Cyber attacks on UK businesses hit a record high in 2025/2026. According to the government’s Cyber Security Breaches Survey, 43% of UK businesses experienced a breach or attack in the past twelve months. If you’ve never come across Cyber Essentials before, it’s the UK government’s direct answer to that problem, and getting certified is simpler than most business owners expect.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme, developed and overseen by the National Cyber Security Centre (NCSC). It sets out five technical controls every business should have in place to defend against the most common types of cyber attack. Think of it as a security baseline that proves to clients, partners, and insurers that your business has the fundamentals covered.
The scheme exists because most cyber attacks aren’t complex operations. They’re opportunistic. Attackers look for easy targets: businesses running unpatched software, using weak passwords, or operating without a proper firewall. Get those basics right and you stop the majority of attacks before they cause any damage.
Cyber Essentials vs Cyber Essentials Plus
Two certification levels exist, and knowing the difference matters before you decide which one to pursue.
Cyber Essentials is a self-assessment. Your business answers a structured questionnaire about your IT setup, security settings, and controls. An accredited IASME assessor reviews your answers, and if everything checks out, you’re certified. It’s reviewed remotely and costs less than the Plus level.
Cyber Essentials Plus goes a step further. All the same controls apply, but an assessor carries out a hands-on technical audit of your actual systems. They don’t just take your word for it. They test what you’ve claimed is in place. The Plus level provides stronger assurance and is often required for public sector work or when managing sensitive client data.
Most small businesses start with the standard certification. If you’re bidding for government contracts or working in a sector where data protection requirements are strict, Plus is worth discussing with your IT support provider.
The Five Controls You Need to Pass
The assessment covers five areas of your IT systems, each one addressing a different attack route.
Firewalls and internet gateways. Your network needs a properly configured firewall to act as a barrier between your devices and the internet, including firewalls on personal devices if they’re used for work.
Secure configuration. All software should be set up safely: default passwords changed, unnecessary features switched off, and systems configured to reduce the risk of attack.
User access control. Your staff should only have access to the data and systems their role requires. Admin accounts should be limited and properly protected.
Malware protection. Up-to-date antivirus or anti-malware software on all devices, or a demonstrable equivalent control.
Security update management. All software, firmware, and operating systems must be kept patched and up to date. Outdated software is one of the entry points attackers exploit most often.
What Changed in April 2026
The scheme moved to version 3.3 in April 2026, and the changes have caught unprepared businesses off guard.
Multi-factor authentication (MFA) is now an automatic fail point. Under the previous version, if a cloud service your business used offered MFA and you hadn’t switched it on, you’d receive a warning but could still pass. That’s changed. Under v3.3, if MFA is available on any cloud service your business uses and you haven’t turned it on, your application fails. No exceptions and no workarounds.
The scope for BYOD (Bring Your Own Device) has also changed. If your staff use personal phones, tablets, or laptops to access company emails, files, or systems, those devices are now formally in scope. Businesses that previously tried to exclude personal devices from their submissions will find that harder under v3.3. Remote and hybrid workers are included too. Any device that connects to the internet and accesses company data is now in scope, regardless of ownership.
If your business adopted flexible working after 2020 and hasn’t reviewed its Cyber Essentials position since, checking where you stand is a sensible next step.
Who Needs Cyber Essentials Certification?
No UK law requires every business to hold Cyber Essentials, but there are clear situations where it becomes effectively essential.
Central government contracts that involve handling sensitive personal data or information security requirements make Cyber Essentials a condition of entry. Public sector procurement processes, NHS frameworks, and many housing association contracts carry the same requirement. Without a current certificate, your business simply won’t be considered.
Private sector supply chains are moving the same way. More large organisations now ask suppliers to demonstrate Cyber Essentials before engaging with them, particularly in construction, finance, and healthcare. Having the certificate removes a barrier to winning business. Pair that with UK IT Services’ cyber security services and your business presents a credible, verifiable security posture to anyone who asks.
Certification also comes with free cyber liability insurance worth up to £25,000 for UK businesses with annual turnover below £20 million. That’s a meaningful benefit included at no extra cost.
How Much Does Cyber Essentials Cost in 2026?
The IASME assessment fee for the standard certification depends on business size. Micro organisations with one to nine employees pay £330 plus VAT. Small businesses with ten to forty-nine employees pay £400 plus VAT.
Cyber Essentials Plus typically costs between £1,500 and £2,500 plus VAT for a small business once the technical audit is included. In the first year, once preparation and any remediation work are factored in, the total spend for a twenty-five-person business often falls between £1,800 and £3,500.
That’s a reasonable investment when you look at the alternative. The government’s Cyber Security Breaches Survey 2025/2026 found that the average cost of a cyber attack on a small UK business was £3,398. Getting certified costs roughly the same as recovering from a single attack, and it sharply cuts your chances of having one.
What Happens If You Fail?
This question comes up in almost every first conversation about Cyber Essentials, yet most guides skip past it.
Failing the assessment doesn’t mean losing money or being penalised. It means your application can’t go forward until the gaps are addressed. The assessor will identify which controls aren’t being met, and your business has the opportunity to fix them before resubmitting.
The most common failure points in 2026 are MFA not enabled on cloud services, outdated software on one or more devices, personal devices used for work that aren’t enrolled in a device management system, and admin accounts with broader access than the role requires.
Most of these gaps are straightforward to address with the right managed IT support in place. An IT provider that knows the Cyber Essentials requirements can review your systems before you submit, identify any issues, and sort them so your application passes first time. That’s far more efficient than discovering problems during the formal assessment and starting again.
How Long Does the Process Take?
For a well-prepared business, standard Cyber Essentials certification from start to finish typically takes two to three weeks. The questionnaire takes a few hours to work through when you have a clear picture of your IT setup, and assessors generally respond within three working days of submission.
Preparation time varies depending on your current position. A business that already has MFA switched on, keeps software up to date, and manages access controls properly can move quickly. A business starting from a weaker position might need four to eight weeks to get the right controls in place before applying.
Working with an IT support provider that understands the Cyber Essentials framework can make the preparation stage considerably faster and less disruptive.
Frequently Asked Questions
Getting certified is one of the most straightforward cyber security decisions your business can make. Here are the questions that come up most often.
Is Cyber Essentials mandatory for UK businesses?
Cyber Essentials isn’t legally required for every business, but it is a condition of entry for most central government contracts that involve sensitive data. Many NHS frameworks, housing association contracts, and large private sector supply chains now require it too. If winning public sector work or bidding on regulated frameworks is part of your plans, certification is not optional.
Does Cyber Essentials certification expire?
Yes. The certificate lasts twelve months and must be renewed each year. The scheme is reviewed annually, so your renewal assessment will reflect any updates to the standard. If you hold a government contract that requires valid certification, letting it lapse may put you in breach of your contract terms.
Does Cyber Essentials cover remote workers and personal devices?
Under the v3.3 update that came into effect in April 2026, yes. Any device that accesses company data and connects to the internet is now in scope, including personal phones and laptops used for work. Businesses that previously excluded home-working devices from their submissions need to account for this under the current version.
Do I need Cyber Essentials Plus or will the standard certification do?
The standard certification is sufficient for most small businesses and for many government contract requirements. Cyber Essentials Plus is worth considering if your business handles sensitive data, bids for higher-value public sector work, or wants to demonstrate a more thorough level of assurance to clients and insurers. An IT support provider can advise which level fits your situation.
Will Cyber Essentials help me win government contracts?
For contracts involving sensitive personal data or information security requirements, it’s a condition of entry. Central government contracts, NHS procurement frameworks, and many public sector tenders won’t be awarded to suppliers without a current certificate. If growing your public sector pipeline is a priority, getting certified should be high on your list.
Can an IT provider handle the Cyber Essentials process for me?
Yes, and it’s usually the most efficient route. A good IT provider will check your systems against the five controls before you submit, fix any gaps, and guide you through the questionnaire. UK IT Services supports businesses through the full Cyber Essentials process, from the initial gap assessment through to successful certification.
Ready to Get Certified?
Cyber Essentials exists because the most common cyber attacks aren’t sophisticated. They work because businesses haven’t covered the basics. Getting certified gives your business a government-backed stamp of approval, opens doors to public sector contracts, and cuts your exposure to the attacks that affected 43% of UK businesses in the last twelve months. Speak to the team at UK IT Services today to find out where your business stands.