UK Commits £90m to Cybersecurity and Calls for New ‘Resilience Pledge’

The UK government has unveiled a £90m ($120m) injection into UK cybersecurity funding, aimed at bolstering the nation’s defenses against rising digital threats. Announced at the National Cyber Security Centre (NCSC) CYBERUK conference on April 22, Security Minister Dan Jarvis emphasized that the funds would primarily support small and medium-sized enterprises (SMEs). Alongside the financial commitment, Jarvis urged major organizations to sign a new Cyber Resilience Pledge, set to launch this summer.

Why This UK Cybersecurity Funding Matters for SMEs

SMEs often lack the resources to defend against sophisticated cyberattacks. This £90m package aims to help them adopt the Cyber Essentials standard, a government-backed certification that protects against common threats. According to NCSC data, quarterly certifications surpassed 10,000 for the first time last summer. Jonathan Ellison, NCSC Director for National Resilience, noted that uptake grew by 20% in the last financial year—the program’s best performance yet. However, he acknowledged that more work is needed to reach smaller businesses.

This investment is a step in the right direction, but critics argue it’s insufficient. James Neilson, SVP of International at OPSWAT, called the funding “nice on paper” but “nowhere near enough” to address the scale of the problem. He pointed out that many SMEs have no dedicated security teams, making it not just a funding issue but a knowledge gap. Trevor Dearing, director of critical infrastructure at Illumio, echoed this, saying businesses need “practical guidance on how to protect sensitive data and keep critical services running when incidents occur.”

What Is the Cyber Resilience Pledge?

The cyber resilience pledge is a voluntary commitment for large organizations to take three concrete actions: make cybersecurity a board-level responsibility, sign up to the NCSC’s free Early Warning service, and require Cyber Essentials certification across their supply chains. This initiative aims to create a ripple effect, encouraging better practices throughout the ecosystem. However, some experts question whether voluntary pledges will drive real change.

Board-Level Responsibility: A Key Requirement

Making cybersecurity a board-level issue ensures leadership accountability. This aligns with global trends where regulators increasingly hold executives responsible for breaches. By signing the pledge, organizations signal that cyber resilience is a strategic priority, not just an IT concern.

Supply Chain Security Through Cyber Essentials

Requiring Cyber Essentials certification from suppliers helps close vulnerabilities in the supply chain. This is particularly important given that many attacks target smaller vendors to gain access to larger networks. The NCSC’s Early Warning service, meanwhile, provides free threat alerts, helping organizations respond faster to incidents.

Critics Call for Stronger Incentives, Not Just Advice

While the government’s approach is welcomed, industry voices argue it relies too heavily on gentle encouragement. Jonathan Lee, Director of Cyber Strategy at TrendAI, told Infosecurity at CYBERUK: “The government and the NCSC are saying the right things, but we have to move from this position of gently encouraging organizations to providing some incentive.” He suggested exploring tax credits for businesses that invest in resilience, noting that “if we can incentivize people to do that, that would be a good thing.”

Currently, UK businesses developing innovative cybersecurity solutions can claim Research and Development (R&D) tax relief to reduce Corporation Tax or receive cash payments. However, this scheme is limited to tech developers, not the broader SME base that needs support. As James Neilson pointed out, “SMEs either have small security teams or none at all, so it’s not just a funding issue but also a knowledge issue.”

What’s Next for UK Cybersecurity Funding?

The £90m investment and the Resilience Pledge represent a dual strategy: immediate financial aid for SMEs and a long-term cultural shift for larger organizations. Yet, as the debate over incentives continues, the government may need to revisit its approach. For now, businesses should explore Cyber Essentials certification and consider joining the NCSC’s Early Warning service to strengthen their defenses.

In a landscape where cyber threats evolve daily, the UK’s commitment is a positive step—but whether it’s enough remains to be seen. As Jonathan Lee put it, “We’re told it’s a team sport and everyone needs to work together.” The question is whether the government’s playbook will inspire the whole team to act.