Guidance
Frequently asked questions
Published 22 April 2026
| Question | Answer |
|---|---|
| Does taking the pledge protect me from cyber attacks? | Taking the actions contained within the pledge will have an immediate positive impact on your organisation’s resilience to cyber attacks. However, it does not guarantee protection from all cyber attacks. Organisations should therefore continue to take additional measures to enhance their resilience. |
| What organisations can sign the pledge? | The pledge has been designed primarily for medium and large organisations. However, organisations of any size in any sector can sign the pledge and we encourage all to do so. |
| Will DSIT monitor adherence to the pledge? | As this is a voluntary pledge, there is no formal assurance mechanism. Some of the pledge actions, such as signing up to both the Early Warning Service and the Cyber Essentials Supplier Check tool, can be reviewed by DSIT. It is possible that in some instances, failure to complete an action may result in the company either withdrawing from, or being removed from, the pledge. |
| If my company signs the pledge, is it an ongoing commitment? Will our status be reviewed? | Companies that sign the pledge are committing to providing an annual public update on their progress. At that point, given that developing cyber resilience is an ongoing endeavour, we would expect pledging companies to reaffirm their commitment and to undertake the actions on an annual basis. Additionally, given that the threat landscape is evolving and new complex cyber threats may emerge, government will continue to review the suitability of the pledge, with the potential of refining the actions at the end of a 12-month cycle. |
| Where does the pledge fit within the wider government cyber security advice, guidance and tools? | The NCSC and government have produced a wide range of advice, guidance and Codes of Practice to help organisations develop secure technology and build cyber resilience. The 3 actions of the pledge are a fundamental part of this holistic package of support and are the foundational actions to building economy-wide cyber resilience. |
| What is the relationship between the pledge and the Cyber Security & Resilience Bill? | The government is increasing protections for essential and digital services through the Cyber Security and Resilience Bill (CSRB), which, via secondary legislation, will set security and resilience requirements designed to be consistent with the NCSC’s Cyber Assessment Framework (CAF) and other good practice frameworks. The pledge has not been specifically designed for organisations in scope of the CSRB. However, the 3 actions in the pledge, which are based on lessons learned from previous attacks, remain essential and can help achieve outcomes in the CAF. |
| Can any organisation sign up to NCSC’s Early Warning service? | The Early Warning Service is available for UK entities only. |
| Why does the pledge not ask organisations to become Cyber Essentials certified themselves? | All organisations should seek to become Cyber Essentials certified and we encourage pledging organisations to do so. It is effective for organisations of all sizes, in all sectors, and many large companies have achieved Cyber Essentials or Cyber Essentials Plus. While organisations should ensure they have implemented appropriate controls relative to their risk profile, this pledge action focuses on raising the security baseline across UK supply chains to drive resilience at scale. |
| Is Cyber Essentials a sufficient standard for my supply chain’s cyber security? | Cyber Essentials is the minimum standard of cyber security recommended by the government for organisations of all sizes. For many suppliers, Cyber Essentials certification alone will not provide sufficient assurance. Depending on the risk a supplier poses to your security, the protection of your data and your ability to deliver your own services, you may ask for additional cyber security assurance. |
| What support is available to help organisations embed Cyber Essentials across their supply chains? (for suppliers) | For suppliers: the Cyber Advisor scheme provides NCSC-assured consultancy, designed to help small and medium organisations improve their cyber security and certify to Cyber Essentials. Currently, customer organisations can purchase a package of Cyber Advisor hours to allocate to suppliers. |
| What support is available to help organisations embed Cyber Essentials across their supply chains? (for customers) | For customers: NCSC and DSIT have published a Cyber Essentials Supply Chain Playbook which provides practical guidance on how to embed Cyber Essentials within supply chains. The Cyber Essentials delivery partner, IASME, also provides a range of support services to organisations looking to require it in their supply chains. |
| I have hundreds/thousands of suppliers. Am I meant to require this from each and every one? | Cyber Essentials is proven to be effective. Where some organisations have mandated it from their third parties, they see up to an 80% reduction in incidents. Therefore, the more companies that have Cyber Essentials in your supply chain, the more resilient it will be. However, we recognise that for some companies with complex supply chains this will take time. The pledge invites boards to take a risk-based approach to requiring Cyber Essentials across their supply chain, which may result in requiring it from all suppliers. |
| Is Cyber Essentials only relevant for my suppliers? | No. Cyber Essentials can provide assurance that any business partner has put in place fundamental controls that protect against common cyber attacks. Organisations should seek assurance from all business partners that the Cyber Essentials controls are in place, and seek independent verification through certification where possible. |
| I have lots of international suppliers – is Cyber Essentials still relevant? | The principles behind the Cyber Essentials scheme are universally relevant and the controls are important for businesses all over the globe. If your suppliers operate internationally, the most effective approach is to ask them to demonstrate they meet equivalent basic controls to those defined in Cyber Essentials. |
| Do multinational organisations, with boards based outside of the UK, need to complete the NCSC Cyber Governance Training? | The NCSC Cyber Governance Training supports boards to implement the Cyber Governance Code of Practice. We encourage pledging organisations with non-UK based boards to undertake the NCSC Cyber Governance Training annually. However, complementary training offerings in their respective geographies that support the adoption of the principles outlined in the Governance Code would be acceptable. |
| My organisation complies with other governance standards instead of the Cyber Governance Code of Practice. Can we still sign the pledge? | When the Cyber Governance Code of Practice was published, it was done so alongside a cyber governance mapping tool. This free tool illustrates similarities and differences between the Code and existing standards, such as NIST and ISO27001. For some standards and frameworks, you may need to take a few additional actions. We encourage you to use the tool to check whether you have any governance gaps. |
| Will publicly committing to the pledge increase my organisation’s exposure to cyber threats? | There is no evidence to support this as the majority of cyber attacks are not targeted at specific companies. The majority of cyber attacks are typically commodity attacks that seek to exploit known vulnerabilities – which the 3 actions in the pledge can help companies combat. Signing the pledge does not mean that an organisation is not already doing some/all of the actions and it should not be viewed as a public declaration that an organisation has not taken the prescribed steps. |
| Our company works in the defence sector and supplies the MOD. Is the pledge a suitable substitute for Defence Cyber Certification (DCC)? | No. The pledge should not act as a substitute for the Defence Cyber Certification (DCC). The DCC is an organisation-wide cyber security certification framework for UK defence suppliers. It provides a single, organisation-level assurance which can be presented in support of UK Defence procurements (subject to annual attestation and re-certification every 3 years). We recommend you speak to your contact at the MOD to discuss the DCC further. More information about how you can become certified can be found on IASME’s website: Defence Cyber Certification. |