The Cyber Resilience Pledge
On 7 July 2026, more than 60 UK businesses, including M&S, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte, Accenture UK, Vodafone and VodafoneThree, signed up to the government's new Cyber Resilience Pledge at a launch event hosted by Technology Secretary Liz Kendall at 10 Downing Street. It's a voluntary commitment, but it signals something firms of every size should pay attention to: cyber resilience is being formally repositioned as a boardroom responsibility, not an IT problem.
The Pledge is being positioned as a central pillar of the government's forthcoming National Cyber Action Plan, and it lands at a moment when the scale of the threat facing UK businesses is becoming harder to ignore.
Why now
The numbers behind the launch make the urgency clear. The NCSC recorded 204 nationally significant cyber incidents in the year to September 2025, more than double the 89 recorded the year before.
Over 5 million cyber crimes were committed against UK businesses last year, roughly one every six seconds, according to the NCSC's Annual Review 2025.
The average cost of a significant cyber-attack on an individual UK business now sits at almost £195,000, with the total annual cost to the economy estimated at £14.7 billion, excluding the wider disruption that ripples out across supply chains and customers.
Government and industry figures were candid about what's accelerating the threat: AI. The same capabilities strengthening defenders are also lowering the barrier to entry for attackers, helping them find vulnerabilities in software, write exploit code, and do it at a speed and scale that would have been unthinkable even a year ago.
As Technology Secretary Liz Kendall put it at the launch: "Cyber attacks can disrupt services, put customers' data at risk and have a real impact on the bottom line. As AI makes these threats more sophisticated and easier to launch, no organisation can afford to stand still."
Who's signed, and why it matters that they have
Founding signatories span retail, financial services, media, utilities and technology, and include some of the most recognisable names in British business alongside strategic government suppliers. The breadth of that list is arguably the story here. This isn't a niche security-industry initiative; it's mainstream boards publicly committing to specific, auditable actions.
Nationwide's David Boda, Chief Security and Resilience Officer, framed it as a shared responsibility: "Uplifting the cyber resilience of the UK economy is a collective endeavour that no one organisation or sector can achieve alone." Microsoft UK and Ireland CEO Darren Hardman tied the commitment directly to the AI-driven shift in the threat landscape: "As AI reshapes both the threats we face and our response to them, stronger board-level accountability and supply chain security are how the UK stays ahead."
The message from industry bodies was similar. techUK CEO Julian David argued that cyber risk has outgrown its old category entirely: "With the average cost of significant cyber-attacks to the UK economy recently estimated to be £14.7 billion annually, the equivalent of 0.5% of our GDP it's clear that cyber security and resilience must be recognised as a leadership responsibility and should no longer be viewed as an IT issue alone."
And it isn't only the largest firms making the case. Simon King, CEO of Autotech Group, pointed to trust as the underlying commercial driver: "Trust is built on how well we protect the information, systems and people our customers rely on every day...
As an early signatory of the UK's Cyber Resilience Pledge, we are reinforcing our commitment to continual improvement and ensuring cyber resilience remains a board-level responsibility as both our business and the automotive sector become increasingly connected."
What signatories are actually committing to
The Pledge asks organisations to take three concrete, practical steps, each designed to be achievable without significant new investment:
1. Make cyber security a board-level responsibility. This means implementing the Cyber Governance Code of Practice and ensuring every board member, not just the CISO or IT director, completes the NCSC's Cyber Governance Training. The intent is to close the gap between boards that "own" cyber risk on paper and boards that actually understand what they're accountable for.
2. Register for the NCSC's Early Warning service. This is a free tool that alerts organisations to potentially suspicious activity detected on their networks, effectively giving smaller security teams access to threat intelligence that would otherwise require significant investment to replicate in-house.
3. Take a risk-based approach to requiring Cyber Essentials certification across the supply chain. Rather than mandating a blanket standard everywhere, this asks organisations to apply supply-chain security requirements proportionately, focusing scrutiny on suppliers that pose the greatest risk.
None of these three actions is groundbreaking in isolation. Cyber Essentials, board training and threat monitoring have all existed for years, and none require new technology spend. What's notable is the scale of coordinated adoption and the explicit framing: this is now a leadership responsibility, and boards are expected to demonstrate ownership rather than delegate it entirely downward to IT.
The supply chain angle: the Cyber Charter
Alongside the Pledge, the Department for Science, Innovation and Technology (DSIT) has been developing a government Cyber Charter with its 39 strategic suppliers, the companies that deliver critical services to government. As part of that Charter, all 39 have been invited to sign the Pledge as an initial commitment, and more than 20 have already done so in this first cohort.
This matters beyond the public sector. It signals that cyber resilience expectations are starting to flow through commercial relationships as a condition of doing business, not just as good practice. Any organisation that sits in a supply chain feeding into government, financial services, or another regulated signatory should expect similar expectations to eventually apply to them too, whether through formal certification requirements or informal procurement due diligence.
The wider policy backdrop
The Pledge doesn't sit in isolation. It's launching ahead of the government's new National Cyber Action Plan, which is expected to set out how the UK will invest in AI-powered defensive capabilities, encourage adoption of more secure technologies, and introduce new measures under the National Security Bill to tackle cyber crime. It also complements the Cyber Security and Resilience Bill currently working through Parliament, and builds on existing free resources such as the NCSC's Cyber Action Toolkit and the Cyber Essentials scheme.
Taken together, these points to a policy direction rather than a one-off announcement: government is steadily raising the baseline expectation for cyber governance across the economy, using a mix of voluntary pledges now and legislation to follow.
What this means in practice
For organisations watching from the sidelines, the Pledge is a preview of where regulatory and commercial expectations are heading. It's voluntary today, but procurement teams, insurers, investors and customers are increasingly likely to start asking whether an organisation has board-level cyber governance in place, whether it monitors for early warning signs of compromise, and whether it holds its suppliers to a minimum security bar.
For businesses that haven't yet formalised any of this, the three actions in the Pledge are a sensible, low-cost starting point regardless of whether you formally sign up:
Get board members trained on cyber governance so oversight isn't purely delegated. Register for the NCSC's free Early Warning service, since there's no cost barrier to doing so. And start asking key suppliers whether they hold, or are working towards, Cyber Essentials certification.
Pledging organisations will also be expected to publish their signed pledge letter and provide an annual update on progress, which means this isn't a one-off PR moment for signatories. It creates an ongoing, public accountability mechanism that others will be able to measure against.
The bottom line
Cyber resilience is moving from a technical checkbox to a standing board agenda item, backed by a growing body of legislation, government initiatives and now a public pledge signed by many of Britain's most recognisable businesses. Organisations that treat cyber governance as a leadership responsibility now rather than waiting for it to become mandatory, will be better placed as expectations continue to tighten across procurement, insurance and regulation alike.