Guidance

Cyber Resilience Pledge declaration

Published 22 April 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/cyber-resilience-pledge/cyber-resilience-pledge-declaration

Government Cyber Resilience Pledge

Following the government’s ministerial letter of 13 October 2025, [organisation name] hereby pledge to undertake the following actions, as outlined in the letter:

1. Make cyber a Board responsibility

a. Implement all actions within the Cyber Governance Code of Practice.

b. Ensure all board members undertake the NCSC’s Cyber Governance Training within 3 months and then on an annual basis.

2. Sign up to Early Warning

a. Register for the Early Warning service within one month of signing the pledge.

3. Require Cyber Essentials across supply chains

a. Register to the Cyber Essentials Supplier Check Tool within 2 months of signing the pledge.

b. Ensure that a comprehensive audit of Cyber Essentials coverage has been conducted across our entire supply chain and that it is presented to and discussed by the Board.

c. Take a risk-based approach to requiring Cyber Essentials across our supply chain (which may include requiring it from all suppliers). If Cyber Essentials is not required for certain suppliers, the board will ensure that this decision aligns with our organisations risk appetite and strategy and that adequate assurance is obtained through other means.

In addition to the above 3 actions, we commit to take the following steps:

  • Encourage these actions within our own supply chains - we will strive to engage with our suppliers to understand and better manage the cyber security risks that they are exposed to through their supply chain and encourage adoption of the above measures.

  • Publish the signed pledge declaration on our website - within 2 months, we will publish the signed pledge declaration on our company website. Additionally, we will publish an annual public update, either in our annual report or on our company website, on the steps taken to deliver against the pledge.

While the pledge is voluntary, we commit to take positive and meaningful steps to fully implement the 3 actions.  If our company has been unable to implement any of the pledge actions, we will promptly provide DSIT with relevant feedback as to why.

Signed,

[Chair/CEO name]

Back to top