On 22 April 2026, at the NCSC's CYBERUK conference, the UK Government announced the Cyber Resilience Pledge, a voluntary commitment scheme aimed initially at the FTSE 350 and other major UK employers. It will be formally launched in the summer, with the first signatories named publicly. If you run a business that sells into large UK enterprise, the public sector or any regulated industry, this matters to you even if your name is nowhere near the FTSE list.
Here's what you need to know, and what we recommend you do about it.
What the Pledge asks
When you sign the Pledge, you commit to three actions on a fixed timetable:
- Month one – Within one month of pledging you must sign up for the NCSC's free Early Warning service, the national feed of incident, vulnerability and network-abuse alerts.
- Month two – Within two months you must register with the Cyber Essentials Supplier Check Tool and ensure your supply chain adheres to Cyber Essentials. Where a supplier isn't required to hold Cyber Essentials, the Board must justify why.
- Month three – By the three-month mark, cyber security must be made a Board responsibility. You must adopt the Government's Cyber Governance Code of Practice and put every Board member through NCSC cyber governance training.
Signatories are also encouraged to publish their commitment on their website and to provide an annual public update on progress.
Why should you sign the pledge if it’s only voluntary?
At first glance, the Cyber Resilience Pledge is easy to ignore. It is not law, there are no fines for non-compliance, and no regulator can force an organisation to sign. So why should boards pay it any attention? Because the Pledge does not stand alone, and treating it as a purely voluntary exercise misses the wider point.
The Pledge sits alongside the Cyber Security and Resilience (Network and Information Systems) Bill, which significantly strengthens the UK’s cyber regulatory framework. The Bill, which is still being finalised, expands the scope of the existing NIS Regulations to cover organisations that have previously sat outside formal cyber obligations, including medium and large managed service providers, data centres, large load controllers, and designated critical suppliers whose disruption could have national impact.
It also introduces mandatory, time-bound incident reporting, requiring notification within 24 hours of a significant incident and a follow-up report within 72 hours. This mirrors the EU's NIS2 regime and signals a clear direction of travel: faster oversight, earlier intervention, and stronger enforcement.
In that context, the Cyber Resilience Pledge isn't really about voluntarism; it's about pre-alignment.
Signing the Pledge allows organisations to demonstrate early alignment with expectations the government has already said represent the minimum standard. It provides evidence of intent, governance attention, and preparedness before alignment becomes enforceable and subject to regulatory scrutiny.
As the Security Minister said at CYBERUK 2026, “basic cyber hygiene is no longer optional, but the baseline — the absolute minimum we should expect of any serious organisation operating in the modern economy.”
The real question for boards is not whether the Pledge is mandatory today, but how their decisions will be judged once these expectations are no longer optional.
Two things are happening in parallel
- For organisations in regulated and critical-infrastructure sectors – energy, finance, health, water, transport, digital infrastructure and large MSPs – statutory cyber obligations are being tightened through the Bill.
- For everyone else – particularly the large-enterprise mainstream – the same standards are being pushed through procurement via the Pledge's supply-chain audit requirement.
It is reasonable to expect statutory cyber duties to extend further over time, but in our view they will remain sector-specific first, and the Government is far more likely to tighten existing regulators' powers in regulated industries than to legislate across the whole economy.
Smaller organisations without critical infrastructure exposure or a large enterprise client base are not a primary target today and are unlikely to be one tomorrow. However, and this is the crucial point, most organisations still have at least one client who does fall within scope.
What it means for your business
A practical translation:
- If you sell into the FTSE 350, central or local government, the NHS, financial services, energy, telecoms or any other regulated sector, you must assume Cyber Essentials will become a contractual requirement within the next 12 to 18 months. The Pledge gives your largest clients both the tooling and the Board mandate to ask for it.
- If you are a medium or large MSP, a data centre operator, or you provide IT services into critical infrastructure, you should read the Cyber Security and Resilience Bill carefully. You may be directly in scope of statutory obligations, not just procurement pressure.
- If you are a small business with mostly small or mid-market UK clients and no regulated sector exposure, you are not in immediate scope of either the Pledge or the Bill. But the cyber baseline is rising across the whole economy, the cost of a significant cyber attack to a UK business is estimated by the Government at almost £195,000, and the gap between "what's required" and "what's expected" is closing fast.
Our recommendation in all three cases is the same: start adopting the Pledge's requirements voluntarily, now, on your own timetable. Doing it pre-emptively is materially cheaper, calmer and more defensible than doing it under a contract deadline from a major client, or eventually, under a statutory deadline from a regulator.
A sensible starting point
You do not need to sign the Pledge to benefit from the standards behind it. Three steps any organisation can take this quarter:
- Get Cyber Essentials certified. This is the single highest-leverage action: it is the standard the Pledge propagates through supply chains, and it is recognised across UK procurement.
- Register for the NCSC's Early Warning service; it is free and takes minutes.
- Have a Board-level conversation about cyber risk using the Cyber Governance Code of Practice as a template; its principles cover risk management, strategy, people, incident planning, and assurance.
How we can help
If you have any questions about strengthening your cyber resilience or implementing anything discussed in this blog, such as help with supply chain assessments or getting Cyber Essentials certified, please get in touch with our friendly and expert team.