UK Government’s Cyber Resilience Pledge Secures 60 Signatories, Including M&S and Capita
The UK Government’s new Cyber Resilience Pledge has been signed by 60 organizations, including M&S and Capita. Examining the participation and absences of affected companies.
On July 7, 2026, the UK Government unveiled its new “Cyber Resilience Pledge.” According to reports from The Register, 60 companies and organizations have already signed the pledge. Among them are Marks & Spencer (M&S), which suffered a major cyber incident last year, and Capita, a leading outsourcing firm previously fined for multiple data breaches.
This pledge, spearheaded by Technology Minister Liz Kendall, is a voluntary initiative. The signatory companies commit to three key actions: treating cybersecurity as a board-level responsibility, subscribing to the UK’s National Cyber Security Centre (NCSC) Early Warning Service, and encouraging their suppliers to obtain Cyber Essentials certification or an equivalent baseline.
In a statement, Kendall remarked, “Some of the UK’s largest companies are now taking action to strengthen their cyber defenses, setting a strong example for others to follow.” She warned of the potential for cyberattacks to disrupt services, expose customer data, and harm revenues. Additionally, she highlighted the growing sophistication and ease of execution of attacks due to advancements in AI.
M&S’s participation seems natural. The company was a victim of one of the UK’s most high-profile cyber incidents in 2025, and its absence from the pledge would have likely raised questions. Conversely, some other companies that have faced similar breaches have opted not to sign the pledge. Notably missing from the list are Co-op, Harrods, and Jaguar Land Rover (JLR). JLR, which struggled for weeks to recover from a cyberattack and later received £1.5 billion in government aid to mitigate supply chain impacts, is among the absentees. While the pledge is entirely voluntary, these omissions do not necessarily imply weaker security postures. However, given the government’s framing of the initiative as a hallmark of a “good cyber citizen,” it is reasonable to question why these companies chose not to embrace the badge.
Capita’s inclusion adds a layer of irony. Over the past several years, the company has amassed what The Register dubbed “an impressive archive of security incidents.” In 2025, Capita was fined by the Information Commissioner’s Office (ICO) for a ransomware attack in 2023 that exposed over 6 million records. Additionally, in early 2026, the company disclosed that its pension portal had exposed personal information of civil servants. Whether Capita’s participation signals a commitment to “continuous improvement” or reflects the government’s surprisingly lenient definition of cyber resilience remains unclear.
Since the pledge is voluntary, the list of signatories represents little more than a public declaration of commitment. However, the government’s message urging companies to elevate cybersecurity to a board-level agenda is unmistakable. Signing up for the NCSC’s Early Warning Service offers practical means for organizations to access threat intelligence swiftly and respond in the early stages of an attack. Furthermore, the requirement for suppliers to achieve Cyber Essentials certification aims to bolster security across entire supply chains.
Minister Kendall emphasized that “cyber resilience is no longer just an IT issue but a business imperative.” As cyberattacks grow more sophisticated due to AI advancements, the government views this pledge as a framework to encourage voluntary corporate action.
Editorial Opinion
In the short term, the pledge could increase visibility of board-level engagement in corporate cybersecurity. With 60 organizations signing on, it may be seen as more than just a press release and instead as a tangible “proof of commitment” in the marketplace. However, the inclusion of companies like Capita, which have faced significant security issues in the past, raises questions about the pledge’s credibility. It remains unclear how rigorously the government screened signatories or whether it prioritized “a willingness to improve.” In the coming months, scrutiny will focus on whether the signatories actively adopt the NCSC’s Early Warning Service and enforce Cyber Essentials certification among their suppliers.
From a long-term perspective, this voluntary pledge could pave the way for legal regulations. The UK Government has already introduced the Cyber Security and Resilience Bill to Parliament. Should voluntary participation fall short, pressure to mandate such measures will likely intensify. Additionally, it will be worth monitoring whether the pledge has a ripple effect across supply chains. If major corporations push their suppliers to obtain Cyber Essentials certification, it could lead to improved security practices among small and medium-sized businesses.
References
- Government’s cyber pledge lands 60 signatories, including M&S and, somehow, Capita - The Register — Published July 7, 2026
Frequently Asked Questions
- What is the Cyber Resilience Pledge?
- Announced by the UK Government in July 2026, the Cyber Resilience Pledge is a voluntary cybersecurity initiative. Signatory companies commit to addressing cybersecurity as a board-level responsibility, subscribing to the NCSC Early Warning Service, and encouraging suppliers to obtain Cyber Essentials certification.
- Why is Capita’s participation controversial?
- Capita has faced several major security incidents, including a 2023 ransomware attack that exposed over 6 million records and a 2026 disclosure of personal data exposure via its pension portal. These incidents, which resulted in ICO fines, have raised concerns about the government’s decision to include such a company in the pledge, potentially undermining its credibility.
- Are there any major companies missing from the signatory list?
- Yes, notable absentees include Co-op, Harrods, and Jaguar Land Rover (JLR). Despite JLR’s struggles with a cyberattack and subsequent government aid to mitigate supply chain impacts, it did not sign the pledge. However, since the initiative is voluntary, their absence does not necessarily indicate weaker security measures.
Comments