Updated April 2026

Key takeaways_

• Cyber Essentials is a government-backed scheme to help organisations protect themselves against growing cyber threats
• It is often seen as a strong marker of compliance, making it highly desirable within the supply chain
• Recent changes in April 2026 have changed the criteria, making it even more crucial against modern risk

As businesses expand onto more digital channels, whether it be to serve customers or improve internal efficiencies, the risk of cyber attacks increases. A report from this summer suggests cyber crime has risen 30% year-on-year in 2024 alone.

With cyber attacks becoming more frequent – and likely to continue to do so – security is now a pressing concern. Every business, large or small, can be susceptible to the dangers.

However, the cyber security landscape is a tricky one for many businesses to navigate. Very few organisations have internal security experts, leading to a knowledge gap that leaves them vulnerable.

Cyber Essentials is a framework designed to help businesses get the basic provisions required to protect themselves and their customers, with proven accreditation. It ensures you have the basics you need to protect yourself, even if you don’t have a dedicated cyber security team.

In this blog, we explore exactly what Cyber Essential is and how it can help your business tackle cyber risk.

So, what is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme designed to help organisations protect themselves from common cyber threats. It’s supported by the National Cyber Security Centre (NCSC), the UK’s national authority on cyber security. It focuses on implementing a set of basic, preventative security controls that can significantly reduce the risk of successful cyber attacks.

There are five security controls the scheme follows:

1. Boundary firewalls: Protect your network by using firewalls to control inbound and outbound traffic and minimise dangerous traffic.
2. Secure configuration: Ensure that your devices and software are configured securely to minimise vulnerabilities.
3. User access control: Implement strong access controls (specifically multi-factor authentication) to protect sensitive data and systems against unauthorised users.
4. Malware protection: Protect your devices from malware by using up-to-date antivirus and antimalware software.
5. Patch management: Keep operating systems, applications and network devices updated, applying critical and high‑risk security patches within required timeframes

Cyber Essentials was designed to be easy to understand and implement, even for small organisations. The scheme is also widely recognised, so can be a symbol of trust.

Cyber Essentials changes in 2026_

In April 2026, updates were made to how Cyber Essentials is assessed and enforced. The five core controls have stayed the same, but the scheme is now applied more strictly. In practice, this removes grey areas and expects organisations to show controls are consistently enforced, not just documented. These changes include:

Multi‑Factor Authentication is now mandatory everywhere. If a system supports MFA, it must be enabled for all users, not just admins. This includes email, cloud services and remote access tools. If MFA is available but switched off, the assessment will fail.

Stricter enforcement of patching requirements. The requirement to apply critical and high‑risk security updates promptly has not changed. What has changed is the consequence. Failing to meet patching requirements can now result in an automatic fail, stricter independent verification at Cyber Essentials Plus (including additional vulnerability testing) and an increased risk of certificate revocation.

Greater scrutiny of cloud services. Cloud services have been in scope for several years, but assessments now place greater emphasis on how they are secured in practice. Services such as Microsoft 365, CRMs and finance systems must clearly demonstrate appropriate access controls, MFA enforcement and secure configuration.

Less flexibility, more pass/fail outcomes. The updated scheme introduces more automatic fail conditions and tighter independent verification. Controls that only work “some of the time” or rely on manual checks are far more likely to cause issues.

In short, while Cyber Essentials hasn’t become more complex, it has become more demanding. Organisations now need confidence that MFA is enforced, updates are applied consistently and cloud services are securely configured as part of day‑to‑day operations. Getting it right matters more than ever.’

Why is it a good idea to have a Cyber Essentials accreditation?

There are many benefits for a business that gains Cyber Essentials accreditation.

Most obviously, it’ll enhance your security posture and decrease the risk of successful cyber attacks impacting your business. By implementing the five core controls, businesses can significantly reduce their vulnerability to common cyber threats, which can minimise financial losses, reputational damage and operational disruption.

It makes it easier to implement a robust approach to cyber security that you can manage and maintain long-term. This provides optimal protection of your valuable assets, while also driving resilience.

In some cases, Cyber Essentials can even grant you discounted insurance premiums for greater cost savings. Research from insurers also shows that organisations implementing the Cyber Essentials controls are 92% less likely to make a claim on their cyber insurance.

As Cyber Essentials is so widely recognised, having it can also increase your customer and supplier trust. It demonstrates a commitment to cyber security, reassuring clients and partners that your organisation takes data protection seriously. This can also help you to win more opportunities, especially if cyber security is a key criterion.

Similarly, Cyber Essentials can also improve your brand reputation among customers and make them feel safer when buying from you.

Finally, Cyber Essentials will help you to meet regulations. In certain industries, Cyber Essentials certification may be a requirement to meet regulatory compliance standards. It will also progress you towards more general standards, such as GDPR best practice.

What about Cyber Essentials Plus?

Alongside Cyber Essentials, there is an advanced option known as Cyber Essentials Plus. It is based on the same principles and technical controls as Cyber Essentials. The difference is that compliance is independently verified through technical testing, rather than self‑assessment.

How do you get Cyber Essentials accreditation?

Cyber Essentials is designed to be achievable for any business. There are the core criteria you’ll need to meet to get your certificate.

But before that, you’ll need to purchase the Cyber Essentials scheme from an accredited Certification Body like IASME or IT Governance. Then, it’s time to follow the below steps:

1. Self-assessment questionnaire_

The first step of getting your certificate is getting most of the questions right on your Cyber Essentials questionnaire. This questionnaire assesses your organisation’s adherence to the five core controls of Cyber Essentials, covered by different sections.

Once completed, you submit the questionnaire to the Certification Body for review.

2. Technical validation (for Cyber Essentials Plus)_

If you’re pursuing Cyber Essentials Plus, you’ll need to undergo a technical validation process, which involves a more in-depth assessment of your security controls. This may include vulnerability scanning, penetration testing and on-site audits.

This requires independent verification by an IASME‑accredited assessor.

3. Certification_

If your self-assessment or technical validation is successful, you’ll be awarded the relevant certification.

The Certification Body will issue you an official certificate, which you can use to demonstrate your commitment to cyber security. The certificate lasts for 12 months, at which point you’ll need to recertify, following the steps above once more.

You can find out more about the process with our FAQs.

How to prepare for your assessment_

In order to pass the criteria above, you need to spend time implementing the controls into your business. Cyber Essentials will provide information to help you do this, but you still need the available resource and knowledge to apply them effectively.

If you don’t have this resource, it can make accreditation more difficult to achieve. This is why many businesses choose to work with a partner to support them through the accreditation.

This partner can work with you to get the appropriate controls into place, as well as conduct audits ahead of your assessment to find any issues that may lead to a fail. This will leave you with a detailed report of things to improve.

This will get you into shape to achieve the certification while reducing the burden on your business, especially if you don’t have dedicated security professionals or a significant IT team.

Getting started with Cyber Essentials_

Cyber Essentials is straightforward, once you know exactly what you need to implement. However, if you’re new to cyber security and the scheme, it can be hard to know where to start.

We’ve created a Cyber Essentials checklist to tell you everything you need to have in place.