The UK government renewed its call on 12 May 2026 for organisations across the economy to sign the Cyber Resilience Pledge, the voluntary commitment first announced at CYBERUK 2026 on 22 April. The Pledge bundles three actions - board-level cyber ownership, the NCSC's free Early Warning service, and Cyber Essentials across the supply chain - into one signed, dated declaration. We unpack the three actions, why they map onto every major UK cyber story of the last twelve months, and what UK schools, charities and smaller businesses should do over the next quarter to be ready when the public signatory list opens in summer 2026.
Key takeaways
The UK government renewed its call on 12 May 2026 for organisations to sign the Cyber Resilience Pledge, the voluntary three-action commitment first announced by the Security Minister at CYBERUK 2026 in Glasgow on 22 April. The renewal was paired with the Cyber Security Sectoral Analysis 2026 (UK cyber sector up 11% to GBP 14.7 billion; AI cyber firms up 68%), framing the message clearly: the supply side of UK cyber is healthy and the demand side now has to do its part.
The Pledge has three core actions. (1) Make cyber a board responsibility by implementing the NCSC's Cyber Governance Code of Practice and having every board member complete the NCSC's Cyber Governance Training within three months and then annually. (2) Sign up to the NCSC's free Early Warning service within one month. (3) Register for the Cyber Essentials Supplier Check Tool within two months and require Cyber Essentials across the supply chain. There are also two supporting commitments: encourage the same actions in your suppliers, and publish the signed declaration on your website.
Action 1 is the part most smaller organisations underestimate. The Cyber Governance Code of Practice has five principles - risk management, cyber strategy, people, incident planning, and assurance and oversight - and the NCSC training is five free online modules of roughly twenty minutes each. A charity trustee, a school link governor or a small business non-executive can complete it across two lunch breaks. The 2025/2026 Cyber Security Breaches Survey confirms most UK organisations still lack a named board-level cyber owner; this is the action designed to close that gap on a dated deadline.
The UK government renewed its call yesterday — 12 May 2026 — for organisations across the economy to sign the Cyber Resilience Pledge, the voluntary commitment first announced by the Security Minister at CYBERUK 2026 in Glasgow on 22 April. The renewal landed alongside the publication of the Cyber Security Sectoral Analysis 2026, which reported the UK cyber industry growing 11% year-on-year to £14.7 billion, with the number of firms offering AI-specific cyber products up 68% on the previous year. The political message was unsubtle: the supply side of UK cyber is healthy; the demand side — every organisation that pays for or depends on those services — now needs to do its part.
For the schools, charities and smaller businesses ReadyToday usually writes for, the Pledge matters in three practical ways. It bundles, into one short list, the controls underwriters quietly require, the controls Cyber Essentials Danzell makes mandatory, and the supplier discipline the M&S, Co-op and Harrods stories proved was missing. Anyone who has been doing the right things for the right reasons already meets most of it. Everyone else now has a short public list, signed on their own website, of what the right things actually are.
What the Pledge actually commits you to
The Pledge has three core actions and a short list of supporting commitments. None of them require new vendors or six-figure budgets. They do require attention from the people at the top of the organisation, which is the part that has historically been hardest to get.
The first action is to treat cyber security as a board-level responsibility. In practice that means implementing the actions in the NCSC's Cyber Governance Code of Practice and ensuring every board member completes the NCSC's Cyber Governance Training within three months of signing, and then annually thereafter. The training is free and online, sits in five modules of roughly 20 minutes each, and covers the Code's five principles: risk management, cyber strategy, people, incident planning, and assurance and oversight. The 2025/2026 Cyber Security Breaches Survey showed that only a minority of UK organisations have a board member with formal responsibility for cyber. This action is designed to fix that with a defined deliverable and a dated completion expectation rather than an aspiration.
The second action is to sign up to the NCSC's Early Warning service within one month. Early Warning is a free notification service that monitors the open web for evidence that an organisation's IP addresses or domains are being scanned or attacked, or that they appear in indicators of compromise that the NCSC sees first. It needs nothing more than a free MyNCSC account and the IP ranges and domains you actually own. Setup takes roughly five minutes. UK-based small businesses, charities and schools have been eligible for years, but uptake has remained low — most of the small organisations we work with had never heard of it before we mentioned it.
Action 2 (Early Warning) is the cheapest, fastest win on the Pledge. The service is free, needs only a MyNCSC account and your IP ranges and domain names, and takes about five minutes to set up. It sends NCSC-curated alerts when your assets appear in scanning data, attack telemetry or indicators of compromise. For SMBs, charities and schools without a 24/7 SOC, getting an NCSC notification at 9am rather than a ransom note at 5pm is the single biggest detection improvement available to them.
Action 3 (Cyber Essentials in the supply chain) converges with everything that has been happening in UK cyber over the last twelve months. It covers the same controls that Cyber Essentials Danzell (mandatory since 27 April 2026) made auto-fail. It is the discipline missing in the M&S, Co-op and Harrods incidents that started with supplier helpdesk compromise. And it is the same shortlist Hiscox, Aviva, Zurich, AIG, CFC and Beazley already use when underwriting smaller-organisation cyber policies. Signing the Pledge in summer 2026 is a public statement of work that the rest of the market is already checking for.
The third action is to require Cyber Essentials across the supply chain, with a registration deadline of two months from signing the Pledge for the new Cyber Essentials Supplier Check Tool. That tool, run through the existing IASME ecosystem, is designed to make it cheap and verifiable to ask suppliers whether they hold a current Cyber Essentials certificate. The point is not paperwork. It is to push the supplier discipline that was missing in the M&S, Co-op and Harrods incidents into the bottom of the market, where most suppliers — and most of ReadyToday's audience — actually sit.
On top of those three actions, signatories commit to encouraging the same behaviour in their own suppliers and to publishing the signed declaration on their website. The formal launch — with a public list of signatories — is scheduled for summer 2026.
Why this matters for SMBs, charities and schools
The temptation, looking at the Pledge from a 30-person charity or a 600-pupil multi-academy trust, is to read it as a corporate-governance document aimed at FTSE 350 boards. That misreads it.
The Cyber Governance Code is deliberately written so the actions translate down. A primary academy trust does not have a non-executive risk committee, but it does have trustees, and the Code's question — "does the board understand what would stop the organisation operating, and what would restart it?" — is easier to answer in a small organisation than a large one. A small charity is more likely to have one person making most of the technology decisions than a FTSE company is, which means board-level cyber engagement is often just that person being asked the right questions, on the record, twice a year.
The Early Warning piece matters even more for smaller organisations. The 2025/2026 Cyber Security Breaches Survey showed 43% of UK businesses and 28% of charities experienced an incident in the last twelve months, and the dominant attack pattern is still phishing — 38% and 25% respectively. Free, automated, NCSC-curated alerts that something has gone wrong, sent before your monitoring tools see it, are disproportionately useful for organisations that do not have a 24/7 security operations team to call. The marginal cost is zero. The marginal benefit is the difference between finding out about a compromise from the NCSC at 9am and from a ransom note at 5pm.
The supply chain piece is where the Pledge stops being optional in practice. UK cyber insurance carriers — Hiscox, Aviva, Zurich, AIG, CFC, Beazley — already use Cyber Essentials certification as an underwriting input on smaller-organisation policies, as we covered in the cyber insurance renewal checklist ten days ago. Insurers will not be slow to start asking whether an applicant has signed the Pledge, and whether the applicant's suppliers carry Cyber Essentials too. Pledge signatories are essentially pre-answering several proposal-form questions, which makes renewal easier and quotes sharper. Non-signatories are not penalised, but the bar for "what good looks like" is being moved publicly.
What to do this quarter
If your organisation is going to sign the Pledge — and we think most ReadyToday-audience organisations should — the work splits cleanly across the next twelve weeks.
In weeks one and two, name a board-level owner for cyber and put the NCSC Cyber Governance Training on their calendar. If you are a charity, that is most likely a trustee with a technology or risk background. If you are a school or MAT, it is most often the trust IT-and-data lead with a named link governor. If you are a small business, it is the owner or a non-executive director if you have one. The training does not need to be done all at once — five modules at roughly 20 minutes each fits across two lunch breaks.
In weeks three and four, get the Early Warning account live. Create a MyNCSC account, add the IP ranges and domain names you own (your hosting provider can give you those in a single line item if you do not have them to hand), and route the alerts to a shared mailbox that someone reads daily.
In weeks five through eight, work on the supplier piece. Pull together a one-page list of the suppliers that hold your data, your email, your finance system, your booking or admissions system, and your safeguarding records. For each one, note whether they hold a current Cyber Essentials certificate. Ask the ones that do not whether they are pursuing one, and on what timeline. Add a single Cyber Essentials clause to the next contract renewal. None of this requires a procurement function — a shared spreadsheet and twenty emails will get you most of the way.
In weeks nine through twelve, fill the small remaining gaps that the supplier check exposes, do a dry-run tabletop against a Scattered-Spider-style helpdesk reset scenario, and write a short paragraph for your website confirming that you intend to sign the Pledge when the public list opens in the summer.
The honest summary
The Cyber Resilience Pledge is the closest the UK has yet come to a single, plain-English answer to "what is the minimum bar?" — a question schools, charities and smaller businesses have been asking for years without getting a clean response. None of the three actions is new. Cyber Essentials has existed since 2014; the Early Warning service has existed since 2021; the Cyber Governance Code of Practice has been live since early 2025. What is new is that they are now bundled, publicly committed, and tied to a single signed declaration that other organisations — and underwriters — can check.
For the ReadyToday audience, signing the Pledge in the summer is a small public statement of work you should be doing anyway. The benefit is that doing it visibly, on a deadline, makes the work easier to fund, easier to delegate, and easier to explain to a board or a trustee or an underwriter. We help schools, charities and smaller businesses do that work in weeks rather than quarters — if you would like a hand, our cybersecurity resilience service and a free discovery call are the right starting points.