networks to sustain performance. Network resilience Our network resilience relies on a set of mitigations designed to prevent, detect, and recover from disruptions. These include geo-redundant architecture, diverse fibre routes, highly meshed core and backhaul networks to minimise single points of failure, and on-site intervention equipment. Vodafone is enhancing battery backup in key sites to safeguard critical voice and data services during grid outages. Resilience by design principles supported by testing strengthen our operational readiness.

Cyber threat Our cyber security strategy has a risk and control framework to manage cyber risk to our networks and services. Our framework aims to identify, protect against, respond to, and recover from threats. We measure control effectiveness across all parts of the Company and have an in-house team of experts in cyber security. We embed security by design into our products, services, and internal operations. Protective controls reduce the likelihood and impact of most threats. When attacks do succeed, we prioritise rapid response to minimise business and customer impact. Root cause analysis then drives continuous improvement and actionable remediation. Click to read more about our approach to cyber security in our fact sheet: vodafone.com/cyber Strategic transformation execution Our transformation programmes are critical to delivering our growth ambitions, while also enabling cost transparency and driving efficiencies. Rigorous transformation and operational governance are in place to oversee large-scale activities and ensure disciplined delivery. Work continues to address operational complexities, optimise resource allocation, and focus efforts on the priorities that will deliver the greatest impact for our customers.

Data Management and Privacy Our data and privacy strategies are designed to continually reduce the risks. We regularly conduct reviews of our significant privacy and data risks and use insights from incidents to improve our ability to safeguard data and protect stakeholders. We use the outcomes to prevent, detect, and respond to the risks on a prioritised basis. Read more about our approach to data management and privacy on pages 50 and 51

IT resilience and transformation Our global policy, supported by Key Performance Indicators (‘KPIs’), outlines the steps to quickly recover our most critical technology assets following a disaster. The adoption of cloud computing is enhancing the distribution of our systems. We have prioritised the delivery of IT transformation and modernisation programmes, adopting incremental delivery to improve governance and realise benefits sooner.

Legal and Regulatory risk We continue to strengthen our compliance posture through updated policies, enhanced internal controls, and structured compliance monitoring across markets. Ongoing horizon scanning, targeted training, and active engagement with regulators allow early identification of risks and necessary actions, while reinforced governance and cross- functional accountability support consistent adherence to regulatory requirements across our footprint.

Supply chain disruption We are closely monitoring the evolution of the geopolitical environment. This enables us to prepare and respond to emerging challenges and to comply with evolving regulations, economic sanctions, and trade rulings. We also mitigate our exposure through supplier diversification for critical services, multi-year contracts with key suppliers, demand, and inventory planning in anticipation of extended lead times and continuing to execute our optimisation strategy for network infrastructure logistics.