
The Cyber Resilience Pledge: the real story is in your supply chain 

The Cyber Resilience Pledge is not just about who signs it; it is reshaping cyber security expectations across entire supply chains.

Most of the coverage of the Cyber Resilience Pledge has focused on who’ll sign. That’s the wrong question. The more interesting one: what happens to every organisation that supplies a signatory? 

The Pledge’s third action asks signatories to require Cyber Essentials across their supply chain. When a FTSE 350 company signs, the effect doesn’t stop at their corporate perimeter. It ripples outward, through every tier of their supplier base, pulling the cyber posture of organisations of every size up with it. 

The proof point behind the Pledge’s supply chain action is a specific one: St. James’s Place, the wealth management firm, became the first UK private-sector organisation to mandate Cyber Essentials Plus across its 2,800-strong partner network. They reported around an 80% reduction in cyber security incidents after roll-out, a figure DSIT now cites in the Pledge’s own Information Pack. 

One important nuance: SJP mandated Cyber Essentials Plus, which includes an independent technical audit. The Pledge itself only asks signatories to mandate Cyber Essentials, which is self-assessed. That gap between the evidence and the ask points to how to get real value out of this action: treat CE as the minimum floor for your broad supplier base, and CE+ for any supplier with access to your sensitive data or critical services. The 80% result is a CE+ outcome, not a CE one.

What the cascade actually looks like 

A major signatory has hundreds, sometimes thousands, of direct suppliers. Each of those suppliers has its own suppliers. Cyber Essentials at Tier 1 forces Tier 2 to take it seriously too, if they want to keep winning work. Within a procurement cycle, you've shifted the security baseline across five or six layers of the supply chain without a single piece of legislation.

That’s why the Pledge matters even if you never sign it. If your biggest customer signs, you will feel it. 

The assessment problem 

So how do signatories actually work out where they are? Three things, broadly. 

First, the Cyber Essentials Supplier Check Tool. This is a new mechanism that signatories register for within two months; it gives the board a consolidated view of which suppliers hold a valid CE or CE Plus certification.

Second, a comprehensive audit of current coverage, presented to and discussed by the board. For anyone with a few thousand suppliers, this is not a trivial piece of work. 

Third, a risk-based decision on which suppliers must hold CE and which can be managed through other forms of assurance. 

That third point is where the hard commercial decisions live. A catering supplier with no access to your data isn’t the same risk as your ERP integrator. The smart approach is tiered: Cyber Essentials as the baseline for your general supplier population, Cyber Essentials Plus for suppliers with access to sensitive data or critical services, and alternative assurance routes for the small number of suppliers where CE isn’t proportionate. You have to evidence those decisions, apply them consistently, and defend them to the board. 
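The three steps above, as an added example that is not part of the article and not SysGroup's own tooling: a Python gap analysis run over a constructed supplier register. It applies the tiered policy just described (CE Plus where a supplier reaches sensitive data or a critical service, CE as the baseline otherwise, an alternative assurance route where CE is not proportionate), treats an expired certificate as no certificate at all, and lists the gaps nearest contract renewal first, since renewal is where the mandate can be written into an existing contract. The supplier names, access flags and dates are constructed sample data; the register fields and the expiry rule are assumptions, not the Supplier Check Tool's own data model.

```python
"""Supplier assurance gap analysis for a Cyber Essentials mandate.

Added example: not the article's or SysGroup's code. The register layout,
the tiering rule and the "expired means none" rule are assumptions made here.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    NONE = 0      # no certificate, or CE not proportionate (alternative assurance)
    CE = 1        # Cyber Essentials (self-assessed)
    CE_PLUS = 2   # Cyber Essentials Plus (independently tested)


@dataclass
class Supplier:
    name: str
    sensitive_data: bool        # can reach our sensitive data
    critical_service: bool      # delivers a service we cannot operate without
    proportionate: bool         # is asking for CE proportionate for this supplier?
    cert: Level                 # highest certificate the supplier currently holds
    cert_expires: Optional[date]
    contract_renewal: date      # next point at which terms can be changed


@dataclass
class Finding:
    supplier: str
    required: Level
    held: Level
    status: str                 # "compliant", "gap" or "alternative assurance"
    reason: str
    contract_renewal: date


def required_level(s: Supplier) -> Level:
    """Tiered policy: CE Plus for sensitive/critical suppliers, CE as the
    baseline, alternative assurance only where CE is not proportionate."""
    if s.sensitive_data or s.critical_service:
        return Level.CE_PLUS
    if not s.proportionate:
        return Level.NONE
    return Level.CE


def assess(suppliers: List[Supplier], today: date) -> List[Finding]:
    """Compare what each supplier holds against what the policy requires."""
    findings = []
    for s in suppliers:
        need = required_level(s)
        # Assumption: a certificate past its expiry date gives no assurance.
        expired = s.cert != Level.NONE and (s.cert_expires is None or s.cert_expires < today)
        held = Level.NONE if expired else s.cert
        if need == Level.NONE:
            status, reason = "alternative assurance", "CE not proportionate; assure via another route"
        elif held >= need:
            status, reason = "compliant", f"holds valid {held.name} (required {need.name})"
        elif expired:
            status, reason = "gap", f"{s.cert.name} expired on {s.cert_expires}"
        elif held == Level.NONE:
            status, reason = "gap", f"no certificate; {need.name} required"
        else:
            status, reason = "gap", f"holds {held.name}; {need.name} required"
        findings.append(Finding(s.name, need, held, status, reason, s.contract_renewal))
    # Gaps first, nearest contract renewal first: that is where the ask can be enforced.
    findings.sort(key=lambda f: (f.status != "gap", f.contract_renewal))
    return findings


def summary(findings: List[Finding]) -> dict:
    """Consolidated counts for the board view."""
    counts = {"compliant": 0, "gap": 0, "alternative assurance": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample register (names, flags and dates are invented).
TODAY = date(2026, 6, 1)
SAMPLE_SUPPLIERS = [
    Supplier("Acme Catering", False, False, True, Level.NONE, None, date(2026, 9, 1)),
    Supplier("Nimbus ERP Integrations", True, True, True, Level.CE, date(2027, 1, 15), date(2027, 3, 31)),
    Supplier("Brightline Payroll", True, False, True, Level.CE_PLUS, date(2026, 11, 30), date(2026, 12, 31)),
    Supplier("Greenfield Grounds", False, False, True, Level.CE, date(2026, 3, 1), date(2026, 7, 15)),
    Supplier("Rainwater Window Cleaning", False, False, False, Level.NONE, None, date(2026, 10, 1)),
]

if __name__ == "__main__":
    results = assess(SAMPLE_SUPPLIERS, TODAY)
    for f in results:
        print(f"{f.supplier:28} {f.status:22} renewal {f.contract_renewal}  {f.reason}")
    print(summary(results))
```

The ERP integrator in the sample holds CE but is marked as a gap, because the policy asks for CE Plus from anyone reaching sensitive data: that is the CE-versus-CE-Plus distinction from the SJP case applied in code. The expired-certificate case matters in practice because Cyber Essentials certificates are renewed annually, so a register that only records "has CE" without an expiry date will overstate coverage.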

Can you actually mandate it in contracts? 

New contracts: yes, comfortably. Add a CE requirement to your standard terms, build a verification step into supplier onboarding, done. 

Existing contracts are harder. You’re looking at contract variations, renegotiations at renewal, or a transition period for suppliers to get certified. For critical suppliers with long-tail contracts, this needs legal review and a clear commercial approach. 

International suppliers complicate things further. The government’s guidance here is pragmatic: ask them to demonstrate they meet equivalent basic controls to those defined in Cyber Essentials. CE certification remains available to overseas organisations via IASME, but equivalent controls are often the more realistic ask. 

Will commercial change be required? Yes, meaningful change. 

Most organisations mandating CE across their supply chain will need to: 

The organisations that do this well will have mature, auditable supplier assurance programmes within 12 months. The ones that don’t will end up with a spreadsheet, a missed renewal date, and some awkward questions at the next board meeting. 

The Pledge’s supply chain action is the one that will cost the most to implement and deliver the most lasting impact. It’s also the one most likely to be underestimated at the point of signing. 

If your organisation supplies a FTSE 350 business, when does your next contract renewal land? And will you be ready? 

Written by James Henry, Cybersecurity Expert here at SysGroup.

Contact us: info@sysgroup.com 

Sources: 

Cyber Resilience Pledge and the three actions: Department for Science, Innovation and Technology, Cyber Resilience Pledge, 22 April 2026. https://www.gov.uk/government/publications/cyber-resilience-pledge 

80% incident reduction figure (St. James’s Place case study): IASME, St. James’s Place mandates Cyber Essentials Plus across its internal supply chain, May 2024. https://iasme.co.uk/articles/wealth-management-firm-st-jamess-place-mandates-cyber-essentials-plus-across-network-of-partner-organisations/ 

Cyber Essentials Supplier Check Tool, Cyber Advisor scheme, and international supplier guidance: DSIT, Government Cyber Resilience Pledge Information Pack, April 2026. https://assets.publishing.service.gov.uk/media/69e79ddc9ca985145673b7d9/Government_Cyber_Resilience_Pledge_Pack.pdf 


Frequently Asked Questions

What is the Cyber Resilience Pledge?

The Cyber Resilience Pledge is a UK government initiative encouraging organisations to take practical steps to improve cyber resilience, including requiring Cyber Essentials across their supply chain.

What is Cyber Essentials?

Cyber Essentials is the UK government-backed minimum cyber security standard for organisations of all sizes. It focuses on five technical controls designed to prevent common internet-based cyber threats.

What is Cyber Essentials Plus?

Cyber Essentials Plus includes the same requirements as Cyber Essentials, but adds independent technical verification. This makes it more suitable for suppliers with access to sensitive data, systems or critical services.

Why does the Cyber Resilience Pledge matter for suppliers?

The pledge matters because signatories are expected to require Cyber Essentials across their supply chain. If a large customer signs, suppliers may need to prove they meet Cyber Essentials requirements to keep winning or renewing contracts.

Do all suppliers need Cyber Essentials Plus?

No. A risk-based approach is more practical. Cyber Essentials can be used as the baseline for most suppliers, while Cyber Essentials Plus is better suited to higher-risk suppliers with access to sensitive data, critical systems or essential services.

Can Cyber Essentials be added to supplier contracts?

Yes. For new contracts, organisations can add Cyber Essentials requirements into standard terms and onboarding checks. Existing contracts may require renewal discussions, contract variations or transition periods.

Does Cyber Essentials apply to international suppliers?

Yes. International suppliers can pursue Cyber Essentials certification, but in some cases it may be more realistic to ask them to demonstrate equivalent controls aligned to Cyber Essentials requirements.

What are the business benefits of Cyber Essentials Plus?

Cyber Essentials Plus provides stronger assurance because controls are independently tested. In the St. James’s Place case study, mandating Cyber Essentials Plus across its partner network was linked to an 80% reduction in cyber security incidents.