Panthera Advisory

Is the UK quietly turning cyber security from a compliance question into a procurement one?

The UK government's new Cyber Resilience Pledge isn't trying to regulate every SME directly. It's pushing baseline cyber standards through enterprise procurement. The pressure point has moved.

A supplier assurance questionnaire with a question about Cyber Essentials certification circled in pen.

The UK government announced this morning that it is asking major organisations to sign a new Cyber Resilience Pledge. The pledge, launched jointly by DSIT and the National Cyber Security Centre, asks organisations to make cyber security a board-level responsibility, sign up to the NCSC's Early Warning Service, and adopt Cyber Essentials across their supply chains.

For me, that final point is the interesting part.

The government is not trying to regulate every micro or small business directly. It is trying to push baseline cyber standards into the economy through enterprise procurement. Large organisations are being encouraged to require evidence of basic cyber controls from suppliers, contractors and technology partners. The delivery mechanism is the procurement process rather than direct enforcement.

Most SMEs still tend to treat cyber security as an internal compliance topic. Increasingly, larger customers will not.

Large organisations probably won't try to run detailed technical assessments on every small supplier they work with. Instead, they'll want a standard way to check whether basic controls exist across large supplier bases.

That is why Cyber Essentials matters in this announcement. It is not being positioned as the highest form of cyber assurance. It is being used as a common baseline: government-backed, NCSC-designed, administered through IASME, and built around five technical controls intended to address common internet-based threats.

Other frameworks may answer the same customer concern. ISO 27001 can demonstrate a broader information security management system. SOC 2 may be more familiar to US software buyers. Defence, healthcare and financial services organisations may rely on sector-specific assurance requirements. But today's pledge names Cyber Essentials because it gives UK procurement teams a standardised minimum that they can ask for across suppliers without designing a separate review process for each one.

The scheme itself has also become more practical in scope over time. Last month's update tightened requirements around multi-factor authentication and brought cloud services properly into assessment scope. In practice, that means systems like Microsoft 365, Google Workspace, Slack and Notion can no longer sit outside the boundary of what is being assessed. The framework increasingly reflects how most SMEs actually operate.

Over the past eighteen months I have spent time signposting clients towards Cyber Essentials and related government-backed support programmes aimed at early-stage technology firms. Take-up has been mixed. The objections tend to follow familiar patterns.

Some are weaker than they first appear. I expect that "our customers aren't asking for it" will become less convincing once those customers are actively embedding cyber requirements into their supply chains. "We already have cyber insurance" may also carry less weight if insurers demand baseline controls or certifications before renewal.

Other objections are more understandable. Earlier-stage micro-organisations are usually focused on product delivery and commercial traction, and governance work that does not yet feel commercially urgent often gets deferred. Outsourcing technical security is also common. But procurement questionnaires, supplier assurance reviews and renewal discussions will still land with the SME itself, even where security operations sit with a third party.

Some organisations genuinely sit outside the typical pattern. Businesses operating isolated or tightly controlled environments will have a different risk profile. Others already hold frameworks that answer the same procurement question through different mechanisms.

Most founder-led SMEs, though, are not really debating certification frameworks. They are still working from an older assumption: that cyber security mainly sits inside IT or compliance functions and can be dealt with later.

That assumption made more sense when cyber requirements were largely internal. If this announcement turns into the procurement reality the UK government appears to be aiming for, then the direction of pressure will change. Security questionnaires will appear earlier in sales conversations. Supplier onboarding processes will become more detailed. Enterprise customers will ask for evidence that previously never came up in commercial discussions. Procurement and risk teams will join renewal conversations they used to sit outside.

Cyber Essentials itself is not new. What is changing is where the pressure to adopt it will come from. For many SMEs, the cyber question may now arrive through commercial pressure rather than regulatory pressure.