The warnings issued by Five Eyes and the National Cyber Security Centre (NCSC) highlight how artificial intelligence (AI) is accelerating cyber threats and reinforcing the importance of getting the fundamentals right. Since then, another important initiative deserves attention.
Announced by ministers at CYBERUK 2026, the UK Government’s Cyber Resilience Pledge is a positive step towards raising the profile of cyber resilience at board level. It signals a clear intention to encourage organisations to take greater ownership of cyber risk and strengthen the UK’s overall resilience. That ambition should be welcomed.
What is the Cyber Resilience Pledge?
The pledge is built around three commitments. First, organisations should make cyber resilience a board-level responsibility, ensuring that cyber risk is owned and governed at executive level. Second, organisations are encouraged to enrol in the NCSC’s Early Warning service, enabling them to receive timely notification of malicious activity affecting their internet-facing services. Third, organisations are asked to require Cyber Essentials across their supply chains, helping to improve the baseline level of cyber hygiene amongst suppliers.
Collectively, these commitments seek to improve leadership, strengthen threat awareness and encourage better security practices across UK organisations. They represent a positive step forward.
However, the pace at which cyber threats are evolving, particularly through AI, raises an important question.
Are these three commitments enough for the threat landscape organisations face today?
A positive direction of travel
The most encouraging aspect of the pledge is that it places cyber resilience firmly within the responsibility of boards and executive leadership. For many years cyber security has been viewed as a technology problem delegated to IT departments and security teams. That mindset is changing, and rightly so. Recent attacks against retailers, healthcare providers, universities and public services have demonstrated that cyber incidents are fundamentally business resilience events. They affect customers, operations, reputation and financial performance. Board ownership of cyber risk should therefore become the norm rather than the exception.
The Cyber Security and Resilience Bill, currently progressing through Parliament, reinforces this direction of travel. However, it is important to recognise that it is not yet law. Even when enacted, its primary regulatory focus will remain on operators of essential services, relevant managed service providers, data centres and designated critical suppliers, rather than the wider UK economy. While this represents an important strengthening of resilience across critical sectors, the majority of organisations will continue to rely upon guidance, good governance and voluntary adoption rather than statutory obligations.
This is why the Cyber Resilience Pledge matters. It helps broaden the conversation beyond regulated organisations and reinforces that cyber resilience is a leadership responsibility rather than simply a compliance exercise.
The three commitments are necessary – but no longer sufficient
I support all three commitments contained within the pledge. Strong board governance, improved threat awareness, and encouraging better cyber security standards across supply chains are all worthwhile objectives.
The challenge is not whether these commitments are valuable. The challenge is whether, on their own, they are sufficient to deal with the realities of today’s cyber threat landscape. AI is changing the economics of a cyber-attack. Software supply chains have become significantly more complex. Organisations increasingly rely on cloud platforms, SaaS applications, open-source software, APIs and AI services. Identity has become the new security perimeter. Threat actors are increasingly operating at machine speed.
Against that backdrop, cyber resilience must evolve beyond governance, compliance and point-in-time assurance towards continuous measurement, continuous validation and adaptive defence.
Threat intelligence must come from multiple sources
The pledge encourages organisations to enrol in the NCSC Early Warning service. This is undoubtedly a valuable capability and one that many organisations should adopt. The NCSC performs a vital role in protecting UK organisations and providing intelligence that would otherwise be unavailable.
However, effective threat intelligence has never relied upon a single source of information. Today’s threat landscape evolves too rapidly for any individual government agency, commercial provider or intelligence organisation to possess complete visibility. The most mature Security Operations Centres (SOCs) combine intelligence from government agencies, commercial providers, sector information-sharing groups, internal telemetry, dark web monitoring and global threat research. Increasingly, artificial intelligence is helping correlate these signals, identify patterns and prioritise emerging threats.
Government intelligence should form part of the picture and it should never become the only picture. Diversity of intelligence creates resilience.
Supply-chain security is more than supplier certification
The pledge asks organisations to acquire Cyber Essentials across their supply chains. Encouraging suppliers to adopt recognised security standards is undoubtedly good practice and should be supported.
Cyber Essentials provides a practical and effective baseline for improving cyber hygiene, particularly for small and medium-sized enterprises. By focusing on secure configuration, identity and access management, vulnerability management, malware protection and patching, it helps organisations establish a solid foundation upon which they can build their cyber security capability.
However, the challenges facing large, complex organisations are fundamentally different. Today’s enterprises operate highly interconnected digital ecosystems spanning cloud providers, SaaS platforms, AI services, APIs, open-source software and global technology partners. Cyber Essentials was never intended to provide comprehensive assurance across these environments, nor to address the risks associated with modern software supply chains and inherited dependencies.
That is why Cyber Essentials should be viewed as possible foundation rather than a complete measure of cyber resilience, especially when other frameworks exist which provide a risk based approach which may be more appropriate to your organisation, for example NIST, ISO27001, and CAF.
Supplier assurance and software supply chain assurance are no longer the same thing. Certification demonstrates that an organisation achieved a recognised baseline at a particular point in time. It cannot provide continuous assurance that software dependencies remain secure, identities remain protected or inherited vulnerabilities have not emerged. Modern resilience requires continuous visibility of software composition, software bills of materials (SBOMs), third-party identities, attack surface exposure and inherited risk alongside traditional supplier assurance.
Cyber health must become the measure of success
Perhaps the greatest opportunity created by the Cyber Resilience Pledge is to move the national conversation beyond compliance and towards cyber health. Boards should increasingly ask questions such as:
- Are our identities protected?
- Are vulnerabilities reducing?
- Are our detections working?
- Can we detect lateral movement?
- Have we exercised our recovery capability?
- Would we know if an attacker bypassed our preventative controls?
These questions provide a far more meaningful understanding of resilience than whether a policy has been approved or a certification has been achieved. Continuous threat simulation, Continuous Threat Exposure Management (CTEM), attack path analysis, resilience exercises and AI-assisted security operations should increasingly become part of normal cyber operations rather than specialist activities.
In an AI-driven threat landscape, assumptions become dangerous. Continuous testing and validation are essential.
A Field CISO’s perspective: How the Cyber Resilience Pledge could go further
The Government deserves considerable credit for placing cyber resilience firmly on the board agenda. That conversation is long overdue, and the Cyber Resilience Pledge is a positive step in encouraging organisations to think differently about cyber risk.
However, the pledge should be viewed as the beginning of the conversation rather than the destination.
The three commitments encourage better governance, improved threat awareness, and stronger supplier security. They are all worthwhile, but they represent only part of the foundations required to build genuine cyber resilience. As the threat landscape evolves through AI, increasingly complex software supply chains, and faster-moving adversaries, organisations need to move beyond these initial measures.
Future versions of the pledge should encourage organisations to measure improvements in cyber health rather than simply confirming participation. They should recognise that threat intelligence is strongest when multiple trusted sources are combined and operationalised. They should acknowledge that software supply chain assurance now extends well beyond supplier certification and requires continuous visibility of dependencies, identities, and inherited risk.
Continuous validation should become an expected part of good cyber governance. Threat simulation, breach and attack simulation, adversary emulation, CTEM, and resilience exercises provide evidence that security controls are operating effectively. They move organisations from assuming they are protected to knowing how well they are protected.
Finally, the pledge should explicitly recognise the role of AI in cyber defence. If Five Eyes is correct that attackers will increasingly use AI to accelerate offensive operations, then defenders must be equally ambitious in adopting AI to improve detection, investigation, threat hunting, and response. AI-augmented SOCs and Managed Detection and Response (MDR) services are rapidly becoming essential components of modern cyber resilience.
The Cyber Resilience Pledge is a welcome initiative because it raises the conversation where it matters most – in the boardroom. However, the next stage of the UK’s cyber resilience journey should move beyond governance and compliance towards measurable cyber health, continuous validation, intelligence-led operations, software supply chain assurance, and AI-enabled defence.
Good cyber hygiene provides the foundation.
Continuous validation provides the confidence that those foundations remain effective.
Resilience is the outcome.
That, in my view as a Field CISO, is where the UK’s cyber resilience strategy should now be heading.
Find out more
Contact us if you would like to discuss how to strengthen your organisation’s cyber security and data security.

















