The security and facilities management services contractors Sodexo and Mitie are among the first businesses to sign a UK Government ‘Cyber Resilience Pledge’.
Technology Secretary Liz Kendall said some of Britain’s biggest businesses were taking action to strengthen their cyber defences and setting an example for others to follow. She said: “By signing this Pledge, they are showing that cyber resilience is no longer just an IT issue – it is a business imperative. Cyber attacks can disrupt services, put customers’ data at risk and have a real impact on the bottom line. As AI makes these threats more sophisticated and easier to launch, no organisation can afford to stand still.
“That’s why we’re working with businesses to help them strengthen their defences. The steps in this Pledge are practical, achievable and proven to make a difference. Today’s signatories are leading the way, and I encourage organisations across the UK to follow their example.
DSIT (the UK’s Department for Science, Innovation and Technology) added that a ‘National Cyber Action Plan’ will set out how the government will work with industry to protect the UK from cyber threats it faces in the AI era. DSIT has been developing a UK Government Cyber Charter with its 39 strategic suppliers: companies that deliver critical services to central government.
Who’s signing
Among those signing are the defence firm QinetiQ; contractors Fujitsu Services and Capita; the high street name M&S, among retailers to suffer ransomware attack last year that disrupted business; and the Nationwide Building Society. David Boda, Chief Security and Resilience Officer at Nationwide, said: “Uplifting the cyber resilience of the UK economy is a collective endeavour that no one organisation or sector can achieve alone. As a modern mutual Nationwide Building Society are proud to play our part and be a signatory of the Cyber Resilience Pledge.”
About the Pledge
A launch was at 10 Downing Street on July 7, 2026. It’s an entirely voluntary declaration, that a business will ‘make cyber a board responsibility’; register for the Early Warning service. from the UK official NCSC (National Cyber Security Centre), giving free notifications of ‘malicious activity’; and require the basic certification Cyber Essentials across supply chains. The three points were set out in a letter by ministers including Liz Kendall to UK major company chairs and CEOs in October 2025, that stated that ‘hostile cyber activity in the UK is growing more intense, frequent and sophisticated’.
Comments
Also signing the Pledge is the cyber firm Cybersmart whose CEO and co-founder Jamie Akhtar said: “For years, cyber security has often been treated as a technical problem to solve after the fact. The Cyber Resilience Pledge reflects something we’ve believed for a long time – resilience starts with leadership, good governance and getting the fundamentals right. We’re proud to be among the first organisations to sign the Pledge. The three commitments are practical, evidence-based steps that any organisation can take today. Making cyber a Board responsibility, using the NCSC’s Early Warning service and taking a risk-based approach to Cyber Essentials across supply chains are all actions that improve resilience without creating unnecessary complexity.”
He added that organisations don’t usually become more secure by buying more technology. “They become more secure by consistently applying proven controls, building good habits and making cyber security part of how the business operates.”
Iain Davidson, Head of Product Marketing at Wireless Logic, which offers IoT (Internet of Things) devices, called the Pledge a useful step forward, but added that it won’t be meaningful if treated as a boardroom exercise rather than an operational one. He said: “AI is making cybercrime faster, cheaper and easier to scale – but the bigger issue is how dependent our economy has become on connected devices, which often sit beyond the traditional view of IT.
“Payment terminals, EV chargers, healthcare devices, logistics systems and industrial sensors are a crucial part of how modern services are delivered. If they fail, the impact isn’t just technical. Customers are affected, revenue is disrupted and trust is damaged. And the fine is often the smallest part of the bill. The real cost compounds through downtime, reputational damages, and increasingly, exclusion from procurement frameworks that now assess a supplier’s security posture before the contract conversations even starts. The priority for all organisations must be better visibility. They need to know what’s connected, which devices are critical, what normal behaviour looks like and where supplier dependencies could create blind spots. AI has a role to play here too, helping teams spot abnormal patterns early and prioritise what needs attention before disruption spreads.
“With regulations like the UK Cyber Security and Resilience Bill and the EU’s upcoming Cyber Resilience Act pushing even more accountability to any organisation manufacturing or selling connected devices, security cannot stop at the design stage of the device or launch. Instead, it must span across the whole lifecycle. Engineering and product teams must plan for all obligations they are responsible for – vulnerability management, firmware updates, patch deployment, breach disclosure, incident response, none of which are one-time activities. As a result, organisations really can’t afford to treat device security as someone else’s problem. While Cyber Essentials and early warning tools are sensible foundations, real resilience comes from the ability to act quickly whenever something changes.”





