Compliance February 2026 10 min read By Vertex9 Team

Cyber Essentials 2026: The Complete Guide for UK Businesses

What it covers, Essentials versus Plus, 2026 technical requirements, common failure points and exactly how to prepare — everything you need to achieve certification first time.

Cyber Essentials is the UK government's cybersecurity certification scheme, developed by the NCSC (National Cyber Security Centre) and administered by IASME. Since 2014, it has been mandatory for all central government contractors handling sensitive data or personal information. In 2026, it is increasingly required in private sector supply chains — and the technical requirements have evolved to reflect today's threat landscape and working patterns.

The most significant recent updates to the scheme include: cloud services are now firmly in scope (since 2022), multi-factor authentication for cloud accounts is a hard requirement, and remote workers using home broadband connections must have properly configured firewalls. These changes mean that many businesses that achieved certification in previous years need to reassess their posture against the current requirements before their next renewal.

This guide covers everything: what CE and CE+ assess, the five technical controls in detail, common failure points, how to prepare systematically, and what the certification requires of cloud-first businesses in 2026.

What Is Cyber Essentials?

Cyber Essentials is an NCSC-developed, IASME-administered certification scheme that assesses organisations against five foundational cybersecurity controls. It was designed to address the most common attack vectors — phishing, ransomware, credential attacks, and exploitation of unpatched software — and represents the baseline of good cybersecurity hygiene.

The scheme operates at two levels, with meaningfully different assessment processes and levels of assurance.

Cyber Essentials (self-assessed)

  • Self-assessment questionnaire
  • Reviewed and verified by a certification body
  • No independent technical testing
  • Approximately 2–4 weeks to complete
  • £300–£500 for most SMEs
  • Valid for 12 months
  • Suitable for most supply chain requirements

Cyber Essentials Plus (independently verified)

  • All CE requirements, plus independent audit
  • Auditor tests your systems to verify controls work
  • Internal and external vulnerability scans
  • Typically 4–8 weeks from start to certificate
  • £1,500–£5,000 depending on scope
  • Valid for 12 months
  • Required for MoD and many NHS contracts

Both levels must be renewed annually. The renewal process requires a full reassessment — certification does not automatically carry forward. This is deliberate: the threat landscape changes, your environment changes, and the NCSC updates the technical requirements periodically to reflect new guidance.

Who Needs Cyber Essentials?

Mandatory: All UK central government contracts involving handling of sensitive information or personal data. This has been a contractual requirement since 2014 and is non-negotiable — without a current CE certificate, you cannot bid for or hold these contracts.

Expected across public sector supply chains: NHS procurement, Ministry of Defence supply chain (CE+ required for many MoD contracts), local authority contracts, and HMRC supply chain relationships all carry CE requirements either contractually or as evaluation criteria.

Increasingly required in private sector: Large enterprise customers are incorporating CE into their supplier due diligence processes. Financial services firms under FCA oversight, law firms handling personal data, and companies working with critical national infrastructure operators are increasingly mandating CE as a minimum.

Insurance: A growing number of cyber insurance policies offer premium discounts for CE-certified organisations. Some specialist cyber insurers now require CE as a condition of cover altogether. Given the significant increase in cyber insurance premiums since 2021, certification can deliver meaningful premium savings.

Recommended for all UK businesses: The ICO (Information Commissioner's Office) takes a favourable view of CE certification when assessing whether an organisation has implemented "appropriate technical measures" under GDPR Article 32. In the event of a breach investigation, a current CE certificate is meaningful evidence of good security practice.

The 5 Technical Controls in Detail (2026)

1. Firewalls

All internet-connected devices must be protected by a properly configured firewall. The key 2026 requirement is that this extends to remote workers: employees using home broadband routers are expected to have those routers configured with an appropriate firewall. Default router configurations from ISPs often meet this requirement, but the organisation must be able to confirm it. All unnecessary inbound ports must be blocked; default administrative passwords on firewalls and routers must be changed; and any remote management interfaces must be secured or disabled when not in use.

2. Secure Configuration

All devices and software must be configured securely at deployment and maintained in that state. This means: changing all default account credentials on all hardware and software; removing or disabling software and services that are not needed; disabling auto-run features that execute code automatically from removable media; restricting access to administrative tools and system configuration; and ensuring that devices have only the software installed that is needed for their role. Unnecessary software is attack surface — remove it.

3. User Access Control

The least privilege principle applies throughout: users have access only to the data and functions they need for their role, and nothing more. Specific 2026 requirements that catch organisations out: every cloud service in scope (Microsoft 365, Google Workspace, Salesforce, Xero, and any other cloud application processing business data) must have MFA enabled for all users — this is a hard requirement, not a recommendation. Separate administrator accounts must be used for administrative tasks; admins should not use their admin credentials for routine work such as email and browsing. Unused accounts must be disabled or removed.

4. Malware Protection

All devices in scope must run malware protection. In 2026, the NCSC guidance acknowledges three acceptable approaches: anti-malware software (traditional AV or modern EDR), application allow-listing (only approved software can run — appropriate for fixed-function devices), or sandboxing (executing untrusted code in an isolated environment). For most businesses, this means deploying a reputable EDR solution on all endpoints. Microsoft Defender for Endpoint (included in many M365 plans), CrowdStrike, SentinelOne, and Sophos Intercept X are all examples of CE-compliant solutions. Anti-malware must be kept up to date and its real-time protection must be enabled.

5. Patch Management (Security Updates)

All software, operating systems, and firmware on in-scope devices must be kept up to date. The specific requirements: all high and critical security patches must be applied within 14 days of release; any device running software or an operating system that no longer receives security updates (end-of-life) cannot meet this control, and if that device cannot be patched it must be upgraded or removed from scope. This is an automatic failure: Windows 7, Windows XP, Windows Server 2008, Server 2012, and any other end-of-life operating system in scope will fail CE. There are no exceptions for "isolated" or "air-gapped" systems unless they have genuinely no internet connectivity whatsoever.

Common Failure Points and How to Avoid Them

The following issues account for the majority of CE and CE+ failures. Address all of them before submitting your assessment.

  • Exposed RDP (Remote Desktop Protocol): If port 3389 is accessible from the internet, your assessment will fail. Remote Desktop must be protected behind a VPN or disabled entirely if not needed. This is one of the most actively exploited attack vectors in the UK — protecting it is not just a CE requirement but fundamental security hygiene.
  • Legacy operating systems in scope: Windows 7, Windows XP, Windows Server 2008 R2, Windows Server 2012 — any end-of-life OS on an in-scope device is an automatic failure. Either upgrade the device or formally de-scope it by removing network connectivity entirely. "It's on a separate network" is not sufficient if it has any path to the internet.
  • Admin accounts used for routine activities: If the account used to check email and browse the web also has domain admin rights, this fails the user access control requirement. Every administrator must have a separate, dedicated admin account used only for administrative tasks.
  • Cloud services without MFA: Every cloud service in scope — Microsoft 365, Google Workspace, CRM, accounting software, file sharing platforms — must have MFA enabled for every user. A single cloud service with a single user who has not enrolled in MFA is a failure point. Audit your MFA enrolment status before assessment.
  • End-of-life software: Applications that no longer receive security updates from their vendor fail the patch management requirement. This includes outdated versions of browsers, Java, Adobe Reader, and any bespoke application built on an unsupported framework. Update or remove before assessment.

Do not submit the assessment questionnaire until you have verified all five control areas. A failed assessment delays your certification, requires remediation time, and in some cases requires a second assessment fee. A pre-assessment gap review is almost always faster and cheaper overall.

How to Prepare: Step by Step

  1. Define your scope — determine which devices, systems and cloud services are in scope. The assessment can cover your entire organisation or a defined subset. However, any device or service that processes business data and connects to the internet is generally expected to be in scope.
  2. Conduct a gap audit against all five controls — systematically check your environment against each requirement. Pay particular attention to MFA enrolment status on cloud services and the end-of-life status of all operating systems and applications.
  3. Remediate identified gaps — prioritise by failure risk. MFA implementation across cloud services often takes the most time because it requires user communication, enrolment support, and testing of authentication flows. Allocate 2–4 weeks for MFA rollout if it is not already in place.
  4. Complete the self-assessment questionnaire — the questionnaire is submitted through an IASME-accredited certification body. Read each question carefully; the wording is precise. "All devices" means all devices, not most devices. If you are uncertain about any answer, seek clarification before submitting.
  5. For CE+: book the independent technical assessment — the auditor will conduct external vulnerability scanning, internal authenticated scanning, and endpoint verification. Prepare by reviewing your patch status reports, confirming MFA is enforced (not just available) on all cloud services, and ensuring all administrative accounts are properly separated.
  6. Plan for annual renewal — put the renewal date in your calendar the day you receive your certificate. Allow 6–8 weeks before expiry to begin the renewal process, particularly if your environment has changed significantly during the year.
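The gap audit in step 2, run against the failure points listed above (end-of-life OS in scope, RDP exposed to the internet, high/critical patches past the 14-day window, cloud users without MFA, admin accounts used for email), as an added example that is not Vertex9's tooling or any IASME artefact. The inventory records, field names and the patch id are constructed, and "admin account that also holds a mailbox" is an assumed proxy for admin credentials being used for routine work; in practice the records would come from your MDM, firewall, patch-tool and identity-provider exports.

```python
from datetime import date, timedelta
# End-of-life operating systems named above; any in-scope device running one fails.
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008", "Windows Server 2008 R2",
          "Windows Server 2012"}
PATCH_WINDOW = timedelta(days=14)  # high/critical patches: 14 days from release

def eol_findings(devices):
    """In-scope devices on an end-of-life OS (automatic failure)."""
    return [f"{d['name']}: end-of-life OS {d['os']}"
            for d in devices if d["in_scope"] and d["os"] in EOL_OS]

def rdp_findings(rules):
    """Inbound allow rules that expose RDP (TCP 3389) to any source address."""
    return [f"{r['device']}: RDP open to {r['source']}" for r in rules
            if r["direction"] == "in" and r["action"] == "allow"
            and r["port"] == 3389 and r["source"] in ("any", "0.0.0.0/0")]

def patch_findings(patches, today):
    """High/critical patches still unapplied once the 14-day window has passed."""
    out = []
    for p in patches:
        deadline = p["released"] + PATCH_WINDOW
        if p["severity"] in ("high", "critical") and p["applied"] is None and today > deadline:
            out.append(f"{p['device']}: {p['id']} unapplied, {(today - deadline).days} days overdue")
    return out

def mfa_findings(accounts):
    """Users without MFA, plus admin accounts that hold a mailbox (assumed proxy for routine use)."""
    out = []
    for a in accounts:
        if not a["mfa"]:
            out.append(f"{a['service']}/{a['user']}: MFA not enrolled")
        if a["admin"] and a["mailbox"]:
            out.append(f"{a['service']}/{a['user']}: admin account used for email")
    return out

# Constructed sample inventory (not real systems); load your own exports here in practice.
DEVICES = [{"name": "ws01", "os": "Windows 11", "in_scope": True},
           {"name": "srv02", "os": "Windows Server 2012", "in_scope": True}]
RULES = [{"device": "edge-fw", "direction": "in", "action": "allow", "port": 3389, "source": "any"},
         {"device": "edge-fw", "direction": "in", "action": "allow", "port": 443, "source": "any"}]
PATCHES = [{"device": "ws01", "id": "PATCH-EXAMPLE-1", "severity": "critical",
            "released": date(2026, 1, 2), "applied": None}]
ACCOUNTS = [{"service": "M365", "user": "alice", "mfa": True, "admin": False, "mailbox": True},
            {"service": "M365", "user": "bob", "mfa": False, "admin": False, "mailbox": True},
            {"service": "M365", "user": "adm-carol", "mfa": True, "admin": True, "mailbox": True}]

def gap_report(today=date(2026, 2, 1)):
    """Every finding that would fail the assessment; an empty list means ready to submit."""
    return eol_findings(DEVICES) + rdp_findings(RULES) + patch_findings(PATCHES, today) + mfa_findings(ACCOUNTS)
```

Each finding maps to one of the failure points above, so an empty report is the signal that the questionnaire is ready to submit.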

Cyber Essentials vs ISO 27001: Which Do You Need?

These two frameworks are not in competition — they address different levels of security maturity and serve different purposes.

Factor            Cyber Essentials                              ISO 27001
Focus             Five specific technical controls              Comprehensive ISMS — people, processes and technology
Effort            Weeks                                         6–12 months
Cost (SME)        £300–£5,000                                   £15,000–£50,000+
Who requires it   Government contracts, NHS, MoD supply chain   Enterprise procurement, financial services, healthcare
NIS2 alignment    Partial                                       Comprehensive
Renewal           Annual                                        Annual surveillance audits; full recertification every 3 years

The recommended progression for most UK SMEs is: achieve CE, maintain it annually, then pursue ISO 27001 when supply chain requirements or regulatory obligations make it necessary. For NIS2 obligations, see our guide to the NIS2 Directive for UK businesses.

Cyber Essentials is not the ceiling of good security practice — it is the floor. Organisations that treat CE certification as the end point rather than the starting point of their security journey are underestimating the sophistication of the threats they face in 2026.

Get Your Cyber Essentials Certification

Vertex9 provides end-to-end Cyber Essentials support: gap assessment, technical remediation, questionnaire guidance and project management through to certification. We also support CE+ audits and annual renewal. Start with a free gap assessment.


Frequently Asked Questions

Does Cyber Essentials cover GDPR compliance?

Cyber Essentials addresses the technical security measures required under GDPR Article 32 — appropriate technical measures to protect personal data. However, it does not cover all GDPR obligations such as data protection policies, Data Protection Impact Assessments, lawful basis documentation, or breach notification procedures. CE is a useful component of GDPR compliance but not a complete substitute for it.

Do cloud services count as in scope for Cyber Essentials?

Yes — since 2022, cloud services that process business data are firmly in scope. This includes Microsoft 365, Google Workspace, CRM systems, accounting software, and any other cloud application used to store or process business or personal data. MFA must be enabled for all users on all in-scope cloud services; this is a hard requirement, not a recommendation.

What happens if we fail Cyber Essentials?

If you fail, you receive a detailed report explaining each failure point and the remediation steps required. You can reattempt the assessment once remediation is complete. Most organisations pass on their second attempt. The key is not to rush to assessment before your environment is ready — a pre-assessment gap analysis saves time overall and is almost always the faster path to certification.

Is Cyber Essentials the same as ISO 27001?

No — they are different in scope, depth and effort required. Cyber Essentials is a focused technical certification covering five specific control areas, typically completed within weeks. ISO 27001 is a comprehensive information security management system covering organisational processes, risk management, governance and technical controls — typically taking 6–12 months to implement. Many organisations pursue CE first, then ISO 27001 as their security maturity develops.

How does Vertex9 help with Cyber Essentials?

Vertex9 provides end-to-end Cyber Essentials support: a gap assessment against all five controls, technical remediation of identified issues (MFA implementation, patch management, firewall configuration), guidance through the self-assessment questionnaire, and project management through to certification. We also support CE+ technical audits and annual renewal programmes.