What Cyber Essentials actually is

Cyber Essentials is a UK Government-backed certification scheme developed by the National Cyber Security Centre (NCSC) and administered by the IASME Consortium. Launched in 2014, it sets out five fundamental technical controls that, when properly implemented, protect against the vast majority of common internet-based attacks.

It is not an audit of your entire security posture. It is a verified baseline — a way of demonstrating that the most exploited, most preventable vulnerabilities in your business have been addressed. Think of it as the MOT of cybersecurity: it does not guarantee nothing will ever go wrong, but it confirms that the fundamentals are in order.

  • 92% fewer cyber insurance claims made by organisations with CE controls in place
  • 55,995 Cyber Essentials certifications issued in the UK in 2025
  • 43% of UK businesses experienced a cybersecurity breach or attack in 2025

Sources: GCA / NCSC; AMVIA citing DSIT Cyber Security Breaches Survey 2025


The five controls — in plain English

Cyber Essentials requires five technical controls to be in place and verifiably active. These are not complex enterprise measures — they are the fundamentals that most attacks exploit when they are absent.

01. Firewalls

A boundary firewall must be in place between your internet connection and your devices. This includes routers, and any software firewall on devices that connect to the internet directly. Default configurations that expose unnecessary services are a fail.

02. Secure configuration

Devices and software must be configured securely from the outset — default passwords changed, unnecessary software removed, and only the services you actually need left running. Factory settings on routers are one of the most common failure points.

03. Access control

User accounts should only have the access they genuinely need, and admin rights must be restricted to those who require them. Under v3.3, Multi-Factor Authentication (MFA) is mandatory on all cloud services — no exceptions and no workarounds.

04. Malware protection

Protection against malicious software must be in place on all in-scope devices. This can be achieved through application allowlisting, sandboxing, or signature-based malware scanning — the approach must be appropriate for the device type.

05. Patch management

Software and operating systems must be kept up to date. Under the current standard, critical and high-severity patches must be applied within 14 days of release. Any software that is no longer supported by its vendor — including Windows 10 after October 2025 — must be removed from scope or updated. This is one of the most commonly failed controls.


Cyber Essentials vs Cyber Essentials Plus

There are two levels of certification. Which one you need depends on what you are trying to achieve and who is asking for it.

Level 1

Cyber Essentials

A verified self-assessment. You answer a questionnaire about your controls, which is reviewed and verified by a certification body. No independent technical testing.

  • Right for most SMEs as a starting point
  • Satisfies most public sector supply chain requirements
  • Includes £25,000 free cyber liability insurance (under £20m turnover)
  • Typically completed in 2–4 weeks
  • Renewed annually

Level 2

Cyber Essentials Plus

Everything in CE, plus an independent technical audit of your systems by an assessor — verifying that the controls are genuinely in place, not just described.

  • Required for Ministry of Defence supply chain contracts
  • Required for NHS suppliers handling NHS data or IT services
  • Increasingly specified by large private sector clients
  • Carries significantly more weight in tenders and procurement
  • Cyber Essentials (Level 1) must be completed first as a prerequisite

Source: IASME Consortium — Cyber Essentials; AMVIA citing NCSC 2025 data


Who needs it — and why the answer is changing

Until recently, Cyber Essentials was largely seen as relevant to businesses bidding for government contracts. That picture has shifted considerably in the past 12 months.

Government suppliers

Mandatory for all public sector contracts involving personal data or IT services under Procurement Policy Note 014. Since April 2025, required for all public sector contracts over £5 million.

NHS and healthcare suppliers

NHS Supply Chain requires Cyber Essentials Plus from suppliers handling NHS data or providing digital services. This requirement cascades to subcontractors.

Defence sector suppliers

The Defence Cyber Certification scheme, which came into force in December 2025, requires CE as the baseline across all four certification levels in the supply chain.

Private sector supply chains

Large organisations are now being asked by government to audit CE coverage across their supplier base. If you supply a large business, expect to be asked for your certificate — if you haven't been already.

Insurance applicants

Cyber insurers increasingly use CE as a benchmark. Certified businesses receive better premium rates, fewer exclusions, and stronger cover. Some ransomware-specific policies now require CE as a condition.

Any business wanting a baseline

Even without a contractual requirement, the five controls address the vulnerabilities that account for the majority of successful attacks against UK SMEs. CE is the fastest credible way to implement and evidence them.

The supply chain pressure is accelerating. The UK Government's Cyber Resilience Pledge, launched in April 2026, commits large organisations to auditing CE coverage across their supplier bases and reporting findings at board level. As the NCSC put it directly: "basic cyber hygiene is no longer optional, but the baseline, the absolute minimum we should expect of any serious organisation operating in the modern economy." If you are in any supply chain, the question is not whether you will be asked — it is when.

Source: CyberSmart — Cyber Essentials Supply Chain Pledge, April 2026


What does certification cost?

Certification fees are set by IASME and vary by organisation size. As a guide for UK SMEs:

Certification is renewed annually. Many businesses also work with a consultant or Cyber Advisor to prepare — particularly for a first attempt, where a gap analysis avoids the cost and delay of a failed submission.

The free insurance benefit. UK organisations with an annual turnover under £20 million that achieve Cyber Essentials certification for their whole organisation automatically receive £25,000 of cyber liability insurance at no extra cost — including access to a 24-hour incident response helpline covering technical, legal, and crisis management support. For many SMEs, this alone offsets a significant portion of the certification cost.

Source: AIS Tech — Cyber Essentials Certification: The Complete 2026 Guide


Common reasons businesses fail first time

A failed submission delays certification by weeks and incurs re-assessment costs. These are the most common causes:

A pre-assessment gap analysis — working through each control against your actual current setup — prevents almost all of these. It also gives you a clear remediation list before any money is spent on the formal assessment.

Ready to get certified — or not sure where you stand?

GET-IT supports UK SMEs through the full Cyber Essentials process — from initial gap analysis and remediation through to submission and certification, with a first-time pass guarantee.

Not sure whether you need CE or CE Plus, or whether you are ready to submit? A free 30-minute readiness call costs nothing and answers both questions clearly.


[ Remote. First-time pass guarantee. No jargon. ]