LegislationGB

Cyber Resilience Pledge

UK voluntary scheme requiring board-level cyber accountability and NCSC Early Warning enrolment.

Last refreshed: 29 May 2026

Timeline for Cyber Resilience Pledge

#51 May

UK cyber sector clears 14.7bn pounds

Cybersecurity: Threats and Defences

View full timeline →

Common Questions

What is the UK Cyber Resilience Pledge?: A voluntary scheme announced by DSIT in May 2026 requiring signatories to appoint a board-level cyber lead, enrol in the NCSC's free Early Warning service, and achieve Cyber Essentials certification across their supply chains. Signatories are published on GOV.UK.Source: cyber-threats-and-defences
How does the Cyber Resilience Pledge differ from mandatory cyber regulations?: The Pledge is voluntary, creating public reputational incentives rather than legal obligations. It complements but does not replicate NIS2-style mandatory security requirements that apply to operators of essential services.Source: DSIT
What is the NCSC Early Warning service and how do I sign up?: The NCSC's Early Warning service is free to UK organisations and provides alerts when your IP addresses or domains appear in threat intelligence feeds. Enrolment via the NCSC portal is one of the three Cyber Resilience Pledge obligations.Source: NCSC
When will the Cyber Resilience Pledge formally launch?: DSIT plans a formal launch in summer 2026, with signatories published on GOV.UK. The scheme was announced alongside the UK cyber sector's May 2026 figures showing £14.7 billion in annual revenue.Source: cyber-threats-and-defences

Background

The Cyber Resilience Pledge is a voluntary commitment scheme announced by the UK Department for Science, Innovation and Technology (DSIT) in May 2026, with a formal launch planned for summer 2026. Signatories commit to three obligations: appointing a designated board-level lead for cyber security; enrolling in the NCSC's free Early Warning service; and attaining Cyber Essentials certification across their supply chains. Participating organisations will be published on GOV.UK. The Pledge sits alongside a £90 million DSIT funding package targeting NHS suppliers and SMEs to raise baseline cyber resilience across the UK economy.

The Pledge responds to a consistent finding in UK cyber incident data: breaches frequently enter via supplier and third-party relationships rather than directly targeting the primary victim. By requiring Cyber Essentials certification across supply chains rather than just at the signatory, DSIT is pushing accountability down vendor tiers. The NCSC Early Warning service provides free alerting on IP addresses and domain names that appear in threat intelligence feeds, giving participating organisations visibility they would not otherwise have without a dedicated security operations capability.

For the UK cyber sector — which reported £14.7 billion in annual revenue across 2,603 companies employing 69,600 people in DSIT's May 2026 figures — the Pledge represents a soft-regulation approach that avoids imposing NIS2-style mandatory obligations while creating public reputational incentives for adoption. Its effectiveness depends on the breadth of take-up among supply-chain participants; the summer 2026 launch will test whether the voluntary model achieves meaningful coverage.

Source Material

NCSC Early Warning Service Cyber Resilience Pledge

How the World Sees Them

NCSC

Early Warning enrolment is the NCSC's free offering to extend threat visibility beyond large enterprise; the Pledge provides a structured route for SMEs and supplier tiers to join.

UK Government (DSIT)

The Pledge is the primary soft-regulation response to repeated supply-chain cyber incidents; avoids NIS2-style mandatory rules while creating public reputational pressure for adoption.

Industry (UK cyber sector)

Voluntary certification carries lighter compliance overhead than mandatory schemes; industry bodies broadly welcomed the Pledge as an achievable baseline, though enforceability remains a concern.