"Whilst the investment is 'nice on paper and helpful for SMEs' it is 'nowhere near enough' to address the scale of the problem," James Neilson, SVP of International at OPSWAT, told Infosecurity on April 22.
Dan Jarvis at CYBERUK: a £90m push for cyber resilience
At the National Cyber Security Centre’s annual CYBERUK conference on April 22, Dan Jarvis, the UK’s Minister for Security, unveiled a £90m ($120m) government injection intended to strengthen the nation’s cyber resilience. Jarvis said the funding would help provide support to small and medium-sized businesses and that the government aims to help organisations implement the Cyber Essentials standard.
The Cyber Resilience Pledge and the three required actions
Jarvis also called for every major organisation to sign a new Cyber Resilience Pledge, which the government plans to launch in the summer. According to the announcement, businesses will be able to become signatories if they take three concrete actions:
- Make cyber security a board-level responsibility
- Sign up to the National Cyber Security Centre’s free Early Warning service
- Require Cyber Essentials certification across their supply chains
Cyber Essentials: milestones and remaining uptake questions
The government emphasised Cyber Essentials as a central tool in its approach. The source notes that, last summer, quarterly certifications surpassed the 10,000 milestone for the first time. Nevertheless, the announcement acknowledged that overall take-up of the certification scheme "has not always been perceived as enough," a shortfall the pledge and new funding aim to address.
Industry responses from OPSWAT, Illumio and TrendAI
Reaction from the private sector, as captured at CYBERUK, was immediate and measured. James Neilson of OPSWAT welcomed the cash as "helpful for SMEs" but argued the amount is insufficient given the scale of need and emphasised that many small firms lack not only funding but security expertise. He urged the government to "heavily invest in support and guidance."
Trevor Dearing, director of critical infrastructure at Illumio, framed the gap more practically: "What many small businesses lack is practical guidance on how to protect sensitive data and keep critical services running when incidents occur." His comment highlights an emphasis on operational readiness rather than funding levels alone.
Jonathan Lee, Director of Cyber Strategy at TrendAI, told Infosecurity the government and the NCSC are "saying the right things," but he pressed for movement beyond encouragement and guidance toward active incentives. Lee specifically suggested exploring tax credits and said, "Let’s incentivize people to invest more in their resilience because ultimately, we’re told it’s a team sport and everyone needs to work together."
What this means for SMEs, major organisations, and policymakers
- SMEs: The announced £90m is explicitly intended to support small and medium-sized businesses, but industry voices cited in the source say that practical guidance and skills development are as critical as funding.
- Major organisations: Businesses large enough to be asked to sign the Cyber Resilience Pledge will face a clear set of conditions—board-level ownership of cyber security, use of the NCSC Early Warning service, and requiring Cyber Essentials across supply chains—which could shift corporate governance and procurement practices.
- Policymakers: The government is coupling cash with behaviour-change tools (the pledge and promotion of Cyber Essentials). Industry responses in the source suggest policymakers may need to consider complementary measures—such as stronger guidance, direct support programs, or fiscal incentives—to increase adoption and operational impact.
The government has also highlighted existing fiscal support: UK businesses developing innovative technology solutions, including in cybersecurity, can claim Research and Development tax relief to reduce Corporation Tax or receive cash payments—a lever industry figures in the source suggested could be used more intentionally to incentivise resilience investment.
For now, the timetable is clear on two points in the source: the £90m package was announced at CYBERUK on April 22, and the Cyber Resilience Pledge is due to be launched in the summer. How far that combined approach—limited direct funding, a public pledge with three requirements, and the existing R&D tax-relief regime—will move uptake of Cyber Essentials and operational resilience remains a point of contention among the named industry representatives quoted at the conference.




