UK Cyber Resilience Pledge launches with 60+ firms
Cyber security stories can sound distant until a checkout stops working, a newsroom loses access to its systems, or staff cannot log in to do ordinary jobs. That is the backdrop to the government’s new Cyber Resilience Pledge, formally launched at 10 Downing Street on 7 July 2026 at a reception hosted by Technology Secretary Liz Kendall, with more than 60 organisations already signed up, including M&S, Nationwide, ITV, Microsoft UK and Cloudflare. (gov.uk)
**What the numbers mean:** the pressure is already here. The NCSC Annual Review 2025 says more than 5 million cyber crimes were committed against UK firms last year, which the government describes as roughly one every six seconds. The same review shows the NCSC handled 204 nationally significant incidents in the year to the end of August 2025, up from 89 the year before, while government-commissioned research puts the average cost of a significant attack on a UK business at almost £195,000 and the yearly cost across organisations at £14.7 billion. (gov.uk)
AI is part of why ministers are sounding more urgent. In the government’s account, artificial intelligence can help defenders, but it can also help attackers find weaknesses in software, produce code to exploit them and repeat that work much faster than before. **What this means for you:** this is not only a story about highly skilled hackers; it is also a story about ordinary criminal tools becoming faster, cheaper and easier to copy. (gov.uk)
The pledge itself is simple enough to explain in plain English. Organisations that sign up agree to make cyber security a board responsibility by following the Cyber Governance Code of Practice and getting board members through NCSC governance training. They also agree to register for the NCSC’s free Early Warning service, which alerts them to suspicious activity, and to take a risk-based approach to asking suppliers for Cyber Essentials certification. (gov.uk)
That supply-chain point matters more than it may first appear. Big organisations are often only as safe as the contractors, software providers and outsourced services connected to them, so a weak link can sit far away from the main brand. The pledge was designed for medium and large organisations but is open to organisations of every size, and the government says that more than 20 of its 39 strategic suppliers joined this first cohort of signatories. (gov.uk)
The National Cyber Security Centre is making a useful point here: the basics still matter. The same cyber hygiene measures recommended against familiar attacks are also the ones organisations should use against AI-assisted threats, only with more urgency because the pace of attacks is rising. **What resilience means in practice:** not that an organisation will never be hit, but that it can spot trouble earlier, limit the damage, recover faster and protect customers and staff more effectively. (gov.uk)
There is also a lesson about leadership. A voluntary pledge can raise standards, but a signed letter on a website is not protection by itself. The test comes later, when directors actually learn enough to ask hard questions, when warning alerts are watched rather than ignored, and when supplier checks are treated as ordinary business rather than an extra task for the IT team. Under the scheme, organisations are expected to publish their pledge and provide yearly updates on the steps they have taken. (gov.uk)
For readers outside a large company, this is still your story. If you work in a school, college, charity, clinic or local business, the same questions apply: who owns cyber risk, what happens if systems go down, and which supplier could become your weak spot? The government is presenting this pledge as one part of a wider push to raise cyber resilience across the UK economy, but the practical takeaway is smaller and more useful: good cyber security starts with clear responsibility, basic checks and acting before a problem becomes a crisis. (gov.uk)