The government is increasing pressure on businesses to treat cyber security as an operational and boardroom issue, tying a new Cyber Resilience Pledge to the wider progress of the Cyber Security and Resilience Bill through Parliament. In its announcement, ministers presented the pledge and the bill as linked parts of a broader effort to protect the economy and the essential services that depend on digital systems. The policy case set out by government is that cyber incidents now carry direct consequences for public service continuity and economic activity. Energy networks, water systems, healthcare providers and data centres all depend on digital resilience, which means cyber risk is being handled less as a narrow technical matter and more as a mainstream issue of national infrastructure and business continuity.
The Cyber Resilience Pledge, due to launch later in 2026, asks organisations to take three steps that are notable for their governance focus. Companies are being asked to make cyber security a board-level responsibility, join the National Cyber Security Centre's free Early Warning Service and require Cyber Essentials certification across their supply chains. For employers, that has immediate practical effects. Board ownership would need to be clearer, procurement teams would need to test suppliers against a recognised baseline, and cyber assurance would move further into routine contract management. The government says ministers have already written directly to leading companies to encourage participation, and that £90 million is being committed to improve cyber resilience across the wider economy.
The legislative backdrop is central to the announcement. The Cyber Security and Resilience Bill is due to continue through Parliament following the King's Speech, and ministers are presenting it as a long-term framework for raising expectations around critical national infrastructure. The government's stated objective is to reduce the risk of disruption to services that households and businesses rely on every day. That framing matters for operators in energy, water, healthcare and data centres, as well as for the contractors and technology suppliers that support them. Even before the bill completes its passage, the direction of travel is clear: stronger resilience requirements, closer scrutiny of operational weaknesses and less tolerance for insecure supply chains.
The government is pairing that regulatory message with an industrial one. According to official figures published alongside the announcement, UK cyber security sector revenue rose by 11% over the last year to £14.7 billion, while the number of firms increased by 20% to 2,603. The same release says the sector created 2,300 jobs over the year. Those figures are being used to show that cyber policy is not only about reducing harm. Ministers are also presenting the sector as a source of skilled employment, investment and domestic capability. In policy terms, the message is that higher resilience standards and sector growth are being pursued together rather than as separate agendas.
The threat picture described by ministers is centred on the growing role of AI in offensive cyber activity. Government figures show 43% of UK businesses experienced a cyber breach or attack in the past year, and the announcement argues that newer AI models are lowering the barrier for attackers to identify vulnerabilities and carry out attacks more quickly and at greater scale. Ministers also pointed to research from the AI Security Institute on frontier models including Mythos and GPT 5.5. The conclusion drawn in the government statement is that traditional protections on their own are no longer sufficient. Organisations are instead being encouraged to build systems that can detect issues earlier, contain disruption and recover more quickly when incidents occur.
Institutionally, the government is relying on two public bodies to support that argument. It says the AI Security Institute provides an advanced capability for assessing frontier AI systems, while the National Cyber Security Centre continues to publish practical guidance that businesses can use. Together, those institutions are being positioned as the technical base for a more interventionist cyber policy. Cyber Security Minister Baroness Lloyd framed the issue in economic as well as security terms, describing cyber security as fundamental to growth, job creation and the resilience of everyday services. That wording is important because it places cyber controls within normal business governance and public-service assurance, rather than treating them as specialist measures for technology teams alone.
For businesses, the immediate policy signal is straightforward even before the pledge formally opens and the bill completes its parliamentary stages. Senior leadership teams are being asked to show direct ownership of cyber risk, check whether NCSC services are being used and review whether supplier contracts should depend on Cyber Essentials certification. For essential-service operators and public authorities, the announcement points to a firmer compliance environment over time. For the wider market, it suggests that cyber resilience is moving further into regulation, procurement and board oversight. Taken together, the government's package reads less like a standalone campaign and more like a coordinated attempt to tighten expectations across infrastructure, supply chains and the broader economy.