Cyber Resilience Pledge: Your FAQ Guide


Cyber resilience is quickly becoming a board-level priority, and the UK Government’s Cyber Resilience Pledge is another clear signal of where expectations are heading. But what does it mean in practice?

Here’s a straightforward FAQ-style guide to help you understand the pledge, what’s required, and how to prepare.

Is the Cyber Resilience Pledge law?

No, the Cyber Resilience Pledge is not a legal requirement. It’s a voluntary, government-led initiative.

That said, it carries growing strategic importance:

  • It’s backed by the Department for Science, Innovation and Technology (DSIT)
  • It was announced at CyberUK by the Security Minister
  • It signals an expected baseline for “serious” organisations over time

The purpose of the pledge is to encourage organisations to strengthen their cyber security posture. Many expect that it could follow a similar trajectory to the Cyber Essentials scheme, which began as a voluntary initiative before becoming a requirement for many public sector contracts and supply chains.

Who is the pledge aimed at?

The Cyber Resilience Pledge is aimed at businesses that sell into regulated or large organisations, like government, the NHS, financial services, energy, telecoms and FTSE 350 companies.

It also applies to medium and large IT providers, MSPs, and data centre operators, especially those supporting critical infrastructure, as they may face legal obligations as well as customer demands.

Smaller businesses without links to these sectors aren’t immediately affected, but expectations are rising across the board, so it’s still relevant to them over time.

What do we have to do if we sign?

Signing the Cyber Resilience Pledge means committing to three core actions.

1. Make cyber security a board-level responsibility

Within three months of signing, you must:

This formalises cyber security as a board accountability issue, not just an operational concern.

2. Register for NCSC Early Warning

During month one, you must sign up to the NCSC Early Warning service. This free service provides proactive threat alerts and intelligence, helping organisations respond quickly to emerging risks.

3. Require Cyber Essentials across your supply chain

This is the most commercially significant element. You must:

Crucially, this extends beyond your own organisation: it pushes cyber security expectations down the supply chain.

Are there any additional commitments?

Yes, if you sign the Cyber Resilience Pledge, you must also:

  • Promote the pledge within your supply chain
  • Publish your signed pledge declaration publicly on your website

These requirements introduce transparency and accountability, helping to drive wider adoption.

What happens if we don’t sign?

Right now, nothing. There are no legal penalties, no fines and no enforcement. However, the commercial reality may shift quickly:

  • Large organisations and government bodies may begin to expect signatories
  • It could appear in tender requirements and due diligence checks
  • Signatories will be publicly listed, creating visible differentiation

In short, there is no immediate risk, but there is a potential competitive disadvantage over time.

What should you do now?

Even if you’re not ready to sign the Cyber Resilience Pledge, it’s worth preparing. We recommend that you start with the following steps:

  1. Obtain your Cyber Essentials certification. This is the most impactful step you can take, as it forms the foundation of the Pledge approach across supply chains and is widely accepted within UK procurement frameworks.
  2. Enrol in the NCSC Early Warning Service. The service is free to join and only takes a few minutes to register.
  3. Hold a Board-level discussion on cyber security risk. Use the Cyber Governance Code of Practice as a guide to shape the conversation, covering key areas such as risk management, strategic direction, workforce considerations, incident response planning, and assurance.

Our final thoughts

The Cyber Resilience Pledge may be voluntary, but it’s far from optional in a strategic sense. It represents a clear shift towards:

  • Board-level accountability
  • Supply chain security enforcement
  • Greater transparency in cyber maturity

Organisations that act early won’t just reduce risk, they’ll be better positioned to compete, comply, and lead as expectations evolve.

If your organisation is serious about strengthening your cyber resilience, get in touch with our team to discuss.
