OneSpan Inc. (OSPN) Business

Item 1 – Business

Overview

OneSpan helps organizations build secure, seamless, and trusted digital experiences through two solution portfolios: Cybersecurity and Digital Agreements. Our cybersecurity solutions protect identities, secure mobile apps, and safeguard access through advanced high-assurance authentication, threat intelligence, fraud prevention, and robust mobile app protection, defending users, devices, and applications against sophisticated attacks. Our digital agreement solutions streamline agreement workflows with secure e-signatures, identity verification, and smart digital forms, built to enable speed, compliance and exceptional customer experiences. Trusted by leading global enterprises, including more than 60% of the world’s 100 largest banks, OneSpan processes over 100 million digital agreements and billions of secure authentication transactions across more than 120 countries each year.

We offer our products primarily through a subscription licensing model and provide multiple deployment options, including cloud-based and on-premises solutions. Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers.

We report our financial results under the following two business divisions, which are our reportable operating segments: Cybersecurity and Digital Agreements.

•Cybersecurity. Cybersecurity, formerly Security Solutions, consists of our broad portfolio of software products, software development kits ("SDKs") and Digipass authenticator devices that are used to build applications designed to defend against attacks on digital transactions across online environments, devices, and applications. The software products and SDKs included in the Cybersecurity segment are delivered through on-premises and cloud-based deployment models and include standards-based authentication technologies such as Fast Identity Online ("FIDO") authentication and passkeys, multi-factor authentication, transaction signing solutions and mobile application security.

•Digital Agreements. Digital Agreements consists of solutions that enable our clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are cloud-based, include OneSpan Sign e-signature, OneSpan Notary, and OneSpan Identity Verification.

Beginning in mid-2023 and through the third quarter of 2024, our focus was on adjusting our cost structure to enable both business divisions to operate profitably. These cost optimization efforts were a major factor in the overall business returning to operating profitability in the fourth quarter of 2023. The subsequent increase in profitability, combined with high levels of cash generation, enabled us to return approximately $31.6 million to shareholders in 2025 in the form of quarterly dividends and share repurchases. Beginning in the fourth quarter of 2024 and continuing through 2025, we continued to operate profitably while taking a number of important steps to generate future revenue growth:

•In December 2024, we hired a new Chief Technology Officer, Ashish Jain, to lead our research and development efforts.

•In June 2025, we acquired Nok Nok Labs, Inc. ("Nok Nok Labs"), a provider of passwordless software authentication solutions, which brought S3, a leading FIDO software product, to our portfolio. This acquisition provides OneSpan's customers with a wider range of flexible, adaptable authentication options. See Note 6, Business Acquisitions, for additional information.

•In June 2025, we entered into a $100.0 million credit agreement (the “Credit Agreement") with MUFG Bank, Ltd ("MUFG") and other lenders party thereto. The Credit Agreement provides for a $100.0 million revolving credit facility with a $10.0 million letter of credit sublimit and a $10.0 million swingline loan sublimit. The proceeds of borrowings under the Credit Agreement may be used for general corporate purposes. We may borrow, repay and reborrow funds under the revolving credit facility until its maturity on June 23, 2030. See Note 12, Debt, for additional information.

1

•In October 2025, we announced a strategic investment in, and partnership with, ThreatFabric Holding B.V., a Dutch company that provides mobile threat intelligence, malware risk detection, and behavioral analytics, to further enhance the value we offer to our customers. See Note 2, Summary of Significant Accounting Policies, for additional information.

•In December 2025, we hired a new Chief Revenue Officer, Shaun Bierweiler, to lead our go-to-market efforts, and to drive growth and customer success.

•Later in December 2025, we entered into a definitive agreement to acquire Build38 GmbH ("Build38"), a leader in next-generation mobile application protection solutions, to extend our investment in advanced mobile security technologies. See Note 6, Business Acquisitions, for additional information.

Our efforts to broaden and strengthen our product offerings are driven in part by a secular shift away from physical authentication devices such as our Digipass tokens. Because consumers increasingly interact with their banks through their mobile devices rather than desktop computers, they are more likely to prefer authentication methods that enable secure, convenient access to mobile banking apps without the need for a physical device. In response to this trend, our bank and financial institution customers have increasingly adopted a “mobile first” approach to consumer authentication that prioritizes the mobile user experience over traditional desktop experiences. This approach has resulted in a reduction of Digipass hardware authenticator sales and an increase in sales of software authentication licenses delivered through software applications on mobile devices. Due largely to the mobile first trend, our revenue from Digipass devices declined from 78% of our revenue in 2015 to 20% of our revenue in 2025. Although we plan to continue to invest in our Digipass authenticators, including our newer FIDO2 Digipass devices, as an important component of our broad authentication solution portfolio, we are focused on driving revenue growth in higher–margin software solutions, both through further expansion of our Cybersecurity software solutions and through continued growth in our Digital Agreements division.

Industry Background

While the continued shift toward cloud-delivered experiences and the rapid adoption of artificial intelligence (“AI”) technologies across industries have accelerated digital engagement, they have also expanded the threat landscape for organizations, their customers, and their employees. People, applications, and the digital records associated with business interactions, transactions, and agreements have become major targets for cyberattacks and fraud. As organizations digitize critical workflows, the security, integrity, and enforceability of these interactions have become increasingly essential to business operations.

Cybersecurity Market Trends

Cybersecurity threats continue to rise in frequency, sophistication, and impact. Attackers are leveraging advanced techniques—including AI-driven phishing, deepfake-enabled impersonation, and social engineering—to exploit weaknesses in digital channels. Account takeover attacks (“ATO”) remain among the fastest‑growing threats, as criminals target customer and workforce authentication processes across digital banking and enterprise applications. Authorized push payment (“APP”) fraud is also accelerating, with fraudsters manipulating individuals and businesses into sending real‑time payments to illegitimate destinations.

At the same time, mobile-first usage has made applications a central attack surface. Organizations increasingly face threats such as malware, reverse engineering, and injection attacks within their mobile apps, prompting a growing need for in-app protections, threat analytics, and mobile application shielding. These risks are compounded by the rise of hybrid work environments, which place additional pressure on organizations to secure employee access through phishing-resistant authentication and comprehensive workforce identity protections.

While organizations seek to safeguard their environments, they must also meet customer expectations for fast, intuitive, and low‑friction digital experiences. This tension between strong security requirements and seamless user experiences continues to challenge enterprises across regulated and unregulated industries.

Digital Agreements Market Trends

The digital agreements market continues to advance as organizations seek to improve efficiency, reduce risk, and meet regulatory requirements in increasingly complex operating environments. As businesses move beyond static,

2

PDF‑based documents, they are shifting toward intelligent, structured, and dynamic digital content that enables greater automation, analytics, and reuse across workflows.

The rise of agentic AI is also reshaping agreement processes. Rather than digitizing legacy steps, enterprises are reconstructing workflows to be adaptive, automated, and AI‑assisted - streamlining multi‑step processes and accelerating digital operations.

At the same time, organizations are reassessing their e‑signature foundations. Many tools adopted rapidly during the COVID era were deployed in silos, offer limited customization, are costly to scale, and, in some cases, introduce additional security risks. As companies consolidate these fragmented deployments, they are prioritizing cost‑effective, enterprise‑wide solutions that support broad use‑case coverage and deliver a lower total cost of ownership.

Our Opportunity

The trends shaping both the cybersecurity and digital agreements markets point to a growing global need for technologies that secure identities, protect critical applications, and ensure the integrity of high-value digital transactions. In cybersecurity, rising threat sophistication, the expansion of mobile and cloud attack surfaces, and the ongoing tension between strong security and user experience are driving demand for robust, friction-resistant authentication and advanced application protection. In parallel, the digital agreements market is undergoing its own transformation as organizations shift toward intelligent documents, AI-driven workflows, and consolidated, enterprise-wide e-signature deployments that reduce cost, improve scalability, and require strong identity verification—particularly as digital wallets and new credential models emerge. Together, these market dynamics create a meaningful opportunity for OneSpan to leverage our global security heritage to deliver identity-assured, trusted solutions that help organizations reduce risk, meet regulatory requirements, and provide intuitive, secure digital experiences across both segments.

Our Products and Services Portfolio

We offer a portfolio of security, authentication, identity, electronic signature, and digital workflow products and solutions through our two business divisions, Cybersecurity and Digital Agreements.

Cybersecurity

Cloud Authentication is a quick-to-deploy, cloud-based multi-factor authentication solution that supports a full range of authentication options including biometrics, push notification, visual cryptograms for transaction data security, SMS, and hardware authenticators. This allows customers to solve strong authentication problems across different endpoints to best meet their unique requirements through a single provider rather than integrating multiple modalities together. It eliminates cost associated with managing legacy on-premises authentication technology and provides a straightforward upgrade path to more comprehensive capabilities such as intelligent adaptive authentication.

Digipass S3 Authentication Software is our authentication platform designed to enable passwordless, phishing-resistant authentication across web and mobile applications. The platform supports standards-based technologies, including FIDO. The software provides adaptive, policy-driven authentication using contextual and device-based signals to balance security and user experience. It offers centralized administration, lifecycle management, analytics, and integration with existing Identity and Access Management ("IAM") and Customer Identity and Access Management ("CIAM") platforms through APIs and out-of-the-box connectors. Digipass S3 Authentication Software can be deployed in cloud or on-premises environments and is designed to support enterprise-scale authentication volumes. Customers use Digipass S3 Authentication Software as part of their digital authentication environments across web and mobile applications.

Mobile Security Suite is a comprehensive SDK and unique single framework that integrates built-in application security to allow for a variety of strong authentication technologies, dynamic linking, WYSIWYS (What-You-See-Is-What-You-Sign), authentication orchestration, and improved authentication user interface. Through a comprehensive library of application programming interfaces ("APIs"), customers can extend and strengthen security for applications, deliver user convenience, and streamline the application deployment and lifecycle management process.

Mobile Application Shielding protects mobile applications from attacks by malware, allowing secure usage of mobile applications even in hostile environments (e.g., on jailbroken mobile phones). The technology helps protect mobile application code against malicious code injection such that if a device becomes infected with malware, the application shielding technology will detect and prevent that code from running.

3

Authentication Server is a comprehensive, centralized, and flexible authentication platform designed to provide full lifecycle management through a single, integrated system. It enables secure multi-factor authentication for digital transactions and user access, supporting a wide range of authentication methods, including biometrics, one-time passwords, and mobile push notifications. By offering broad access to enterprise resources—from SSL VPNs to cloud-based applications—it enhances security while simplifying authentication management for both administrators and end users.

Authentication Suite is a comprehensive solution designed to protect organizations from cyber threats while offering authentication experiences across channels. With a flexible API-driven backend, support for both hardware and software authenticators, and a robust mobile SDK, the suite provides scalable security for high-volume applications like online banking, e-commerce, and gaming. Organizations can tailor authentication methods to meet their unique security needs, leveraging industry standards and technologies such as the FIDO and OATH standards, our Digipass technology, and our Cronto visual transaction signing solution for enhanced protection against sophisticated attacks. Its integration capabilities simplify deployment without disrupting existing systems, while built-in mobile authentication licenses enable secure user access across multiple devices.

Digipass Authenticators are our hardware authenticators, consisting of a wide variety of authentication devices, each of which has its own distinct characteristics to meet the needs of our customers. All models of Digipass authenticators are designed to work together so customers can switch devices without making changes to their existing infrastructure, and they are also fully interoperable with our mobile authentication software. Our Digipass models range from one-button devices and smart card readers to devices that include more advanced technologies, such as public key infrastructure ("PKI") and visual cryptography.

Our Digipass authenticators provide proven multi-factor authentication and transaction data signing. Our newer Digipass FX family of authenticators are FIDO2-certified phishing-resistant passkeys that enable passwordless authentication, significantly reducing the risk of social engineering. Our Digipass FX authenticators use the FIDO2 protocol, employing a private and public key pair system whereby private keys and biometric data never leave the device, thereby avoiding vulnerabilities associated with human error, such as phishing and password reuse.

Digital Agreements

OneSpan Sign, our primary Digital Agreements product offering, supports a broad range of e-signature requirements from simple to complex, and from the occasional agreement to processing tens of thousands of transactions. OneSpan Sign provides multiple public cloud deployment options to meet global data residency needs. The solution is also available in a Federal Risk and Authorization Management Program ("FedRAMP") SaaS-level compliant cloud, allowing U.S. government agencies to implement e- signatures in the cloud and meet General Services Administration ("GSA") security requirements.

Customers can fully "white-label" and configure OneSpan Sign to reinforce their brand for a seamless signing experience. Each step of the digital agreement workflow can be customized, from data capture and agreement creation to signer identification, signature collection, and authentication. OneSpan Sign also provides comprehensive, secure electronic evidence to support strong legal protection by capturing all actions during the agreement process. This reduces the time and cost of gathering evidence and demonstrating legal and regulatory compliance. E-signature capabilities can be a critical component of the account opening and onboarding processes, providing a secure and user-friendly way to execute legally binding agreements.

OneSpan Notary is an online notary solution developed for organizations with in-house notaries. It includes live electronic signature, two-way secured videoconferencing, and strong identity proofing options, like Identity Verification and Knowledge-based Authentication ("KBA"). It also simplifies the notarization process with guided workflows, the ability to upload eNotary Seal, recording, eJournaling, and audit trail capabilities in a single solution. OneSpan Notary is currently available for use in 30 U.S. states.

OneSpan Sign Identity Verification gives banks and other financial institutions access to a wide range of identity verification services – all through a single API integration. This includes identity document (e.g., driver’s license, passport, etc.) capture and real-time authenticity verification, as well as facial comparison (“selfie”) and liveness detection (the ability to detect whether a digital interaction is with a live human being) to establish that the individual presenting the identity document is the same person whose picture appears on the authenticated identity document. Starting January 1, 2024, we began presenting OneSpan Identity Verification in the Digital Agreements segment to reflect the greater alignment of this solution with our Digital Agreements product portfolio.

4

OneSpan Sign Authentication offers a broad set of configurable authentication options designed to help organizations balance user experience, risk, and compliance across the digital agreement lifecycle. The solution provides robust methods to verify both senders and signers, adding essential layers of security to e-signature transactions. Supported authentication options include SMS one‑time passcodes, shared‑secret Q&A, KBA, digital certificates, smart cards, and FIDO passkeys for higher‑risk scenarios. For enhanced assurance, OneSpan Sign also includes government‑issued ID verification, document authenticity checks, and biometric facial comparisons with liveness detection. Whether organizations are orchestrating automated workflows through APIs or sending one‑off signature requests, adding authentication remains a simple yet powerful step to safeguard digital agreements, protect sensitive data, and reinforce trust throughout the signing process.

OneSpan Integration Platform is a modern pre-built platform that enables organizations to easily embed e-signatures powered by OneSpan Sign into well-known applications such as Salesforce, SharePoint, and Guidewire. These pre-built integrations allow organizations to manage an efficient, modern digital agreement process. Customers can automate a wide range of digital agreement workflows by leveraging comprehensive APIs, efficient low-code/no-code automations, and partner-provided integration platform as a service ("iPaaS") solutions, enabling cross‑departmental consistency, operational efficiency, and strong security and compliance controls.

Intellectual Property and Proprietary Rights and Licenses

We rely on a combination of patent, copyright, trademark, design, and trade secret laws, as well as employee and third-party non-disclosure agreements, to protect our intellectual property ("IP") and other proprietary rights. We hold patents which cover multiple aspects of our technology in the U.S., Europe, Japan, China, Hong Kong and other countries. These patents expire between 2026 and 2045. In addition to issued patents, we also have patent applications pending in the U.S., Europe, Japan, China, Hong Kong and other countries. Many of our issued and pending patents are related to our Digipass and Nok Nok Labs product lines. In addition to our owned IP, we license software from third parties for integration into our solutions, including open-source software and other software available on commercially reasonable terms.

We furthermore have registrations for most of our trademarks in most of the markets where we sell the corresponding products and services, as well as registrations of the designs of many of our Digipass devices, primarily in the European Union ("EU") and China.

Protecting IP rights can be difficult, particularly in countries that provide less protection to IP rights and in the absence of harmonized international IP standards. Competitors and others may already have IP rights covering similar products. We may not be able to secure IP rights covering our own products or may have difficulties obtaining IP licenses from other companies on commercially favorable terms. For a discussion of IP-related risks, see Item IA, Risk Factors.

Research and Development

Our research and development efforts are focused primarily on enhancing our solutions by building new features, functionality, and applications; developing technology to support new products; enhancing our transaction-cloud platform; and conducting product and quality assurance testing. We employ a team of full-time engineers and, from time to time, also engage independent engineering firms to conduct certain product development efforts on our behalf. For fiscal years ended December 31, 2025, 2024, and 2023, we incurred expenses, net of software capitalization, of $34.2 million, $32.4 million, and $38.4 million, respectively, for research and development.

Production

Our Digipass authentication devices are manufactured by third-party manufacturers at several independent factories in Southern China and one within the European Union, in Romania. We maintain local personnel in China to conduct quality control and quality assurance procedures. Periodic visits to the factories are conducted by our personnel for quality management, assembly process review, and supplier relations.

Digipass devices are made primarily from commercially available electronic components, including microprocessors purchased from several suppliers. We purchase microprocessors and arrange for shipment to our third-party manufacturers for assembly and testing in accordance with our design specifications. The microprocessors are the most important components of the devices which are not commodity items readily available on the open market.

5

In late 2021 and 2022, the supply chain for our Digipass devices was impacted by the effects of the COVID-19 pandemic, the Russia-Ukraine conflict and the inflationary cost environment, particularly with respect to materials in the semiconductor market, including part shortages, increased freight costs, diminished transportation capacity and labor constraints. This resulted in an increase in material costs, difficulties and delays in procuring certain microprocessors, and other disruptions in our supply chain. Although these supply chain issues stabilized during 2023 and continued to be relatively stable in 2025, global supply chains for semiconductors and electronic components remain vulnerable to disruption from range of risks, including natural disasters and extreme weather, geopolitical disputes, tariffs or trade disputes, regional or global conflicts, and scarcity of certain minerals and components.

In response to these supply chain conditions, we have focused on improving our supplier network, engineering alternative designs, and working to mitigate the impact of potential future supply shortages. We actively manage our inventory in an effort to minimize supply chain disruptions and enable continuity of supply and services to our customers, and we may maintain elevated levels of inventory for certain of our products to prepare for potential supply constraints. We also regularly evaluate alternative manufacturing and supply arrangements, including moving more of our manufacturing from China to Romania or other locations, to mitigate supply chain risks. Despite these efforts, we may experience additional supply chain disruptions or cost increases affecting our Digipass business in the future. Please see Item IA, Risk Factors, for additional information.

Our software solutions are produced in-house or developed by third parties and sold under license.

Competition

The market for digital solutions for security, authentication, identity, electronic signature, and digital workflow products is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services. Competition in our markets may intensify further as advances in AI enable rapid, low-cost development of software applications.

Our authentication products are designed to allow authorized users access to digital business processes and properties, in some cases using patented technology. Our authentication products are often used to supplement, or to enhance and modernize, existing authentication solutions, including static passwords. Our main competitors in the authentication market are Gemalto (a subsidiary of Thales Group), RSA Security and Yubico. There are also many other companies in adjacent areas, such as mobile device management ("MDM"), threat protection, and IAM, that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market may intensify as a result of increasing demand for security products.

Our primary competitors for electronic signature solutions are Docusign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions.

We believe that the principal competitive factors affecting the market for digital solutions for security, authentication, identity, electronic signature, and digital workflow products include the strength and effectiveness of the solution, technical features, ease of use, quality and reliability, customer service and support, brand recognition, customer base, distribution channels, and the total cost of ownership of the solution. With the exception of brand recognition, we believe that our products are currently competitive with respect to these factors; nevertheless, we may not be able to maintain our competitive position against current and potential competitors. Some of our present and potential competitors have significantly greater financial, technical, marketing, purchasing, and other resources. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, to devote greater resources to the development, promotion and sale of products, to establish and maintain greater brand recognition, or to deliver competitive products at a lower end-user price. Please see Item IA, Risk Factors, for additional information.

Sales and Marketing

Our solutions are sold globally through our direct sales force and through channel partners, including distributors, resellers, systems integrators, and original equipment manufacturers. Our sales organization coordinates sales activity across our direct and partner channels and engages directly with customers independently or alongside partner sales personnel. We also provide product education and enablement to sales and technical personnel of our channel partners and to prospective end users of our products.

6

Customers and Markets

The majority of our revenue is derived from financial institutions, which include traditional banks, credit unions, and online-only banks. We also sell to the enterprise market segment, government, healthcare, and insurance industries in select regions around the globe.

Our top 10 customers contributed 18%, 20%, and 22% in 2025, 2024, and 2023, respectively, of our total worldwide revenue.

Because a significant portion of our sales is denominated in foreign currencies, changes in exchange rates impact results of operations. To mitigate exposure to risks associated with fluctuations in currency exchange rates, we attempt to denominate an amount of billings in a currency such that it would provide a natural hedge against operating expenses being incurred in that currency. For additional information regarding how currency fluctuations can affect our business, please refer to Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations.

Financial Information Relating to Foreign and Domestic Operations

For financial information regarding OneSpan, see our consolidated financial statements and the related notes, which are included in Part IV of this Annual Report on Form 10-K. See Note 18, Geographic, Customer and Supplier Information included in the notes to consolidated financial statements in Part IV of this Annual Report on Form 10-K for a breakdown of revenue, gross profit and long-lived assets between the U.S. and other regions.

Government Regulation

As a global cybersecurity and digital agreements company with operations and customers in multiple jurisdictions worldwide, we are subject to complex, evolving, and increasingly stringent global laws and regulations. Also, because banking and financial services is our largest industry target market, the regulations affecting our customers in this area, such as the European Union Digital Operations Resilience Act, have a significant indirect effect on our business. Similar regulatory dynamics occur in the other primary markets where we have customers, such as healthcare and government. In addition, since we have significant operations in Europe, we are subject to many European Union laws concerning privacy, data, cybersecurity, and sustainability, which have been and may continue to be costly to comply with. Additional proposed or newly enacted legislation or regulatory requirements could also materially affect our business. Please see Item IA, Risk Factors, for additional information.

Human Capital

OneSpan is powered by a team of 602 employees, consisting of 336 employees in the Americas, 231 employees in EMEA (which includes Europe, the Middle East, and Africa), and 35 employees in the Asia Pacific region as of December 31, 2025. 108 of those employees were in cost of goods sold, 167 in sales and marketing, 239 in research and development, and 88 in general and administrative.

We understand that achieving our business objectives will depend primarily on the skills, creativity, and determination of our people. To that end, we strive to create an environment that will attract, retain and develop talented people who are motivated to find opportunities and create new possibilities for our customers, for themselves and their teams, and for OneSpan. To achieve this goal, we focus on the areas described below.

Competitive Compensation and Benefits. We seek to provide our employees with competitive and fair compensation and benefit offerings, and use market benchmarks to ensure external competitiveness while maintaining equity within the organization. We tie incentive compensation to business performance and provide a range of health, wellness, family leave, savings, retirement, and time-off benefits for our employees, which vary based on local regulations and norms.

Engagement. We seek input from our employees regularly through a variety of channels, including informal interactions, regular one-to-one meetings between managers and employees, department meetings, quarterly virtual all-company meetings and employee engagement surveys. This input helps us assess our progress in promoting an environment where employees are engaged, productive, and have a strong sense of belonging. We also use employee feedback to identify areas where we can do better and expect our managers to actively work to improve those areas.

7

Hybrid Workplace Policy. For our employees who live near one of our offices, local office leadership designates the number of days per week employees generally come to the office in person, which ranges from two or three times per week in certain locations, to five days per week in others. For locations that are not five days per week in the office, for the rest of the week employees may work either remotely or from their local office. We believe this approach maintains the flexibility of remote work while also providing a regular opportunity for in-person interactions to collaborate, innovate, and build relationships with colleagues.

Workplace Environment and Access to Talent. With 602 employees around the world and customers in more than 120 countries, we believe that our business benefits from a workplace that includes employees with a range of perspectives, experience, backgrounds and cultures. We work with a variety of job sites and candidate application platforms to increase our access to a broad pool of potential employees. We also monitor the composition of our workforce by gender on an ongoing basis in order to make sure we are accessing and retaining a wide range of available talent. As of December 31, 2025, approximately 30% of our total employees and 30% of our employees at a manager level and above identified as female, and 69% and 70%, respectively, identified as male.

Training and Talent Development. We promote and support employee development, compliance and organizational effectiveness by providing professional development and compliance training. All of our employees take a required annual training on the following topics: our code of conduct and ethics; cybersecurity; and preventing harassment and discrimination. In addition, we make a variety of external professional development courses and tailored in-house trainings available to our employees.

Feedback, Coaching and Career Development. We believe regular feedback is an important component of employee development. Our managers provide ongoing feedback and performance coaching to their direct reports in regular one-to-one meetings, and are also encouraged to solicit their teams’ feedback on their own performance. We have also adopted a career ladder program tailored for our research and development employees. The goal of this program is to set out a structured and supportive career development framework that fosters continuous learning, skill development, and career advancement.

Employee Recognition. We recognize our employees for driving business results, exemplifying our company values, extraordinary efforts on specific projects, and long tenure with the company. We believe that these recognition programs help drive strong employee performance and promote a positive working environment.

Community Outreach. We encourage employee volunteerism in the communities where we live and work by providing each employee with one paid day off each year to participate in volunteer activities of their choice. In addition, our main office locations regularly participate in events such as food, pet supply and holiday children’s toy drives.

Monitoring Employee Turnover. We monitor voluntary turnover and total attrition, as a whole and by tenure, region, and by job family. Total attrition captures all reasons employees leave, including voluntary turnover and involuntary turnover due to job eliminations or performance reasons, whereas voluntary turnover is limited to elective departures by employees. Our voluntary turnover across our global employee base in 2025 was 5.8%, which we believe is low compared to global voluntary turnover rates in the technology industry. Our total attrition in 2025 was 9.3%.

Commitment to Well-Being and Human Rights, Near and Far. We maintain a variety of policies and procedures to promote positive workplace conduct and employee well-being within OneSpan, and human rights beyond, including a code of conduct and ethics, a compliance concern reporting hotline, anti-discrimination and equal opportunity policies, a stress and burnout awareness training program, human rights and anti-trafficking policies, and a supplier code of conduct.

Corporate Information

Our predecessor company, VASCO Corp., entered the data security business in 1991 through the acquisition of a controlling interest in ThumbScan, Inc., which we renamed VASCO Data Security, Inc. In 1997, VASCO Data Security International, Inc. was incorporated and in 1998, we completed a registered exchange offer with the holders of the outstanding securities of VASCO Corp., thereby becoming a publicly traded company. In May 2018, VASCO Data Security International, Inc., our publicly traded parent company, changed its name to OneSpan Inc.

8

Including our predecessor companies, we have completed 18 acquisitions and two dispositions since our inception, including the 2013 acquisition of Cronto Limited, a provider of secure visual transaction authentication solutions for online banking, and the 2015 acquisition of Silanis Technology Inc., a provider of e-signature and digital transaction solutions which we now market and sell under the OneSpan Sign name. More recently, we acquired Nok Nok Labs, a provider of passwordless software authentication, in June 2025, and in December 2025, we entered into a definitive agreement to acquire Build38, a provider of mobile application protection software. The proposed acquisition of Build38 is subject to customary closing conditions.

Our principal executive offices are located at 1 Marina Park Drive, Unit 1410, Boston, MA 02210.

“OneSpan” and other trademarks, trade names or service marks of OneSpan Inc. or its subsidiaries appearing in this Annual Report on Form 10-K are the property of OneSpan Inc. or its applicable subsidiary. This Annual Report on Form 10-K may contain additional trade names, trademarks and service marks of others, which are the property of their respective owners. Solely for convenience, trademarks and trade names referred to in this Annual Report on Form 10-K may appear without the ® or ™ symbols.

Available Information

We maintain an Internet website at www.onespan.com. The information on, or that can be accessed through, our website is not incorporated by reference into this Annual Report on Form 10-K and should not be considered to be a part of this Annual Report on Form 10-K. Our website address is included in this Annual Report on Form 10-K as inactive textual reference only. Our reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), including our Annual Reports on Form 10-K, our Quarterly Reports on Form 10-Q and our Current Reports on Form 8-K, and amendments to those reports, are accessible through our website, free of charge, as soon as reasonably practicable after these reports are filed electronically with, or otherwise furnished to, the SEC. We also make available on our website the charters of our audit committee, compensation committee and nominating and corporate governance committee, as well as our corporate governance guidelines and our code of business conduct and ethics.

Information about our Executive Officers

The following sets forth certain information with regard to each of our executive officers. There are no family relationships between any of the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected.

VICTOR LIMONGELLI — Mr. Limongelli was appointed as OneSpan’s Chief Executive Officer and President in July 2024 after joining the Company in January 2024 as its Interim Chief Executive Officer. Prior to joining OneSpan, Mr. Limongelli most recently served as Chief Executive Officer at BQE Software, Inc., a privately held SaaS company providing billing, accounting, and similar functionality to professional services firms, from September 2021 to April 2023. From April 2018 to August 2021, he served as Chief Executive Officer of MobileCause, Inc., a private equity-backed SaaS company focused on fundraising and donor engagement for nonprofits, and from November 2015 to April 2018, he was initially Chairman of the Board and then Chief Executive Officer of AccessData Group, a privately held security software company. From May 2003 through November 2014, Mr. Limongelli held a number of executive positions with Guidance Software, Inc., a publicly traded security software company, including over 9 years as President and 7 years as its Chief Executive Officer. He received an A.B. from Dartmouth College and a J.D. from Columbia University. Mr. Limongelli is 59 years old.

JORGE MARTELL — Mr. Martell has served as OneSpan’s Chief Financial Officer since September 2022 and as its principal accounting officer since December 2023. From July 2016 to September 2022, he served as Chief Financial Officer and Treasurer and from April 2015 to July 2016 as Vice President of Finance, Corporate Controller, at Extreme Reach Inc., a private-equity owned omnichannel creative logistics company for brand advertising, where he played an integral role in optimizing the company’s balance sheet and in executing the company’s growth strategy through global M&A, prior to its acquisition by another private equity firm. From September 2012 to March 2015, Mr. Martell was Treasurer and Assistant Corporate Controller at Sapient Corporation, a technology company, where he led its global revenue organization, execution of its M&A financial strategy, and global treasury organization prior to its acquisition by Publicis Groupe. Earlier in his career, he held leadership roles at ABM Industries, Inc., a provider of facilities management solutions, and at KPMG LLP, a public accounting firm. Mr. Martell received a B.S. from the Institute of Technology and Higher Studies of Monterrey, Mexico. Mr. Martell is 47 years old.

9

ASHISH JAIN— Mr. Jain joined OneSpan in December 2024 as its Chief Technology Officer. Prior to that, Mr. Jain was Chief Product Officer and Chief Technology Officer at Arkose Labs, an enterprise fraud management and account security company, from March 2021 to June 2024. At Arkose, he led the development of the company's bot mitigation platform to help address consumer fraud and identity challenges for large enterprises. From August 2018 to March 2021, he served as Head of Identity at eBay, a global commerce marketplace provider, where he led the global engineering team to build the identity, risk, and trust platform to support onboarding, authentication, KYC, fraud and abuse protection for eBay’s customers and third-party developers. From June 2011 through August 2018, Mr. Jain held product management roles at VMWare, a virtualization and cloud computing software provider, most recently as Vice President, Workspace One/Digital Workspace. Earlier in his career, he held various product management and engineering roles at a number of technology companies, including PayPal, Ping Identity, and BEA Systems. Mr. Jain received a Bachelor of Engineering degree from BITS, Pilani, India, and an MBA from the University of Denver’s Daniels College of Business. Mr. Jain is 53 years old.

LARA MATAAC — Ms. Mataac has served as OneSpan’s General Counsel, Chief Compliance Officer and Secretary since June 2022. From April 2021 to June 2022, Ms. Mataac was General Counsel at Constant Contact, Inc., a provider of cloud-based online marketing solutions, where she led the legal and compliance team during a period of transition after the company’s spinout from Endurance International Group (EIG) in February 2021. Before Constant Contact, Ms. Mataac was at EIG, a provider of cloud-based web presence and online marketing solutions, from February 2013 through March 2021, most recently as Deputy General Counsel. Before EIG, Ms. Mataac was corporate legal director at Bottomline Technologies, a software company. Earlier in her career, she practiced corporate law at the firms Wilmer Cutler Pickering Hale & Dorr LLP and Fenwick & West LLP. Ms. Mataac received a B.A. from Wellesley College and a J.D. from Stanford University. Ms. Mataac is 49 years old.