Last Updated May 2026
Cyber threats are now a reality for organisations of all sizes. Small and medium-sized businesses are increasingly targeted, often because they lack the security controls needed to prevent common forms of attack.
According to the UK Government Cyber Security Breaches Survey, a significant proportion of UK organisations report cyber incidents each year. These attacks can result in operational disruption, financial loss, and reputational damage, making cybersecurity a critical business concern, rather than just an IT issue.
The Cyber Essentials Certification aims to prevent these attacks and minimise the damage in the event of a security breach.
In this article, you will learn:
Cyber Essentials is a UK government-backed cybersecurity certification, developed by the National Cyber Security Centre (NCSC) and delivered by the IASME Consortium. It is designed to help organisations implement a baseline level of security that protects against the most common cyber threats.
The scheme focuses on a set of fundamental security practices that, when properly implemented, can significantly reduce an organisation’s exposure to cyber risk. Rather than introducing complex or resource-intensive requirements, Cyber Essentials provides a clear, structured framework that organisations can follow to strengthen their security posture.
There are two tiers to the Cyber Essentials certification, and knowing the difference between them helps you decide which one is right for your organisation.
The controls for both certifications are the same; the difference between Cyber Essentials and Cyber Essentials Plus is how the assessment is undertaken.
You can learn more about Cyber Essentials and Cyber Essentials Plus in our Ultimate Guide.
At the core of the Cyber Essentials certification are five key technical controls:
Cyber Essentials requires all devices that are connected to the internet to be protected with a firewall. This controls incoming and outgoing network traffic and prevents unauthorised access to networks and business systems.
Cyber Essentials requires systems to be set up securely, with unnecessary features and default settings removed wherever possible.
User access control limits access to systems and data according to roles and responsibilities, ideally following the principle of least privilege, so that users only have access to what they need to fulfil their role.
Malware protection and antivirus systems detect and prevent malicious software from compromising business systems.
Regular updates and patch management ensure that software and devices are kept up to date and protected against a growing list of known vulnerabilities.
With these controls in place, organisations can establish a strong foundation for cybersecurity, reducing the likelihood of successful attacks and improving overall resilience.
To achieve and maintain Cyber Essentials compliance, businesses must be able to prove that these controls are in place and implemented correctly. Certification is renewed annually, so controls must be maintained and updated regularly to stay compliant.
The Cyber Essentials scheme is updated annually to keep it aligned with modern IT systems. All changes are introduced through the “Cyber Essentials Requirements for IT Infrastructure” document, the core technical specification that defines the scope, controls, and assessment criteria of the Cyber Essentials and Cyber Essentials Plus certifications.
Updates generally clarify requirements, reduce ambiguity, and strengthen controls; this helps the certification adapt to evolving threats and accommodate new technologies. The last five years have seen some significant changes to how organisations are certified.
Here is a summary of the main additions over the last 5 years.
The 2021 and 2022 updates aimed to improve clarity, accessibility, and the core controls, making the standard clearer and easier to adopt while reinforcing the fundamentals.
The 2023 updates focused on clarifying the scheme’s scope and expectations, and aimed to align the standard with how organisations actually operate.
2024 introduced refinement rather than major change, focusing on improving usability and consistency.
2025 was effectively a transition year. Following the 2023 updates and 2024 refinements, Cyber Essentials was aligned with most IT environments.
The 2025 Cyber Essentials 3.2 update, nicknamed “Willow”, brought mostly changes to definitions and adjustments to some questions. This included:
The 2026 updates add further requirements and modernisations to strengthen the scheme and adapt it to modern systems and evolving technology.
Cyber Essentials v3.3, nicknamed “Danzell”, introduced tighter controls and clearer expectations, particularly in areas commonly exploited by attackers. It aimed to strengthen enforcement and accountability, and to ensure that controls are consistently applied across organisations.
Click here for an in-depth look at the changes Danzell introduced.
Over the last five years, updates to the Cyber Essentials certification have focused on improving clarity and reducing ambiguity, aligning requirements with modern IT environments (cloud, BYOD, distributed working), and strengthening enforcement of key controls, particularly around MFA and patching.
Despite being government-backed, the Cyber Essentials scheme has seen relatively low adoption across UK businesses.
In 2024, only ~31,000 UK companies were Cyber Essentials certified. The number of businesses adopting Cyber Essentials has remained stagnant; the NCSC’s latest figures from May 2025 indicated around 35,000 organisations were certified.
That means fewer than ~3% of UK businesses have verifiably implemented the controls set out by Cyber Essentials. This gap could leave millions of UK organisations vulnerable to ransomware, phishing, data breaches, and supply chain attacks.
It’s clear that awareness remains a major hurdle, and many SMEs and even mid-sized firms aren’t aware of Cyber Essentials. Government survey data collected in 2025 indicates that only around 1 in 10 businesses (12%) and charities (15%) knew of the scheme, with the smallest organisations being the least informed.
Figure 1. Percentage of businesses over time aware of government guidance, initiatives, or communication campaigns (UK Government Cyber Breaches Survey, 2025)
Cyber Essentials compliance is recommended for all small and medium-sized organisations. It is legally required to win government supplier contracts with the MOD, NHS and some other public sector branches that involve handling sensitive data.
The controls covered by the certification are essential, and should be mandatory, for all sectors handling sensitive data, to ensure this data is protected from breaches. These sectors include:
A successful attack on any of these could impact thousands of UK citizens and cost millions of pounds in damage, along with significant reputational harm and regulatory consequences for the organisations involved.
These sectors are also among the most targeted by cybercriminals. Charities, in particular, are sitting ducks; despite experiencing more attacks than any other similarly sized organisation, Cyber Essentials compliance rates among charities remain lower than the national average.
Cyber Essentials has a tiered pricing structure that increases slightly based on an organisation’s size and complexity.
Cyber Essentials Assessment for Micro Businesses (0-9 employees) starts from £320 + VAT. Small (10-49 employees), medium (50-249 employees) and large (250+ employees) organisations pay more, up to a maximum of £600 + VAT.
An accredited certification body like Cyber Tec can provide guided packages and managed step-by-step support to help you understand the controls and ensure you pass on your first attempt smoothly.
Cyber Essentials helps organisations defend against cyber threats by ensuring the five core controls are in place.
Making this certification mandatory for high-risk sectors would:
In addition to certification, businesses should be encouraged to maintain monthly cybersecurity compliance. Whilst yearly recertification allows compliance to be adapted to changing IT technology, recent years have seen significant changes to the technology landscape, such as the use of AI and LLMs in the workplace, happen over much shorter periods of time.
Monthly compliance checks would ensure that systems stay protected against emerging threats, as security patches and updates would be applied consistently and more frequently. They would also help keep compliance with cyber insurance policies ongoing and verifiable.
Low adoption and limited awareness suggest that more can be done to inform business owners, decision makers and stakeholders about Cyber Essentials and the importance of robust security controls.
Mandates alone are unlikely to drive adoption if organisations are not fully aware of the scheme or its benefits. Additional encouragement could come in the form of:
A nationwide awareness campaign would help increase engagement with the scheme and address common misconceptions around cybersecurity controls.
As a top third certification body, we can help you protect your business against cyber threats and boost client confidence with Cyber Essentials certification.
Our team will help you understand the requirements and provide you with expert guidance at every step of the journey, streamlining the certification process and helping your organisation to bolster its defences and demonstrate its commitment to cybersecurity.
Talk to our team today to get started.