NCSC's Cyber Essentials Pathways Pilot Wasn't Built for SMEs — But Two of Its Findings Are
Pathways is designed for large, complex organisations whose architecture doesn't fit neatly into the standard Cyber Essentials Plus mould. If you run an SME or a broker's office, that route isn't yours. Two things buried in NCSC's retrospective on the pilot are, though.
Franco Pietrantonio·Principal Consultant, GET-IT Solutions Ltd10 JULY 2026
NCSC published a retrospective this week on the Cyber Essentials Pathways Proof of Concept — an 18-month programme run with 22 large organisations, IASME, and their Certification Bodies, testing whether firms with complex or legacy environments could demonstrate equivalent protection through alternative controls, rather than the standard prescriptive route to Cyber Essentials Plus.
If you're a 15-person insurance broker or a manufacturing SME, none of that changes your certification path. Pathways exists precisely because the standard model doesn't scale cleanly to sprawling, legacy-heavy enterprise estates — it isn't aimed at you, and NCSC is explicit that it comes with meaningfully higher cost and complexity than the standard route.
What's worth reading past the headline, though, is what NCSC learned along the way. Two findings in particular land somewhere much closer to home.
Finding One: Claiming Isn't Evidencing
NCSC's own summary of the pilot is blunt about this: assessing alternative controls isn't a simple mapping exercise. Organisations had to demonstrate, with evidence, that their approach met the intent behind a control — not simply assert that it did. Where the evidence didn't exist, assessors had to test for themselves.
That's a large-enterprise problem on paper. In practice, it's the same problem underwriters and brokers already wrestle with at SME scale every renewal season — a proposal form is, in effect, self-attestation. A business tells its insurer what its controls are, and in most cases nobody independently checks.
Where the parallel lands
NCSC's pilot found that consistency and trust only hold up when claims can be evidenced externally. That's the exact gap an external, passive Cyber Vitals assessment is built to close for SMEs — reading what's actually visible from outside the perimeter, rather than relying on what a form says.
Across GET-IT's own passive audits of UK SME and brokerage domains, the gap between claimed and observed posture shows up consistently. Two figures from that work make the point.
87.8%Domains lacking DMARC 'reject' enforcement
60.5%Strong front-end, exposed back-end
Neither of those is visible from a proposal form or an internal policy document. Both are visible, immediately, to an external passive scan — which is precisely the kind of independent evidence NCSC's pilot concluded was necessary once self-reported claims stopped being sufficient on their own.
Finding Two: The Patching Clock Is Already Ticking Faster
The second finding is more direct. NCSC states plainly that current AI capability is already being used by more sophisticated attackers, and that this is likely to accelerate the development of commodity attacks — the everyday, opportunistic kind that hit SMEs, not just headline targets. Their conclusion is that organisations need to prepare to patch quicker, more often, and at greater scale.
Many organisations continue to face challenges in meeting the 14-day patching requirement following a vendor's release, as mandated by Cyber Essentials.
NCSC — Cyber Essentials Pathways retrospective, July 2026
That 14-day patching window isn't a Pathways-specific requirement — it's a core control in the standard Cyber Essentials scheme that every SME certifying today is already assessed against. NCSC's own view, stated in the same piece, is that meeting it is already a struggle for many organisations, before AI-accelerated commodity attacks are properly factored in.
Put together, that's a fairly unambiguous signal: the baseline is not getting easier, and the evidence bar for demonstrating you meet it is rising, not falling. Neither of those trends is about enterprise architecture. Both are about whether an SME's actual security posture is what its paperwork says it is — and whether it can be shown to be current, not just claimed to be.
What This Means Practically
For SMEs and brokers, the useful takeaway from a pilot that wasn't designed with them in mind is this: an external, evidence-based view of your own posture — the kind that shows what's patched, what's exposed, and what a proposal form doesn't ask about — is worth having before a renewal, an audit, or a Cyber Essentials assessment forces the question.
Source: NCSC, Cyber Essentials Pathways: from proof of concept to cyber confidence, published 9 July 2026. GET-IT's Cyber Vitals passive assessment tool is available at get-it.uk/check-your-exposure — no login required.