Government launches the Cyber Resilience Pledge

The Government has just launched the Cyber Resilience Pledge, which has already been signed by over 70 leading UK companies and organisations, including M&S, Mitie Group, Vodafone, Sage, and EY.

The pledge is voluntary and has been actively developed in response to an increasingly hostile level of cyber threats targeting UK organisations, causing significant financial and social harm to UK businesses and citizens.

Signatories commit to 3 specific requests and activities:

1️⃣ Make cyber a board-level responsibility

a) implementing all actions in the Cyber Governance Code of Practice, and

b) ensuring all board members undertake the NCSC’s Cyber Governance Training within 3 months, and then annually.

2️⃣ Sign up to Early Warning (the NCSC’s early warning service)

a) Register for the Early Warning service within one month of signing the pledge

3️⃣ Require Cyber Essentials across supply chains

a) Register to the Cyber Essentials Supplier Check tool within 2 months of signing the pledge

b) Ensure that a comprehensive audit of Cyber Essentials coverage has been conducted across their supply chain, with results presented and discussed by the Board.

c) Take a risk-based approach to requiring Cyber Essentials across the organisation’s supply chain, and encourage these actions within their own supply chains, alongside publishing the pledge declaration on their website.

What does this mean for small and medium organisations?

For many small and medium organisations, this is not a mandate to sign the pledge from the government. The Cyber Governance Code of Practice and Cyber Governance Training were developed primarily for medium and large organisations, but they can still provide useful guidance for leaders in smaller organisations, particularly where they play a critical role in wider digital supply chains.

The main implications of the pledge are going to be how it affects supply chains. Larger organisations signing the pledge are committing to improving cyber assurance across their supply chains.

In practice, this is likely to create a cascading effect through supply chains over the next 12 to 24 months, particularly for SMEs that handle sensitive data, have access to customer systems, or play a critical role in service delivery.

What to expect over the next 12-24 months

  1. Cyber Essentials will (finally) become a commercial baseline, meaning that not having Cyber Essentials may increasingly mean:
    • Delays in onboarding
    • Exclusion from tenders
    • Additional due diligence questionnaires and additional questions raised
  2. Supplier due diligence will become more structured; we can expect more formal requests for supply chain assurance such as:
    • Requests for policies and controls
    • Evidence of certifications or audits
  3. The flow-down of requirements will accelerate; if one of your clients signs the pledge, they will need to demonstrate progress within months. This urgency is often passed directly to suppliers, creating short timelines for compliance
  4. Risk-based pressure, not blanket requirements – organisations will prioritise suppliers who have a higher risk. if you sit in one of these categories, the expectations for assurance will be higher:
    • Handle sensitive data
    • Have system access
    • Are critical to their operations.

Practical steps for small and medium organisations

  • Get Cyber Essentials (if you haven’t already)
    This gives you a recognised, credible baseline and reduces friction in sales and procurement.
  • Map your own supply chain risk
    You may face the same expectations from your customers and need to flow them down further.  Understanding this now avoids being caught between client demands and supplier gaps.
  • Prepare a simple “security pack”
    Have key information ready, such as:
    • Your Cyber Essentials status
    • Key policies, such as information security, data protection etc. 
    • Contact details for security and data protection queries
    • Evidence of completed checks or tests of incident response plans and business continuity plans.
  • Align security with commercial outcomes
    This is not just about risk reduction.  It is about:
    • Protecting revenue
    • Maintaining your supplier status
    • Enabling growth with larger clients

A practical takeaway

For small and medium-sized organisations, the Cyber Resilience Pledge may not be a direct obligation, but it is likely to influence customer expectations across supply chains. Over the next 12 to 24 months, many businesses will find that Cyber Essentials, basic security documentation, and proportionate supplier assurance become part of normal procurement and supplier reviews.

Those that prepare early will be better placed to respond quickly, reduce friction in sales, and protect valuable customer relationships.

If you are unsure whether your business could evidence the right level of cyber assurance today, now is a good time to review your position.

A short, practical gap assessment can help you identify what customers are likely to ask for, where the gaps are, and what to prioritise first.

Useful links and further information

Full list of signatories: https://www.gov.uk/government/publications/cyber-resilience-pledge-list-of-signatories/cyber-resilience-pledge-signatories

Cyber Governance Code of Practice: https://www.ncsc.gov.uk/cyber-governance-for-boards/code-of-practice

NCSC Cyber Governance Training: https://www.ncsc.gov.uk/cyber-governance-for-boards/training

IASME Cyber Essentials Certificate Search: https://iasme.co.uk/cyber-essentials/ncsc-certificate-search/

Cyber Essentials Supplier Check tool (for larger organisations: https://supplier.iasme.co.uk/

NCSC Early Warning: https://www.ncsc.gov.uk/section/active-cyber-defence/early-warning

CATEGORIES:

Updates

Tags:

Comments are closed