Fresh UK cyber figures arrive with a warning attached. On 12 May 2026, the Department for Science, Innovation and Technology said sector revenue rose 11% to £14.7 billion, the number of firms climbed 20% to 2,603, and employment reached about 69,600 full-time roles after another 2,300 jobs were added over the year. For Market Pulse UK readers, the point is not simply that cyber is a good growth story. It is that cyber spending has moved out of the IT budget and into the wider question of how a business keeps trading when systems, suppliers or customer data come under pressure. (gov.uk) That framing matters because ministers did not publish these numbers as a victory lap. They paired them with a fresh call for companies to raise their defences against AI-enabled attacks, making this as much a boardroom story as a tech one. (gov.uk)

The government’s answer, at least for now, is a voluntary Cyber Resilience Pledge. According to the official pledge guidance, organisations that sign are expected to do three things: make cyber a board responsibility, join the National Cyber Security Centre’s Early Warning service, and require Cyber Essentials across their supply chains. The pledge was announced on 22 April 2026 at CYBERUK in Glasgow and is due to be formally launched in summer 2026. (gov.uk) That may sound procedural, but the business meaning is straightforward. Directors are being asked to treat cyber in the same way they treat cashflow, insurance and operational continuity. For a retailer, that could mean checking whether a payments provider meets a recognised minimum standard. For a manufacturer, it could mean asking whether a software supplier can spot a breach early enough to stop production lines going down. Cyber Essentials, which government guidance describes as a baseline standard against common online threats, gives procurement teams something concrete to ask for rather than a vague promise of good security. (gov.uk)

The urgency is easy to see in the latest breach data. DSIT’s 2025/2026 Cyber Security Breaches Survey found that 43% of UK businesses reported a cyber breach or attack in the previous 12 months. Medium-sized firms were more likely to report one than micro or small companies, and large businesses were higher again at 69%. Meanwhile, the Cabinet Office said nationally significant incidents handled by the NCSC more than doubled in 2025. (gov.uk) AI is part of the reason ministers are shifting the tone. The AI Security Institute said Claude Mythos Preview became the first model it tested to complete a 32-step corporate network attack simulation end to end, and that an early checkpoint of OpenAI’s GPT-5.5 became the second model to reach a similar level in controlled evaluations. Those are research settings rather than ordinary public use cases, but the direction of travel is hard to miss: tools are improving, and attackers need less time and less skill than before. (aisi.gov.uk)

This is why the NCSC’s Early Warning service deserves more attention than it usually gets in policy announcements. The service is free, open to UK organisations and sends notifications about malicious activity tied to an organisation’s IP addresses and domains; the NCSC says it delivers about 2,000 alerts a month. For an SME without a large in-house security team, that is less about buying another tool and more about getting extra time to act before a problem turns into a business interruption. (ncsc.gov.uk) There is a similar logic behind pushing Cyber Essentials into supply chains. A single weak supplier can become the easiest route into a larger firm. Requiring a government-backed standard does not remove that risk, but it does set a clearer minimum for third parties and gives boards a simple test when they review supplier risk. (gov.uk)

Alongside the voluntary pledge sits a harder policy track. The government said in April that £90 million will be invested over the next three years to strengthen cyber resilience, including for small and medium-sized businesses. Separately, the Cyber Security and Resilience Bill, first introduced to Parliament on 12 November 2025, is continuing its passage and is intended to widen the rules around essential services, managed service providers and data centres. (gov.uk) That matters well beyond the tech sector. Official factsheets say 28% of UK businesses, and 62% of large businesses, rely on data centre services. The same set of reforms would also widen incident reporting so regulators and the NCSC hear more quickly about ransomware and other serious breaches. In plain terms, the state is moving from broad encouragement towards firmer expectations in the parts of the economy where an outage can spread fast. (gov.uk)

There is also a clear commercial story here. DSIT’s sectoral analysis estimates that 111 firms in the UK now offer cyber security products or services for AI, up 68% from 66 a year earlier. The same report says the strongest product areas include AI and machine-learning model security, AI security advisory work and runtime or infrastructure protection. For investors, founders and employers, that looks less like a niche and more like a segment moving into its build-out phase. (gov.uk) The wider sector is still drawing capital, although not at the pace seen in easier money years. DSIT’s report says dedicated cyber firms raised £184 million across 47 deals in 2025, while also noting that external investment into private firms has been weaker across sectors since interest rates rose. That mix of growth and restraint feels familiar: demand is solid, but buyers and backers want clearer proof that products solve an immediate problem. (gov.uk)

The government would plainly like this story to land in two places at once: Britain as a growing cyber market, and British businesses as more disciplined cyber buyers. The official figures support the first half. Whether the second half follows will depend on what happens after the pledge leaves the press release and meets real procurement teams, overstretched IT staff and directors who still see cyber as something to discuss only after an incident. This is an inference based on the government data and policy documents, rather than a direct claim from those sources. (gov.uk) For firms reading the announcement today, the practical message is fairly blunt. If cyber still sits only with the IT manager, the company is already behind. If it sits with the board, the supplier list and the incident plan, there is at least a real chance of staying operational when the next attack lands. That, more than the headline growth number, is the business takeaway from the government’s 12 May 2026 push. This final judgement is an inference drawn from the NCSC, DSIT and AISI material. (gov.uk)