Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cyber-attacks are acknowledged to be a growing threat across all industries. There is likely to be an increased risk of information security or cybersecurity incidents, including cyber-attacks as a result of increased global tensions. The Group has adopted a holistic strategy which seeks to protect our data, people, products, and customers through a combination of people, processes, technology, and governance. As we increasingly incorporate AI functionality into our systems and products, we recognise the importance of robust governance frameworks to ensure ethical, secure and compliant AI deployment. We are investing in additional technologies and engage third-party expertise for added support. Our dedicated cybersecurity team is led by a CISSP-certified Chief Information Security Officer (CISO) with over 25 years of experience.

We manage the risk of evolving threats through proactive measures and continuous updates to our defences. Our hybrid security strategy covers potential entry points, including networks, systems, applications, and devices, which aims to ensure protection for the Group and create a resilient defence against cyber threats.

Cyber risk is a Board priority and the CISO actively participates in Audit Committee and Executive Committee meetings. They are also responsible for offering updates and oversight on the information and cybersecurity strategy and reporting material cybersecurity risks and mitigation strategies to the Board and its subcommittees. Additionally, the CISO chairs the Security and Privacy Steering Committee comprising business stakeholders, including, but not limited to, legal, compliance, finance, internal audit, risk management and human resources. The committee has overall approval and sign-off of security and privacy policies, which allows for focused discussions and strategy alignment for both security and privacy. The committee provides necessary updates to the Board where required.

The CISO is also a member of several industry groups, including the Threat Intelligence and Information sharing, Manufacturing, NHS Supply Chain and Life Sciences trust groups which have been built and delivered by the UK National Cyber Security Centre (NCSC), alongside the global industry focused Health Information Sharing and Analysis Centre (H-ISAC). Participation in these environments allows for networking and sharing of cyber-related risks and issues to raise cyber resilience across the sector.

The Group’s cybersecurity risk management processes, including identification, assessment, documentation and mitigation, have been integrated into our overall ERM system. This is achieved through both the top-down process driven by our Executive Committee which have identified Cybersecurity as one of our principal risks as well as the bottom-up IT risk register maintained by members of the cybersecurity team (refer to page 79 for additional detail on the Group’s risk management process). Further, the cybersecurity function has defined processes for handling information security and cybersecurity incidents, incorporating analysis and prioritisation mechanisms aligned with enterprise risk management. During an incident, the information security team continuously monitors and assesses the impact on the organisation. Predefined thresholds trigger the formation of a subcommittee, bringing together a cross-functional team which includes information security, information technology, legal, compliance and communications expertise. This subcommittee manages the assessment of materiality, invocation of crisis management, Executive Committee and Board engagement, and assessment of requirements for regulatory notifications.

The Group’s cybersecurity risk management processes include assessment and oversight of AI systems, ensuring that risks associated with AI such as data privacy, algorithmic bias, and unintended outcomes, are identified, assessed and documented, with mitigation plans put in place in alignment with governance processes. The cybersecurity function collaborates with AI governance leads to define processes for monitoring, incident response, and regulatory compliance specific to AI technologies.

In the event of a major cybersecurity incident, including those with a material impact on the Group, the CISO, supported by internal and/or external legal advisers and other third-party specialist advisers as appropriate, coordinates the engagement on the cyber incident response with the executive and crisis management teams. The CISO is also a key member of the crisis management team who supports on coordinating and communicating with the Board.

Recognising cybersecurity and AI governance as a multifaceted discipline, the Group emphasises a continuous improvement approach, measured via annual security and AI governance assessments, penetration testing, vulnerability scanning and audits using a dedicated 24x7 security platform and monitoring through the internal audit function.

The Group uses a wide variety of information systems, programmes, and technology to secure and manage its business. The Group also develops and sells digitally enabled products, some of which connect to networks and/or the internet. Layered security is implemented to prevent, detect, and respond to threats to minimise the risk and disruption of intrusions. Access to systems and services is protected using multi-factor authentication over virtual private networks (VPN) connected back into the Group network to safeguard remote access.

Robust governance practices are in place across the information security and cyber function, including an assessment of suppliers’ and vendors’ security and compliance posture prior to the onboarding and activation of any service. Active monitoring of third-party providers is implemented on a 24x7 basis, by utilising a dedicated service via a market-leading third party, reducing the risk of supply chain attacks.

The information and cybersecurity function conducts an annual mandatory information security awareness training programme for Group employees, covering topics such as physical security, email security, data privacy, ransomware guidance, phishing, AI governance, ethical AI use, responsible data handling in AI-enabled environments, and general online safety.

While the Group strives for effective governance and measures, there is no assurance against future interruptions that could potentially disrupt business operations, divert staff resources and attention and materially adversely affect the organisation’s performance. Throughout 2025, there were no cybersecurity incidents identified which materially affected or are reasonably likely to materially affect the Group’s business strategy, results of operations or financial condition and no incidents have been reported to regulatory authorities during this period.

It is not possible to eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see page 280 ‘Risk Factors – Cybersecurity’ in this Annual Report.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The Group’s cybersecurity risk management processes, including identification, assessment, documentation and mitigation, have been integrated into our overall ERM system. This is achieved through both the top-down process driven by our Executive Committee which have identified Cybersecurity as one of our principal risks as well as the bottom-up IT risk register maintained by members of the cybersecurity team (refer to page 79 for additional detail on the Group’s risk management process). Further, the cybersecurity function has defined processes for handling information security and cybersecurity incidents, incorporating analysis and prioritisation mechanisms aligned with enterprise risk management. During an incident, the information security team continuously monitors and assesses the impact on the organisation. Predefined thresholds trigger the formation of a subcommittee, bringing together a cross-functional team which includes information security, information technology, legal, compliance and communications expertise. This subcommittee manages the assessment of materiality, invocation of crisis management, Executive Committee and Board engagement, and assessment of requirements for regulatory notifications.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Cyber risk is a Board priority and the CISO actively participates in Audit Committee and Executive Committee meetings. They are also responsible for offering updates and oversight on the information and cybersecurity strategy and reporting material cybersecurity risks and mitigation strategies to the Board and its subcommittees. Additionally, the CISO chairs the Security and Privacy Steering Committee comprising business stakeholders, including, but not limited to, legal, compliance, finance, internal audit, risk management and human resources. The committee has overall approval and sign-off of security and privacy policies, which allows for focused discussions and strategy alignment for both security and privacy. The committee provides necessary updates to the Board where required.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee and Executive Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Cyber risk is a Board priority and the CISO actively participates in Audit Committee and Executive Committee meetings. They are also responsible for offering updates and oversight on the information and cybersecurity strategy and reporting material cybersecurity risks and mitigation strategies to the Board and its subcommittees. Additionally, the CISO chairs the Security and Privacy Steering Committee comprising business stakeholders, including, but not limited to, legal, compliance, finance, internal audit, risk management and human resources. The committee has overall approval and sign-off of security and privacy policies, which allows for focused discussions and strategy alignment for both security and privacy. The committee provides necessary updates to the Board where required
Cybersecurity Risk Role of Management [Text Block] Our dedicated cybersecurity team is led by a CISSP-certified Chief Information Security Officer (CISO) with over 25 years of experience.

Cyber risk is a Board priority and the CISO actively participates in Audit Committee and Executive Committee meetings. They are also responsible for offering updates and oversight on the information and cybersecurity strategy and reporting material cybersecurity risks and mitigation strategies to the Board and its subcommittees. Additionally, the CISO chairs the Security and Privacy Steering Committee comprising business stakeholders, including, but not limited to, legal, compliance, finance, internal audit, risk management and human resources. The committee has overall approval and sign-off of security and privacy policies, which allows for focused discussions and strategy alignment for both security and privacy. The committee provides necessary updates to the Board where required.

The CISO is also a member of several industry groups, including the Threat Intelligence and Information sharing, Manufacturing, NHS Supply Chain and Life Sciences trust groups which have been built and delivered by the UK National Cyber Security Centre (NCSC), alongside the global industry focused Health Information Sharing and Analysis Centre (H-ISAC). Participation in these environments allows for networking and sharing of cyber-related risks and issues to raise cyber resilience across the sector.

In the event of a major cybersecurity incident, including those with a material impact on the Group, the CISO, supported by internal and/or external legal advisers and other third-party specialist advisers as appropriate, coordinates the engagement on the cyber incident response with the executive and crisis management teams. The CISO is also a key member of the crisis management team who supports on coordinating and communicating with the Board.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] the Security and Privacy Steering Committee comprising business stakeholders, including, but not limited to, legal, compliance, finance, internal audit, risk management and human resources. The committee has overall approval and sign-off of security and privacy policies, which allows for focused discussions and strategy alignment for both security and privacy.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our dedicated cybersecurity team is led by a CISSP-certified Chief Information Security Officer (CISO) with over 25 years of experience.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The Group’s cybersecurity risk management processes, including identification, assessment, documentation and mitigation, have been integrated into our overall ERM system. This is achieved through both the top-down process driven by our Executive Committee which have identified Cybersecurity as one of our principal risks as well as the bottom-up IT risk register maintained by members of the cybersecurity team (refer to page 79 for additional detail on the Group’s risk management process). Further, the cybersecurity function has defined processes for handling information security and cybersecurity incidents, incorporating analysis and prioritisation mechanisms aligned with enterprise risk management. During an incident, the information security team continuously monitors and assesses the impact on the organisation. Predefined thresholds trigger the formation of a subcommittee, bringing together a cross-functional team which includes information security, information technology, legal, compliance and communications expertise. This subcommittee manages the assessment of materiality, invocation of crisis management, Executive Committee and Board engagement, and assessment of requirements for regulatory notifications.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true