Cyber resilience is now a supply chain issue: what UK businesses and FM teams need to do now
What has happened?
The UK government is urging organisations to sign a new Cyber Resilience Pledge. The pledge is aimed mainly at medium and large organisations and asks them to do three practical things: make cyber security a board-level issue, join the NCSC's free Early Warning Service, and require Cyber Essentials certification across their supply chains. The move comes at a time when ministers are warning that AI is increasing the speed and scale of cyber threats.
This matters because cyber security is no longer being presented as just an IT problem. The government is framing it as part of economic resilience, service continuity and customer protection. ITPro reports that ministers have already written directly to major businesses, and that the wider policy direction also includes the Cyber Security and Resilience Bill moving through Parliament.
Why this matters for FM and operations
For TPMG FM audiences, the real issue is not only office laptops or email accounts. Modern workplaces and estates increasingly rely on connected systems such as CCTV, access control, building management and controls, visitor tools, contractor platforms and cloud-based operational software. Each of these is typically supplied, installed or remotely supported by a third party, so when the government talks about cyber resilience across supply chains, it is describing a facilities issue too. That is a practical inference from the government's focus on supply chain Cyber Essentials and board-level resilience.
It also matters commercially. Cyber Essentials is already a contractual baseline for some public sector work involving sensitive data, and the new pledge pushes businesses to extend that baseline deeper into their supplier networks. For FM, that means buyers may increasingly ask not only whether your own systems are secure, but whether the apps, devices, subcontractors and connected services around your operation are secure too.
What this means for different organisations
Small businesses
For smaller businesses, this is a warning not to assume cyber resilience is “for larger firms only”. If you rely on cloud tools, mobile devices, shared contractor logins, visitor systems or outsourced support, you are already part of someone else’s supply chain.
A practical first step is to list your core systems and who can log in to them, check whether clients expect Cyber Essentials, and confirm that basic controls such as patching, multi-factor authentication and individual (not shared) accounts are actually in place. That follows directly from the government's stated direction of travel.
Medium and large organisations
For medium and large organisations, this story is more direct: the pledge is aimed at you. The question is no longer just whether cyber security sits with the IT team, but whether leadership, procurement and operations are aligned. If your buildings depend on connected systems and outsourced services, then cyber resilience now needs to be treated as part of operational governance.
Multinationals
For multinational operators, this sits inside wider resilience, governance and ESG-style risk management. UK expectations are moving toward stronger supplier assurance, earlier warning and clearer accountability.
That means UK sites and suppliers may need to align with tighter resilience standards than their counterparts elsewhere in the group. This is a practical inference from the pledge and the linked legislative direction.
Public sector buyers
For public sector buyers, this is especially relevant because Cyber Essentials is already a known assurance route in government related procurement, and the government is now explicitly pushing stronger supply chain resilience.
Buyers should expect more scrutiny of who has access to building systems, how suppliers are controlled, and whether operational technology is being treated seriously.
Contractors
For contractors, this means cyber risk is no longer separate from service delivery. If you use apps, access systems, client portals, cloud storage or connected equipment, then your working method becomes part of the client’s resilience picture.
Contractors who can show control (patching discipline, named rather than shared accounts, multi-factor authentication, and clear processes for their own subcontractors) will look stronger than those relying on trust alone. That is a practical interpretation of the pledge's supply chain emphasis.
What to check now
Start with five practical checks.
- Do you know which building and operational systems depend on cloud access or connected devices?
- Are key suppliers and subcontractors working to a recognised cyber baseline such as Cyber Essentials (firewalls, secure configuration, user access control, malware protection and security update management) where appropriate?
- Could leadership explain who owns cyber risk across operations, not just in IT?
- If a connected building system failed because of a cyber issue, would your site still operate safely? For example, do electronically controlled doors still allow safe evacuation, and can critical plant be run manually?
- Could you show a buyer or client that cyber resilience is built into supplier selection and service control?
These questions map directly onto the pledge's three themes: board ownership, early warning and supply chain assurance.
Where TPMG FM fits in
This is exactly the kind of issue that shows why modern FM is not just physical. It is operational, digital and supplier-led too. TPMG FM can help clients think more clearly about how contractor controls, connected systems, reporting lines and service resilience fit together in the real world.
In a more connected estate, resilience is no longer just about maintenance. It is also about who has access, which systems depend on which suppliers, and who is accountable when something fails.
If your organisation is reviewing supplier controls, public sector readiness or the resilience of connected operational systems, TPMG FM can help you build a more controlled, better governed and more future ready service model.