The UK Government’s Cyber Resilience Pledge, announced at the NCSC’s CYBERUK conference on 22 April 2026, formally makes cybersecurity a board-level obligation for FTSE 350 companies and major UK employers. Ministerial letters have already landed on CEO and chair desks across the country — and the public list of signatories will be published this summer.

This is not a compliance exercise for the IT team. It is a direct accountability shift to the boardroom, and senior leaders who treat it as such will be better positioned than those who don’t.

What Is the UK Cyber Resilience Pledge — and Who Is It For?

The Cyber Resilience Pledge is a voluntary commitment scheme introduced by the Department for Science, Innovation and Technology (DSIT), aimed initially at FTSE 350 organisations and other large UK employers. It accompanies a broader £90 million government investment in national cybersecurity infrastructure, announced at the same CYBERUK event in Glasgow.

The word “voluntary” should not mislead. A ministerial letter addressed to CEOs and chairs of FTSE 350 companies has explicitly invited them to sign. When the public register of signatories is published in the summer, the organisations that have not signed will be conspicuous — to investors, clients, regulators, and counterparties alike. According to DSIT, the Pledge is designed to “end plausible deniability” for executives on cyber risk.

For boards of mid-to-large UK organisations outside the FTSE 350, the direction of travel is clear: what is voluntary today has a strong precedent for becoming mandatory tomorrow, as has been the pattern with TCFD climate reporting and UK GDPR accountability frameworks.

What Does the Pledge Actually Require of Your Board?

Organisations signing the Cyber Resilience Pledge commit to three specific actions, each with defined timelines:

  • Make cyber a board-level responsibility. All board members must complete the NCSC’s Cyber Governance Training within three months of signing, and then annually. This is not optional for individual directors — it applies to the full board.
  • Register for NCSC Early Warning. This free government service provides real-time alerts when your organisation’s assets are implicated in known threats or data breaches. Signing up is straightforward; failing to do so after making a public commitment is not a good look.
  • Require Cyber Essentials across your supply chain. Organisations must register with the Cyber Essentials Supplier Check Tool within two months of signing and conduct a comprehensive audit of supplier coverage. For organisations with complex supplier networks, this is the commitment that will demand the most operational effort.

Taken together, these three actions create a governance chain: the board is accountable, the organisation is monitored in near-real-time, and third-party risk is actively managed rather than assumed. This mirrors the logic of the FCA’s existing Senior Managers and Certification Regime (SMCR), where individual accountability is traceable and documented.

Why Are UK Organisations Already Accelerating Cyber Investment?

The Pledge arrives at a moment when UK boardrooms were already shifting their cyber posture — but not always fast enough. According to KPMG research published in January 2026, cybersecurity has emerged as the top technology spending priority for UK organisations in 2026, with 57% planning to increase their cyber budget by more than 10% over the next twelve months. Globally, only 41% of organisations are planning the same level of increase — a significant gap that reflects the intensity of the UK regulatory and threat environment.

A separate PwC survey found that more than 85% of UK businesses plan to increase cyber spending in 2026, with supply chain interdependencies and AI-enabled threats cited as the primary drivers. The NCSC’s Annual Review consistently notes that the gap between board awareness and board competence on cyber risk remains the most significant governance vulnerability in UK organisations.

The Pledge directly addresses this gap — not by asking boards to become technical experts, but by requiring them to complete structured governance training and to own the accountability framework.

How Should Boards Approach Cyber Governance After Signing?

Signing the Pledge is the beginning of a governance posture, not the end. Senior leaders who want to move from compliance to genuine resilience should consider the following:

First, ensure cyber risk has a standing agenda item at board level — not just an annual review, but a quarterly discussion tied to threat intelligence, incident metrics, and supply chain assurance. The NCSC Cyber Governance Training provides a structured framework for what boards should be asking their CISO or technology leads.

Second, map your material third-party suppliers against Cyber Essentials coverage before the two-month supplier audit deadline arrives. Many organisations will find gaps they were not aware of — identifying them proactively is far preferable to discovering them after an incident.

Third, consider how cyber risk sits alongside your existing ISO 27001 or NIST framework commitments. The Pledge is complementary to — not a replacement for — existing certification regimes. Boards with mature information security management systems will find the transition easier; those without a baseline framework should use this moment to establish one.

Executive Action

  • Review the Pledge commitments against your current board governance structure. Identify which of the three actions — board training, Early Warning registration, supply chain audit — requires the most lead time and assign an owner before the summer launch.
  • Brief your board chair on the reputational dimension: the public signatory register means that non-participation is a visible signal to investors and enterprise clients, particularly those with their own supply chain assurance requirements.
  • Schedule NCSC Cyber Governance Training for all board members now rather than waiting for the three-month post-signing window. The training is free, structured for non-technical executives, and takes less than a day to complete.

INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.

Frequently Asked Questions

Is the UK Cyber Resilience Pledge mandatory for FTSE 350 companies?

Not currently — it is framed as a voluntary commitment. However, ministerial letters have been sent directly to CEOs and chairs of FTSE 350 organisations, and a public register of signatories will be published in summer 2026. Given that non-participation will be visible to investors, regulators, and enterprise clients, the practical pressure to sign is significant. Many governance observers expect elements of the Pledge to become mandatory requirements within the next regulatory cycle, following the precedent set by TCFD and UK GDPR.

What is the NCSC Cyber Governance Training and who must complete it?

The NCSC Cyber Governance Training is a free, structured programme designed specifically for non-technical board directors and senior executives. It covers cyber risk as a strategic and financial issue, board oversight responsibilities, and how to engage effectively with technical teams. Under the Pledge, all board members — not just those with technology portfolios — must complete the training within three months of signing, and then annually. It is available directly via the NCSC website and requires no prior technical knowledge.

What does requiring Cyber Essentials across the supply chain mean in practice?

Cyber Essentials is a UK Government-backed certification scheme covering five foundational security controls: firewalls, secure configuration, access control, malware protection, and patch management. Requiring it across your supply chain means verifying that your material third-party suppliers hold valid Cyber Essentials certification. Under the Pledge, signatories must register with the Cyber Essentials Supplier Check Tool within two months and complete a comprehensive supplier audit. For organisations with large or complex supplier networks, this is likely to be the most operationally intensive element of the commitment.

How does the Cyber Resilience Pledge relate to existing frameworks like ISO 27001 or DORA?

The Pledge sits alongside — not instead of — existing information security and operational resilience frameworks. Organisations that already hold ISO 27001 certification or are implementing DORA (the EU Digital Operational Resilience Act, which affects UK financial services firms with EU operations) will find the Pledge’s governance requirements largely complementary. DORA’s requirements around ICT risk management, third-party oversight, and incident reporting align closely with the Pledge’s supply chain and early warning commitments. However, organisations cannot use existing certifications as a substitute for the board training requirement — that element is specific to the Pledge.
