Cyber Essentials Just Had a Big Week

Last week at CYBERUK 2026 in Glasgow, Security Minister Dan Jarvis announced a £90 million government investment in cyber resilience, formally launched the Cyber Resilience Pledge, and named Cyber Essentials as a central pillar of the government's response to the growing threat to UK businesses. This week, the Danzell question set comes into effect, introducing significant changes to how Cyber Essentials assessments are conducted.

The context behind the speech

The CYBERUK speech did not come out of nowhere. A month earlier, NCSC CEO Richard Horne had been making the same case at RSAC. In his keynote address, he described cyber defence in terms of near, mid, and far space. The near space, he said, is every organisation getting the basics right consistently across their networks and supply chains: "behaviours that we refer to as Cyber Essentials."

He put a number behind it: the UK recorded negative economic growth in October last year, which Horne linked in part to the downstream effects of a single cyber attack on a major manufacturer. One attack, one supply chain.

Jarvis's speech in Glasgow was, in some ways, the policy response to that diagnosis. The government's own Pledge Information Pack puts the average cost of a significant cyber attack at almost £195,000 per business, scaling to an estimated £14.7 billion annually across the UK economy. The full detail of how the £90 million investment will be allocated is expected when the National Cyber Action Plan is published later this summer.

The Pledge also does not arrive in a vacuum. Since April 2025, Procurement Policy Note 01/25 has made Cyber Essentials mandatory for all public sector suppliers bidding on contracts over £5 million. The Defence Cyber Certification scheme, which came into force in December 2025, requires CE as the baseline across all four certification levels for MOD suppliers. In healthcare, NHS Supply Chain requires Cyber Essentials Plus from suppliers handling NHS data or providing IT and digital services, under PPN 014. The Pledge builds on that existing architecture rather than starting from scratch.

What the Pledge actually commits organisations to

The Cyber Resilience Pledge went live on 22 April, the same day as the CYBERUK speech. It formalises a ministerial letter sent to FTSE 350 companies and other major organisations back in October 2025.

Signing organisations commit to three specific actions.

Make cyber a board responsibility. Implementing the Cyber Governance Code of Practice and ensuring all board members complete the NCSC's Cyber Governance Training within three months of signing, then annually.

Sign up to Early Warning. Registering for the NCSC's Early Warning service within one month. It is free, takes around five minutes to set up, and flags potentially suspicious activity on the organisation's network.

Require Cyber Essentials across supply chains. This is the one most directly relevant to anyone reading this. Signing organisations must register for the Cyber Essentials Supplier Check Tool within two months of signing, conduct a comprehensive audit of CE coverage across their entire supply chain, present those findings to the board, and take a risk-based approach to requiring CE from suppliers. The Pledge Pack is explicit that this may include requiring it from all suppliers, and that where it is not required, the board must ensure that decision aligns with their risk appetite and that assurance is obtained by other means.

Signatories also commit to publishing the signed declaration on their website and providing an annual public update on progress.

The Pledge is voluntary. But signing organisations are listed publicly, and the government has said it will seek opportunities to recognise those that implement the actions. The Pledge Pack also notes that where organisations have mandated Cyber Essentials from their third parties, they have seen up to an 80% reduction in cyber incidents. That is the commercial logic the government is leaning on to drive adoption.

Worth noting: the Pledge does not require signing organisations to hold Cyber Essentials certification themselves, though the government encourages it. The specific focus of this action is on driving CE uptake through supply chains rather than requiring it of larger organisations directly.

The Pledge lands directly on MSP clients

The supply chain action in the Pledge is not abstract. When a major organisation commits to auditing CE coverage across its supplier base and presenting findings to its board, that audit lands on the SMEs and IT service providers in its supply chain. MSPs are the ones who will field the questions, and the commercial and regulatory pressure building behind that conversation is growing.

As our Founder, Jamie Akhtar, wrote recently, MSPs have moved well beyond traditional IT support. They are embedded operators inside the digital infrastructure of thousands of organisations, with privileged access that makes them a compelling upstream target. A single compromised MSP can cascade across an entire client base. That is not a theoretical risk.

The Cyber Security and Resilience Bill, currently progressing through Parliament, will bring an estimated 900-1,100 MSPs into regulatory scope: those with 50 or more employees and turnover exceeding €10 million. That means registering with the Information Commission (IC, formerly the Information Commissioner's Office, or ICO), maintaining appropriate security measures, and reporting incidents.

77% of MSP leaders globally already report increased scrutiny of their security credentials from customers and prospects, and that was before the Pledge existed. As major organisations take on these commitments and begin auditing their supply chains, that scrutiny is likely to increase further. Cyber Essentials is the most straightforward way to answer the question when it comes.

Frontier AI is making the basics more important, not less

Frontier AI refers to the most advanced AI systems currently available: models that can reason, write code, automate tasks, and assist with complex work including cyber operations.

In his CYBERUK 2026 keynote, Richard Horne said frontier AI is already enabling the discovery and exploitation of existing vulnerabilities at scale, exposing where cyber fundamentals are still missing: patching, legacy systems, and vulnerable code. In a separate NCSC post on AI and cyber defence, the NCSC made the Cyber Essentials point directly: AI will make it easier, faster, and cheaper to discover and exploit weaknesses, and government-backed certifications like Cyber Essentials give organisations confidence that critical disciplines are being practised.

For SMEs and MSPs, that brings the argument back to basics. MFA, patching, secure configuration, access control, and malware protection are not frontier controls. They are the controls that keep the front door shut. As AI makes weak points easier to find and exploit, Cyber Essentials becomes more important, not less.

What Danzell actually changed

The Danzell question set is now live. Glen Patrick, our Head of Cyber Audit, has written a full breakdown of every change. The short version: the five core controls are unchanged, but three conditions now result in automatic assessment failure where previously they did not.

MFA on cloud services. If MFA is available on a cloud service and has not been enabled, the assessment fails immediately. This applies whether MFA is free, included, or only available as a paid option. There is no partial credit for having it enabled on some services but not others.

Patching operating systems and firmware. High-risk or critical updates must be applied within 14 days of release. Missing this is now an automatic failure.

Patching applications. The same 14-day window applies to applications, including associated files and extensions.

Cyber Essentials Plus has been tightened too. Organisations can no longer pass an audit by remediating only the devices included in a sample. Fixes must be applied across the entire in-scope estate. The verified self-assessment also needs to be complete before CE Plus testing begins.

For the full picture, read our blog post or download our Danzell guide.

What to do with all of this

The NCSC handled over 200 nationally significant incidents last year, more than double the year before. Jarvis cited ransomware attacks on children's nurseries, compromised logistics systems, and a recent incident involving Jaguar Land Rover. The point he was making: this is not a future problem. It is here, and it moves through supply chains.

For MSPs, the immediate priority is getting ahead of the Danzell changes before the first renewal cycle surfaces them. Sweep MFA across all client cloud services now. Verify that patching processes meet the 14-day requirement across the full estate, not just the devices most likely to be sampled. If any clients are due for CE Plus, make sure the VSA is complete before the audit is booked. The preparation conversation needs to happen earlier than it used to.
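The two automatic-failure conditions that matter most for that sweep (MFA left off where it is available, and high or critical updates older than 14 days) can be checked mechanically across a client estate before a renewal surfaces them. The following is an added example, not CyberSmart's code or any part of the Cyber Essentials scheme: it runs the two checks over a constructed inventory and shows why a sample-only view (the pre-Danzell habit of remediating only sampled devices) hides findings that a full-estate view reports. Client names, hostnames, service names, update identifiers and release dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

# Danzell window for high-risk or critical updates, as described on the page.
PATCH_WINDOW_DAYS = 14


@dataclass
class PendingUpdate:
    name: str
    severity: str          # "critical", "high", "medium" or "low"
    released: date


@dataclass
class Device:
    hostname: str
    client: str
    sampled: bool          # would this device land in a CE+ test sample?
    pending: List[PendingUpdate] = field(default_factory=list)


@dataclass
class CloudService:
    client: str
    name: str
    mfa_available: bool
    mfa_enabled: bool


def overdue_updates(device: Device, as_of: date) -> List[PendingUpdate]:
    """High/critical updates still pending more than 14 days after release."""
    return [
        u for u in device.pending
        if u.severity in ("critical", "high")
        and (as_of - u.released).days > PATCH_WINDOW_DAYS
    ]


def mfa_failures(services: List[CloudService]) -> List[CloudService]:
    """Services where MFA is offered (free or paid) but not switched on."""
    return [s for s in services if s.mfa_available and not s.mfa_enabled]


def danzell_report(devices: List[Device], services: List[CloudService],
                   as_of: date, sampled_only: bool = False) -> List[Tuple[str, str, str]]:
    """Collect automatic-failure findings as (check, client, detail) tuples.

    sampled_only=True reproduces the old sample-based view; the default
    covers the whole in-scope estate, which is what Danzell now requires.
    """
    findings = []
    for s in mfa_failures(services):
        findings.append(("mfa", s.client, s.name))
    for d in devices:
        if sampled_only and not d.sampled:
            continue
        for u in overdue_updates(d, as_of):
            findings.append(("patch", d.client, f"{d.hostname}:{u.name}"))
    return findings


# Constructed inventory for the example (hypothetical clients and assets).
SERVICES = [
    CloudService("Client A", "Microsoft 365", mfa_available=True, mfa_enabled=True),
    CloudService("Client A", "Accounting SaaS", mfa_available=True, mfa_enabled=False),
    CloudService("Client B", "Legacy portal", mfa_available=False, mfa_enabled=False),
]
DEVICES = [
    # Sampled device, critical update 6 days old: inside the window.
    Device("ws-01", "Client A", sampled=True,
           pending=[PendingUpdate("KB-CONSTRUCTED-000", "critical", date(2026, 4, 25))]),
    # Unsampled device, critical update 21 days old: the finding a sample misses.
    Device("ws-02", "Client A", sampled=False,
           pending=[PendingUpdate("KB-CONSTRUCTED-001", "critical", date(2026, 4, 10))]),
    # Low-severity update is outside the 14-day rule and is not a failure.
    Device("srv-01", "Client B", sampled=True,
           pending=[PendingUpdate("KB-CONSTRUCTED-002", "low", date(2026, 3, 1))]),
]

if __name__ == "__main__":
    as_of = date(2026, 5, 1)
    print("Sample-only view:", danzell_report(DEVICES, SERVICES, as_of, sampled_only=True))
    print("Full-estate view:", danzell_report(DEVICES, SERVICES, as_of))
```

Run against the constructed data, the sample-only view reports just the MFA gap on Accounting SaaS, while the full-estate view also reports the overdue critical update on ws-02, the device a sample would never have touched. The Legacy portal is not reported because the page's rule is conditional on MFA being available; in practice that service would be a separate conversation about whether it belongs in scope at all.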

On the Pledge: if your clients sit in regulated industries, public sector supply chains, or any organisation likely to be in scope of DSIT's outreach, start the CE conversation now. The opportunity is bigger than one-off supplier checks: large organisations will need supplier assurance as a programme, with visibility of CE and CE+ coverage, critical supplier mapping, and scaled support to uplift suppliers. CyberSmart works with MSPs to deliver that end-to-end at scale.

For SMEs, the position is fairly simple. Cyber Essentials is the most accessible way to demonstrate your security controls meet a recognised government standard. The declaration is already public on gov.uk. Any buyer that signs commits to auditing their supply chains for CE coverage.

As Jarvis put it directly: “basic cyber hygiene is no longer optional, but the baseline, the absolute minimum we should expect of any serious organisation operating in the modern economy.” The scheme now enforces that more rigorously than it did before.

How CyberSmart can help

As the UK's leading Cyber Essentials certification body, we do exactly this.

For MSPs, we support the full certification lifecycle: fast, supported CE and CE+ with unlimited resubmissions and expert guidance, Active Protect for year-round compliance monitoring between certifications, patch management to keep client estates inside the 14-day Danzell requirement, and CSVM for continuous vulnerability visibility. If clients are coming to you with Pledge-related questions about their supply chain, we can help you answer them.

For SMEs, getting certified with CyberSmart takes as little as 24 hours. The platform guides you through the assessment, an IASME-accredited auditor reviews it, and eligible organisations receive £25,000 free cyber insurance on certification.

Find out more about getting certified with CyberSmart.