Article Overview
The UK Cyber Resilience Pledge is a voluntary government-backed initiative that helps organisations improve cyber security through stronger leadership, earlier threat detection and better supplier risk management. Rather than focusing solely on technical controls, it encourages businesses to treat cyber security as a business risk that requires board-level ownership and ongoing oversight.
For a typical SMB, signing the pledge could help deliver practical benefits such as:
- Greater customer trust by demonstrating a visible commitment to cyber security.
- Stronger positioning in tenders and supplier assessments where cyber security is increasingly scrutinised. (Author insight based on the pledge's public commitment model.)
- Earlier awareness of threats through the NCSC Early Warning service, helping businesses identify and respond to potential issues more quickly.
- Reduced supply-chain risk by encouraging organisations to assess the cyber security of key suppliers and partners.
- Improved accountability by ensuring cyber security is discussed and managed at a leadership level, rather than being treated solely as an IT issue.
- Better preparation for frameworks and compliance requirements such as Cyber Essentials, Cyber Essentials Plus and wider governance initiatives.
- Greater organisational resilience, helping your business respond to and recover from incidents more effectively when they occur.
The pledge will not prevent every cyber attack, but it can provide a practical roadmap for improving security maturity, reducing risk and building confidence with customers, partners and stakeholders.
Ready to Assess Your Cyber Readiness?
Whether you're considering the Cyber Resilience Pledge, Cyber Essentials certification, or simply want to understand where your organisation's cyber risks lie, PS Tech can help.
Speak to our team for an independent review of your current cyber security posture and practical guidance on the steps needed to strengthen your resilience.
What is the UK Cyber Resilience Pledge, and should your organisation take it?
The UK Government has launched a voluntary Cyber Resilience Pledge to encourage organisations to take practical, visible steps towards improving their cyber security.
Although the pledge has been designed mainly with medium and large organisations in mind, businesses, charities and other organisations of any size and in any sector can sign up.
The commitments cover three areas that regularly determine how well an organisation handles cyber risk: board-level responsibility, early awareness of threats and security across the supply chain.
For organisations already taking cyber security seriously, the pledge offers a useful structure for reviewing what is in place. For others, it may expose gaps that have been left unresolved because cyber risk has largely been treated as an IT department issue.
What is the Cyber Resilience Pledge?
The Cyber Resilience Pledge was announced by the government on 22 April 2026 and formally launched on 7 July 2026.
It is voluntary rather than a new regulation. Organisations that sign it make a public commitment to complete a defined set of actions and provide an annual update on their progress.
The pledge is built around three main commitments:
- Make cyber security a board responsibility
- Register for the National Cyber Security Centre’s Early Warning service
- Review and strengthen the use of Cyber Essentials across the supply chain
These may sound relatively straightforward. In practice, they require cooperation between senior leaders, IT teams, procurement, risk management and suppliers.
That wider involvement is important. A technical security control can reduce a specific risk, but cyber resilience also depends on who owns decisions, how quickly warnings reach the right people and whether weaknesses elsewhere in the supply chain are understood.
1. Make cyber security a board-level responsibility
Organisations taking the pledge commit to implementing the government’s Cyber Governance Code of Practice.
Board members must also complete the National Cyber Security Centre’s Cyber Governance Training within three months of signing and repeat the training annually.
This places cyber risk alongside other areas of organisational governance. Senior leaders are expected to understand the potential operational, financial and reputational effects of a cyber incident, rather than delegating the subject entirely to an IT manager or external provider.
Board-level responsibility should involve more than receiving an occasional technical report. Leaders need useful information that supports decisions.
That may include:
- The organisation’s most important systems and data
- Current vulnerabilities and areas of unmanaged risk
- Progress against an agreed cyber security plan
- Significant incidents and near misses
- Supplier and third-party risks
- Business continuity and recovery readiness
- Staff training and security awareness
- The resources needed to address known weaknesses
The detail will vary between organisations, but the objective is consistent: cyber risk should be understood and managed as a business risk.
This does not mean directors need to become technical specialists. They do, however, need enough understanding to ask sensible questions, challenge assumptions and make informed decisions about priorities and investment.
2. Register for the NCSC Early Warning service
Organisations must register for the National Cyber Security Centre’s Early Warning service within one month of signing the pledge.
Early Warning is a free service designed to notify organisations about potential cyber threats affecting their networks. It uses information available to the NCSC to generate alerts about certain types of suspicious or malicious activity.
Receiving an alert does not automatically solve the underlying problem. Someone still needs to assess it, decide whether action is required and make sure that action is completed.
Before signing the pledge, it is therefore worth deciding:
- Who will receive the alerts?
- Who will investigate them?
- How quickly should they be reviewed?
- How will urgent issues be escalated?
- How will actions and outcomes be recorded?
An alert sent to an unattended inbox provides little protection. The value comes from having an agreed process for turning threat information into timely action.
Organisations using an outsourced IT or cyber security provider should also clarify how Early Warning notifications will fit into their existing support and incident-management arrangements.
3. Review Cyber Essentials across the supply chain
The supply-chain commitment is likely to require the most preparation for many organisations.
Within two months of signing the pledge, an organisation must register for the Cyber Essentials Supplier Check Tool. It must also carry out a comprehensive review of Cyber Essentials coverage across its supply chain and present the findings to the board.
Signatories are expected to take a risk-based approach to requiring Cyber Essentials from suppliers. This could mean making certification mandatory for every supplier, but the pledge does not automatically demand that.
Where Cyber Essentials is not required, the board should be satisfied that the decision fits the organisation’s risk appetite and that suitable assurance is being obtained in another way.
This recognises that suppliers do not all create the same level of risk.
A contractor with no access to systems, networks or sensitive information is unlikely to need the same scrutiny as a supplier that manages cloud services, processes personal data or connects directly to the organisation’s IT environment.
A practical supplier review should consider questions such as:
- What data can the supplier access?
- Can it connect to internal systems?
- Does it provide a service that operations depend upon?
- Could an incident at the supplier disrupt the organisation?
- Does it subcontract any part of the service?
- What security evidence can it provide?
- Does it hold a current Cyber Essentials or Cyber Essentials Plus certificate?
The pledge could lead to more organisations asking these questions during procurement and contract reviews. Suppliers that cannot explain their security arrangements may find it increasingly difficult to reassure larger customers.
Cyber Essentials and the pledge are not the same thing
It is important to distinguish between taking the Cyber Resilience Pledge and achieving Cyber Essentials certification.
The pledge is a voluntary public commitment covering governance, threat information and supply-chain security.
Cyber Essentials is a government-backed certification scheme focused on five core technical controls:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management
Cyber Essentials is based on a verified self-assessment. Cyber Essentials Plus covers the same requirements but includes independent technical testing.
An organisation can take the pledge without Cyber Essentials being a complete answer to every cyber risk. Equally, holding Cyber Essentials does not automatically mean all the pledge commitments have been met.
The two complement each other. Cyber Essentials provides a recognised technical baseline, while the pledge asks organisations to consider how cyber security is governed and how risk is managed beyond their own systems.
What else must signatories do?
Organisations taking the pledge also agree to publish the signed declaration on their website within two months.
They must then provide an annual public update, either on their website or in their annual report, describing the steps taken to deliver against the commitments.
Signatories are also expected to encourage similar action within their own supply chains.
This public element gives the pledge more weight than an internal statement of intent. Customers, employees, partners and suppliers may be able to see what the organisation has committed to and, over time, what progress it reports.
The government’s FAQs make clear that there is no formal assurance process because the pledge is voluntary. However, registration for services such as Early Warning and the Supplier Check Tool can be reviewed. An organisation that does not complete the actions may withdraw or, in some circumstances, be removed from the pledge.
Does taking the pledge prevent cyber attacks?
No security framework can guarantee that an organisation will never experience an attack.
The government is clear that the pledge does not provide complete protection. Its actions are intended to improve resilience, but organisations still need security measures appropriate to their systems, data, people and risk profile.
That could include secure configuration, multi-factor authentication, managed security controls, patch management, tested backups, staff awareness training, incident response planning and business continuity arrangements.
The pledge should therefore be viewed as a foundation and a governance framework, rather than a complete cyber security programme.
Should smaller organisations consider signing?
The pledge is primarily aimed at medium and large organisations, but smaller businesses are eligible to participate.
Whether signing is the right step will depend on the organisation’s resources, customer expectations and current security maturity.
Smaller organisations may find it helpful to use the commitments as a readiness checklist before making a public declaration. For example:
- Is cyber risk already discussed by senior leaders?
- Are responsibilities clearly documented?
- Is the organisation ready to act on NCSC alerts?
- Is there an accurate list of suppliers?
- Can higher-risk suppliers be identified?
- Is there a process for checking Cyber Essentials certification?
- Are the organisation’s own core security controls in good order?
Working through these questions can be worthwhile even where the organisation decides not to sign immediately.
Preparing before you sign
The pledge contains specific commitments and deadlines, so signing should follow a realistic review of the work involved.
A sensible preparation process would include:
Review current governance
Confirm who owns cyber risk, how it is reported and whether the board receives information it can use to make decisions.
Compare existing arrangements with the Cyber Governance Code of Practice
Identify which actions are already covered and where additional policies, reporting or oversight may be needed.
Plan the board training
Make sure every board member can complete the NCSC training within three months and that annual refresher training is recorded.
Prepare for Early Warning
Identify the appropriate domains and IP addresses, nominate responsible contacts and create a process for reviewing and escalating notifications.
Map the supply chain
Build an accurate supplier list and identify which suppliers have access to important data, systems or services.
Check Cyber Essentials coverage
Use the Supplier Check Tool and gather other appropriate evidence where certification is unavailable or is not being required.
Address your own security gaps
Supplier scrutiny is more credible when the organisation has also assessed and strengthened its own technical controls.
Agree how progress will be published
Plan where the signed declaration and future annual updates will appear, who will approve them and what evidence will support the reported progress.
A useful framework, provided the commitment is genuine
The Cyber Resilience Pledge brings several familiar recommendations into one visible commitment.
Its value comes from the connection between them. Board oversight creates accountability. Early Warning improves access to threat information. Supply-chain reviews address risks that sit outside the organisation’s direct control.
Signing without the systems, ownership or resources to follow through would turn the pledge into a communications exercise. Used properly, it can provide a clear programme of work and help senior leaders understand where cyber resilience depends on more than technology alone.
PS Tech helps organisations review their cyber security, strengthen core controls and prepare for Cyber Essentials and Cyber Essentials Plus certification. We can also help you understand the practical IT work that may be needed before making the Cyber Resilience Pledge.
