A supplier agreement is waiting for approval.
The service is already in use, the relationship is established and the renewal date is close enough that delaying the decision could create an operational problem of its own. The paperwork confirms the price, the term and the level of support. The supplier has answered the usual questions, and nobody around the table has raised a particular concern.
Approving the renewal feels like the sensible thing to do.
Then somebody asks what access the supplier has to the organisation’s systems.
The answer is not immediately clear. One person believes the supplier can only see the platform it manages. Another remembers an administrator account being created during onboarding. The original technical contact has since left, and the documents in front of the board were written to support the commercial decision, not explain the cyber exposure.
Nothing has gone wrong. There is no obvious warning, no incident demanding attention and no reason to assume that the supplier cannot be trusted.
The difficulty is quieter than that. A decision is being made about an important digital relationship, but the information needed to judge the cyber risk sits somewhere else in the organisation — or may never have been brought together at all.
This is the kind of gap the UK Cyber Resilience Pledge is trying to address.
The pledge is not built around a new security product or a demand that every director becomes a technical specialist. It brings together three existing areas of good practice: clearer board responsibility, earlier warning of potentially malicious activity and stronger assurance across supply chains.
On paper, those are three commitments.
In practice, they are three parts of the same question:
When cyber risk appears inside an ordinary business decision, is the organisation ready to recognise it, own it and act on it?
What is the Cyber Resilience Pledge?
The Cyber Resilience Pledge is a voluntary public commitment created by the UK Government to strengthen cyber resilience across organisations and their supply chains.
It was published on 22 April 2026 and formally launched at Number 10 Downing Street on 7 July 2026. The official communications pack describes it as a way for government and industry to work together around practical actions that can strengthen resilience across the wider UK economy.
Organisations that sign agree to three central commitments:
- Make cyber security a board-level responsibility.
- Register for the National Cyber Security Centre’s Early Warning service.
- Take a risk-based approach to Cyber Essentials across the supply chain.
They also agree to encourage these actions among their suppliers, publish the signed declaration on their website and provide an annual public update on the steps they have taken.
That makes the pledge more than a public statement of support.
A business is not simply agreeing that cyber security matters. It is agreeing that particular people will take responsibility, particular services will be used and particular supplier decisions will be examined rather than assumed.
The pledge remains voluntary, and signing it does not guarantee protection from every cyber attack. Organisations of any size and in any sector can take part, although some of the supporting governance material was designed primarily with medium and large organisations in mind.
Its value therefore does not sit in the act of signing alone. It sits in what changes after the signature is added.
Why these three commitments belong together
Return to the supplier agreement.
The board now knows there is a question about access, but that does not automatically tell anyone what to do next.
Who owns the decision? Should the supplier be asked for further evidence? Is the existing assurance proportionate to the systems it can reach? Would Cyber Essentials be enough, or does the relationship justify something more detailed? If the supplier experienced a cyber incident next week, who inside the organisation would receive the first warning and who would decide how to respond?
These questions cut across governance, technical information, procurement, continuity planning and everyday responsibility.
That is why cyber risk can remain difficult to manage even when everybody involved is capable and acting reasonably.
The person leading procurement is trying to maintain the service. The board is trying to make a proportionate commercial decision. The IT provider may believe its responsibility begins after a technical issue has been reported. The supplier may have provided exactly the information it was asked to provide.
Each part of the process can appear sensible on its own.
The weakness appears between them.
Cyber resilience depends on whether those separate responsibilities connect when a real decision has to be made. The pledge approaches that problem from three directions: leadership must own the risk, warning information must reach the organisation, and supplier trust must be supported by appropriate assurance.
Taken separately, each action is useful.
Taken together, they begin to create a route from uncertainty to action.
Making cyber security a board responsibility
The first pledge commitment is to implement the Cyber Governance Code of Practice and ensure board members complete the NCSC’s Cyber Governance Training within three months of signing, and then annually.
This matters because digital technology is no longer a supporting detail sitting at the edge of most organisations.
It carries payroll, invoicing, customer records, internal communication, operational systems, service delivery and supplier access. A decision about a digital platform can also be a decision about whether staff can work, whether customers can be served and whether the organisation can continue operating during disruption.
The Cyber Governance Code was created to help boards and directors govern those risks. The government’s guidance recognises that many boards still have limited meaningful oversight of the technology on which critical operations depend.
Board responsibility does not mean directors personally configure systems, investigate alerts or assess every technical control.
It means they remain responsible for making sure somebody can.
That distinction is important.
It would be easy for a smaller organisation to interpret board responsibility as another layer of formal governance that belongs to larger companies with security teams, risk committees and specialist advisers. It would be equally easy for a larger organisation to assume that the existence of those teams means the board’s responsibility has already been dealt with.
Neither assumption is enough.
The practical test is whether responsibility remains clear when the answer is uncertain.
In the supplier renewal, the board does not need to inspect the supplier’s systems. It does need to know whether the access has been understood, whether suitable assurance has been obtained, who has reviewed it and who is authorised to accept any remaining risk.
If nobody can answer those questions, the problem is not simply missing technical information. It is missing ownership.
The NCSC’s board training supports this shift without expecting directors to become cyber experts. Its modules cover risk management, strategy, people, incident planning, response and recovery, and assurance and oversight. The emphasis is on helping boards ask better questions and put the Code’s actions into practice.
That changes the board conversation.
Instead of receiving a general update that cyber security is being managed, leaders can ask what important services depend on, which risks are being carried, where supplier access exists, how recovery has been planned and what would require their involvement.
The purpose is not to pull every operational decision upwards.
It is to stop significant decisions from falling into the space between operational teams, technical providers and senior responsibility.
When an early warning reaches the organisation
A few weeks after the supplier renewal, a notification arrives.
It relates to potentially suspicious activity associated with one of the organisation’s public-facing systems. The email contains technical information, but the message does not say that an incident has definitely occurred. It provides an indication that something may need attention.
The person receiving it has other work in progress.
There are customer issues to resolve, a meeting starting shortly and no visible sign that the system is failing. Forwarding the notification to the usual technical contact feels like a responsible response. Once it has been sent, the work continues.
That decision makes sense.
The alert has gone to someone better placed to understand it. There is no reason to create unnecessary disruption before the information has been checked.
The remaining question is what happens after it is forwarded.
The second pledge commitment requires signatories to register for the NCSC’s Early Warning service within one month. The free service uses registered public IP addresses and domain names to send UK organisations notifications about potentially malicious activity, malware, vulnerabilities and exposed services that may affect them.
Registration itself is deliberately straightforward. The NCSC says it can take around five minutes.
The organisational work begins after that.
An alert only improves resilience when it reaches somebody who can interpret it, investigate it or move it to the right place. If it lands in an inbox that is rarely checked, reaches a former member of staff or is forwarded without clear ownership, the organisation has received the warning without gaining much of the time that warning was intended to provide.
This is another example of how cyber resilience depends on decisions rather than information alone.
The service can identify something that deserves attention. It cannot decide who inside the organisation should care, what level of concern is proportionate or how quickly somebody needs to respond.
Those decisions need to exist before the alert arrives.
Who receives the notifications? Who provides technical interpretation? What happens when the usual contact is unavailable? Which findings can be handled routinely, and which need to reach leadership or continuity planning? How is the outcome recorded so the organisation knows the issue was actually closed?
The alert does not need to trigger panic.
It needs a route.
When that route is clear, people do not have to choose between ignoring a technical message they do not fully understand and escalating every notification as though an incident is already underway. They can pass it into an agreed process where the judgement is supported.
That is what turns early warning into earlier action.
Trusting suppliers without relying on familiarity alone
The supplier from the opening may have worked with the organisation for years.
Its staff are known, the service is reliable and previous problems have been resolved quickly. That history matters. Strong supplier relationships are often built on responsiveness, familiarity and repeated evidence that people will do what they say.
None of that should be dismissed.
The difficulty is that a trusted commercial relationship and suitable cyber assurance are not the same thing.
A supplier can be helpful, professional and dependable while still having access arrangements that have not been reviewed for some time. Its own systems or supply chain may have changed. The service may now handle more information than it did when the agreement began. An administrator account created for a temporary task may still exist because removing it never became anybody’s immediate priority.
When the service is working and the relationship feels familiar, reopening those questions can seem unnecessary. The renewal is approaching, continuity matters and asking for more evidence may slow down a decision that otherwise feels straightforward.
That is precisely when familiarity can begin to stand in for assurance.
What recent incidents show about supply-chain dependence
The importance of this is no longer theoretical. In 2025, Marks & Spencer confirmed that attackers gained access to its systems after tricking employees working for a third-party contractor. The incident disrupted online operations and other parts of the business for months.
Harrods later disclosed a separate incident in which personal information belonging to some online customers was taken from a system operated by one of its third-party providers. The breach did not begin inside Harrods’ own systems, but the customer relationship and responsibility for explaining what had happened still remained with Harrods.
The cyber incident at Jaguar Land Rover showed the other side of the same dependency. The original route into JLR has not been publicly confirmed as a third-party compromise, so it should not be presented as one. However, the disruption to JLR’s production quickly spread into its wider automotive supply chain, affecting suppliers and dealerships that depended on its operations continuing.
These incidents are different and should not be reduced to a single explanation. Together, though, they show why supply-chain resilience works in both directions.
A supplier can create a route into an organisation through the access, systems or information it holds. An incident inside a large customer can also create immediate operational and financial pressure for the smaller businesses that depend on it.
What the pledge asks organisations to do
The third pledge commitment brings that relationship into clearer view.
Signatories must register for the Cyber Essentials Supplier Check Tool within two months, audit Cyber Essentials coverage across their supply chain and present the position to the board. They must then take a risk-based approach to requiring Cyber Essentials, obtaining other suitable assurance where certification is not required.
Cyber Essentials is the government-recommended minimum cyber security standard for organisations of all sizes. It is based on five technical control areas intended to reduce exposure to common internet-based threats.
The pledge does not say that every supplier presents the same risk or that one certification answers every possible question.
A company supplying stationery does not usually occupy the same position as a payroll provider, managed IT service, hosted customer platform or organisation processing sensitive records.
A risk-based approach asks the organisation to understand that difference.
What can the supplier access? What information does it hold? How difficult would the service be to replace? Could disruption at the supplier prevent the organisation delivering its own work? Does the supplier connect directly to important systems? What assurance has been provided, and is it enough for the role the supplier plays?
For some relationships, Cyber Essentials may provide an appropriate baseline.
For others, the organisation may need more detailed assurance because the supplier presents greater risk to its systems, data or ability to operate. Cyber Essentials is a minimum standard, not a complete answer for every supplier relationship.
The useful shift is not from trusting suppliers to distrusting them.
It is from informal trust to informed trust.
The organisation can still value the relationship, recognise the supplier’s history and renew the agreement. It simply does so with a clearer understanding of what is being relied upon, what evidence supports that reliance and who owns the remaining risk.
The decision remains commercial.
It becomes better governed.
What this means for smaller organisations
For a smaller organisation, the three commitments may initially sound larger than the business itself.
There may be no separate board committee, procurement team or internal security function. The founder or director signing the pledge may also manage supplier relationships, approve expenditure, respond to operational problems and speak directly with the external IT provider.
That does not make the pledge irrelevant.
In some ways, it makes clarity even more important.
When responsibility sits with a small number of people, it is easy for cyber decisions to remain inside the flow of everything else. A supplier gets renewed between customer calls. A technical alert is forwarded during a busy morning. A continuity plan is updated when a client asks to see it, then returns to the shared folder until the next review.
None of those actions is careless. They reflect the reality of running a smaller organisation where the same person may carry several responsibilities at once.
Proportionate governance does not mean recreating the systems of a large corporate board.
It means making a few important decisions explicit.
Who owns cyber risk? Which suppliers matter most to the organisation’s ability to operate? Who receives alerts? What happens if the main technical contact is unavailable? What assurance is expected before a supplier receives access? When will these arrangements be reviewed?
The answer may be brief. The process may remain simple.
It should still be visible.
The pledge is open to organisations of every size and sector, and smaller businesses can apply the governance principles in a way that reflects their circumstances.
The point is not to create administration for its own sake.
It is to reduce the number of important decisions that depend on memory, assumption or one person happening to be available at the right moment.
Why Cyber Rebels signed the pledge
Cyber Rebels Ltd signed the Cyber Resilience Pledge and was added to the government’s official list of signatories on 10 July 2026.
We signed because the commitments reflect something we see repeatedly in organisations: cyber risk rarely stays neatly inside a technical category.
It appears while a supplier is being approved, a warning is being interpreted, an account is being created, a service is being restored or a leader is deciding whether the information in front of them is enough.
The decision may belong partly to IT, partly to operations and partly to leadership.
If nobody has defined where ownership moves from one to the other, people are left to make sensible decisions with incomplete support.
The pledge does not solve that problem on its own. It does create a clear public commitment to work on it.
For Cyber Rebels, signing means accepting responsibility for implementing the Cyber Governance Code, completing the relevant NCSC training, registering for Early Warning, reviewing Cyber Essentials across the supply chain, publishing the declaration and reporting publicly on progress.
That public element matters.
It makes the commitment easier to return to after the announcement has passed. It provides a basis for reviewing whether the actions have actually reached ordinary decisions, rather than remaining as documents, registrations or statements of intent.
The question next year should not simply be whether the pledge is still displayed on the website.
It should be whether ownership is clearer, warnings have a reliable route and supplier decisions are being made with better information.
A commitment worth making
The supplier agreement can now return to the board.
The service may still be renewed. In fact, after the relevant access and assurance have been checked, the final decision may be exactly the same as it would have been before.
The difference is not necessarily the outcome.
It is the quality of the decision.
The board understands what is being relied upon. The supplier assurance has been considered against the role the service plays. Any remaining risk has an owner. If an Early Warning notification later relates to the organisation’s network, there is a route for handling it. Leadership knows enough to ask what happened next rather than assuming the technical detail sits somewhere else.
That is what the Cyber Resilience Pledge means in practice.
It is not a promise that nothing will go wrong.
It is a commitment to make sure important cyber decisions are less likely to disappear between roles, systems and assumptions when ordinary work is moving.
Businesses considering the pledge should read the declaration carefully and discuss what each commitment would require in their own environment.
Do you agree that cyber security should remain a leadership responsibility? Are you prepared to use the government’s Early Warning service? Will you examine the assurance across your supply chain and make proportionate decisions about what suppliers need to demonstrate? Are you willing to publish the commitment and report on what follows?
Where the answer is yes, the next step is to agree how those responsibilities will be handled, have the declaration signed by the appropriate senior person and return it to the Department for Science, Innovation and Technology.
Signing the pledge is only the beginning.
But for organisations prepared to let the commitments shape real decisions, it is a useful beginning — and one worth making.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.