Is The Cyber Resilience Pledge Enough To Protect UK Businesses?

More than 60 organisations have signed the government’s new Cyber Resilience Pledge, which promises to create improved cybersecurity systems as we’re being hit by more attacks that are becoming more expensive to manage. Retailers, banks, tech companies and media organisations such as M&S, Nationwide, ITV, Microsoft UK and Cloudflare are the first signatories.

Cyber attacks cost UK organisations £14.7 billion every year, according to the DSIT and NCSC’s Annual Review 2025 says over 5 million cyber crimes were committed against UK businesses last year, which works out to about an attack every 6 seconds. The NCSC handled 204 nationally major cyber incidents in the year to September, after dealing with 89 during the previous year.

The voluntary pledge asks organisations to make cybersecurity a board responsibility, register for the NCSC’s Early Warning service while taking a risk based approach to requiring Cyber Essentials certification throughout their supply chains. Organisations also promise to publish the signed pledge on their websites and release annual updates explaining what action they have taken.

 

What Does The Pledge Ask Businesses To Do?

 

The pledge puts cybersecurity as a priority in business talks and every board member is expected to complete the NCSC’s Cyber Governance Training within 3 months of signing – and every year after that. Organisations also promise to implement the Cyber Governance Code of Practice as one of their board responsibilities.

Businesses also agree to register for the government’s Early Warning service within a month and review Cyber Essentials certification throughout their supply chains. Every organisation must complete a full audit of Cyber Essentials coverage and present the results to its board before deciding where certification should be required.

Technology Secretary Liz Kendall welcomed the launch, saying, “Today, some of Britain’s biggest businesses are taking action to strengthen their cyber defences and setting a powerful example for others to follow. By signing this Pledge, they are showing that cyber resilience is no longer just an IT issue, it is a business imperative.

“Cyber attacks can disrupt services, put customers’ data at risk and have a real impact on the bottom line. As AI makes these threats more sophisticated and easier to launch, no organisation can afford to stand still.

“That’s why we’re working with businesses to help them strengthen their defences. The steps in this Pledge are practical, achievable and proven to make a difference. Today’s signatories are leading the way, and I encourage organisations across the UK to follow their example.”

 

 

Will Signing The Pledge Protect Businesses?

 

Rocket Software believes the pledge is a useful starting point, but also that signing a document will not solve cybersecurity problems on its own.

Cynthia Overby, Director of Strategic Security Solutions, ZCOE at Rocket Software, said, “We are seeing a widespread industry shift, as organisations increasingly realise that simple compliance with regulatory demands is not enough to ensure true cyber resilience. AI is already having a significant impact on the scale and level of sophistication of ransomware attacks. Coupled with the looming threat posed by quantum computing, there is a heightened sense of urgency for businesses seeking to protect themselves. The Cyber Resilience Pledge is a step forward in acknowledging the need for stronger defences, as those involved commit to ensuring cybersecurity becomes a boardroom responsibility.

“That being said, this pledge must also be a fundamental organisational priority in order to make a difference for UK businesses. Businesses must stop seeing cybersecurity as a defensive cost that comes under the IT department’s remit without providing market advantage. When it is treated as a shared business responsibility instead, it becomes a driver for resilience and growth.”

 

What Comes After Signing The Pledge?

 

Overby believes organisations need to treat cybersecurity as an everyday business activity that needs constant checking, and not just something that you do once in a while through compliance exercises.

She said, “Effective cyber resilience can no longer just be a checklist of isolated tools and periodical audits to ensure compliance. In the modern-day threat landscape, organisations need tailor-made ecosystems that account for exactly where sensitive enterprise data is hosted, and that are rooted in continuous monitoring and zero trust models. Identity management, multi-factor authentication, third-party penetration testing and vulnerability scanning are no longer ‘nice-to-haves’.

“With the Cyber Resilience Act set to come into force in September, secure-by-design principles and fast incident reporting will become commonplace. The Pledge is a sensible foundation. Real resilience requires translating boardroom intentions into operational realities, where continuous monitoring and robust identity control are the baseline, not the aspiration for organisations.”

The government has already confirmed the pledge is a central pillar of its National Cyber Action Plan, which will explain how government and businesses will work together against cyber crime through AI powered defence tech, secure technologies and now, the new measures under the National Security Bill.