“As AI reshapes both the threats we face and our response to them, stronger board-level accountability and supply chain security are how the UK stays ahead,” said Microsoft UK CEO, Darren Hardman.
The Cyber Resilience Pledge: three commitments
The UK government has launched a voluntary Cyber Resilience Pledge that asks signatories to make three concrete commitments. Organisations that join must: implement the Cyber Governance Code of Practice and ensure all board members complete the NCSC’s Cyber Governance Training so that cybersecurity becomes a board‑level responsibility; register for the NCSC’s free Early Warning alert service; and take a “risk‑based approach” to requiring Cyber Essentials certification across their supply chain.
The pledge is described as mainly for medium and large organisations, with the expectation that those organisations can lift baseline security across the wider economy by pushing suppliers to adopt Cyber Essentials.
Who the government says has signed — major private sector names
The government claimed the initiative already has “over 60” business signatories. Named companies on the list include Marks & Spencer, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte LLP, Accenture UK and Vodafone Group. The government also announced a Cyber Charter with its 39 strategic suppliers, inviting them to sign the pledge; the government said 20 of those strategic suppliers have signed so far.
Cyber Essentials: a narrow existing footprint
The pledge relies in part on forcing greater adoption of Cyber Essentials through procurement. That goal faces a scale challenge: data released last year showed roughly 35,000 organisations had signed up to Cyber Essentials out of more than five million businesses in the country. The government has previously reminded firms that businesses with turnover under £20m that are Cyber Essentials certified are entitled to free cyber‑liability insurance, including professional incident response support.
Other government measures: money, legislation and codes
The pledge was first trailed at the government’s CYBERUK conference in Glasgow in April, alongside a £90m ($120m) cash injection. It sits alongside a broader set of measures the government is pressing ahead with to improve corporate cyber resilience: a Cyber Security and Resilience Bill that will introduce new requirements for certain critical national infrastructure providers; a Cyber Action Plan aimed at enhancing resilience and accountability across central government; and the Cyber Governance Code of Practice as a voluntary tool to help boards treat cyber risk like other core business risks.
What this means for technologists, policymakers and medium and large businesses
- Technologists and security teams: the pledge ties board engagement, use of the NCSC Early Warning service, and supply‑chain certification expectations to corporate commitments — measures that security teams will likely be asked to operationalise if their organisations sign up.
- Policymakers and regulators: the pledge supplements planned statutory measures in the Cyber Security and Resilience Bill and the Cyber Action Plan by offering a voluntary avenue to raise baseline practice among larger organisations and their suppliers.
- Medium and large businesses (and their suppliers): the pledge is aimed at these organisations as primary signatories; its practical impact will depend on whether signatories require and enforce Cyber Essentials across their supply chains and whether suppliers scale their own certification in response.
Technology secretary Liz Kendall framed the pledge as a shift in mindset, saying: “The steps in this pledge are practical, achievable and proven to make a difference. Today’s signatories are leading the way, and I encourage organizations across the UK to follow their example.”
The pledge bundles board‑level governance, a government alerting service and supply‑chain certification into a single voluntary commitment backed by a government outreach effort and new public funding. Its success will hinge on how many signatories press suppliers to adopt Cyber Essentials and on whether that pressure closes the gap between the roughly 35,000 organisations currently certified and the millions of small businesses across the country.




