In April, at the CyberUK conference in Glasgow, the government announced a voluntary Cyber Resilience Pledge - three actions it wants organisations to commit to, with a formal launch this summer and a public list of who has signed. It is aimed at the UK's largest companies. If you run a smaller business, you might assume that means you can ignore it. You can't - and the reason is buried in commitment number three.
What signatories actually commit to
The pledge, published by the Department for Science, Innovation and Technology, contains three actions with real deadlines attached:
1. Make cyber a board responsibility. Signatories implement the government's Cyber Governance Code of Practice, and every board member completes the NCSC's cyber governance training within three months of signing - then annually. Not the IT director. The board.
2. Sign up to Early Warning. The NCSC's free Early Warning service tells organisations when their networks show signs of compromise or exposure. Signatories register within one month.
3. Require Cyber Essentials across supply chains. Signatories register with the Cyber Essentials Supplier Check Tool within two months, audit which of their suppliers hold the certification, and then require it across their supply chain.
Signatories also commit to publishing the signed declaration on their website and encouraging the same actions among their own suppliers. The formal launch this summer comes with a public announcement of who has signed - which tells you the government intends the list to carry commercial weight.
Why this reaches you even if you never sign it
Read commitment three again from the other side of the table. Every large company that signs the pledge is committing to audit its suppliers for Cyber Essentials - and then to require it. Not encourage. Require.
This is the government using procurement gravity instead of regulation. Rather than legislating minimum standards for every business in the country, it is asking the largest companies to make Cyber Essentials a condition of doing business with them - and letting commercial pressure do the rest. It has form here: the same mechanism made Cyber Essentials mandatory for much of central government supply chains years ago. This extends it to the private sector.
The timeline is worth noting. Formal launch in the summer, supplier audits within two months of signing. If your customers include larger firms - and for most of the professional services, engineering and financial services businesses we work with, they do - the letter asking about your Cyber Essentials status could plausibly arrive by autumn. The businesses that already hold the certification will answer it in one line. The ones that don't will be starting a certification process under deadline pressure, with a contract in the balance.
A pledge is, by definition, a promise
We would gently point out one thing about the format. A pledge is a statement of intent - and the gap between stating an intention and evidencing it is where most security programmes quietly fail. To the government's credit, the three actions here are all verifiable: board training is done or it isn't, Early Warning is registered or it isn't, and Cyber Essentials is pass or fail, renewed annually. The pledge only means something because the actions underneath it can be checked.
That happens to be the philosophy we've built our own business around, so we would say this - but it applies to your business too. When the supplier questionnaires start arriving, "we take security seriously" will not be an acceptable answer. A current Cyber Essentials certificate will.
What to do now
If you already hold Cyber Essentials or Cyber Essentials Plus: check it hasn't lapsed, and make sure it's visible - the Supplier Check Tool is how signatories will verify coverage, so your certification should be findable. This is about to become a commercial asset, not just a security one.
If you don't: get certified before you're asked, not after. Certification done calmly takes a few weeks; done under contract pressure it takes the same few weeks plus a strained customer relationship. Cyber Essentials Plus - the independently tested version - is worth the extra step for regulated and professional services firms, since it's the level that insurers and larger procurement teams increasingly recognise.
Whatever your size: the NCSC's Early Warning service and board training are free. There is no commercial catch. If your leadership team hasn't done the training, an hour per person closes that gap - and if you supply anyone who signs the pledge, expect to be asked whether you've taken the same three actions yourself.
Where we stand
We support clients through Cyber Essentials and Cyber Essentials Plus as part of our managed security work, and the platform underneath it - managed detection, identity protection, tested backup - is what makes certification an outcome rather than an annual scramble. And on the subject of proving rather than promising: we're working toward the Assurix trustmark ourselves, which holds MSPs to continuously monitored standards. If we're going to write articles about evidencing your security claims, it seems only fair that someone independently checks ours.
If a customer has already asked about your Cyber Essentials status - or you'd rather be ready before one does - talk to us. And if you're curious where you stand today, our free security scorecard takes a few minutes.