What is Cyber Essentials?
**Cyber Essentials** is a UK government-backed cybersecurity certification scheme run by the National Cyber Security Centre (NCSC). It sets a baseline of five technical controls designed to protect organisations against the most common cyber attacks.
There are two tiers:
Both are valid for 12 months and must be renewed annually.
Why it matters in 2026
Government contracts
Since 2014, Cyber Essentials has been mandatory for all UK government contracts involving sensitive or personal data. The scope has gradually expanded — by 2026, most central government procurement frameworks, NHS supplier requirements, and many local authority contracts require at least Cyber Essentials.
If your business supplies public sector organisations, or wants to, certification is effectively non-optional.
Cyber insurance
An increasing number of UK cyber insurance providers now require Cyber Essentials (or equivalent controls) as a condition of cover, or offer premium reductions for certified organisations. NCSC data suggests certified organisations file 80% fewer claims.
Customer and tender requirements
Beyond government, many large private sector organisations now include Cyber Essentials in their supplier due diligence processes. Completing your certification reduces friction in enterprise sales cycles.
It's just good practice
The five controls address the most common attack vectors. An organisation that implements them properly reduces its risk exposure significantly. Not to zero, but the basic Cyber Essentials controls would have prevented the majority of the cyber incidents SmartPath IT has responded to in recent years.
The five Cyber Essentials controls
1. Firewalls (boundary and device)
2. Secure configuration
3. User access control
4. Malware protection
5. Patch management
What the 2026 scheme looks like
The NCSC updated the Cyber Essentials scheme in January 2022 and further refined it in 2023 and 2025. Key 2025/2026 points:
Costs in 2026
Cyber Essentials (self-assessed)
Cyber Essentials Plus (technical test)
Free support for SMEs
The **NCSC's Cyber Essentials for SMEs** programme offers free guidance resources. Additionally, certain sector bodies and growth hubs offer subsidised certification — particularly for:
Ask SmartPath IT whether your sector qualifies for subsidised or co-funded certification.
What to expect from the process
Cyber Essentials (self-assessed)
1. **Readiness assessment** (~1 week): Review your current controls against the five areas. Identify gaps.
2. **Remediation** (1–4 weeks depending on gaps): Patch, configure, implement MFA, tighten firewall rules.
3. **Submit questionnaire** via an approved certification body portal.
4. **Verification call** (1 hour): Certification body reviews your answers and asks clarifying questions.
5. **Certificate issued** if you pass.
Most well-prepared organisations complete the process in 3–6 weeks.
Cyber Essentials Plus
Same preparation, plus:
If issues are found during testing, you have a short window to remediate and retest (varies by provider — typically 2–4 weeks).
Common failure points
The issues that cause most Cyber Essentials failures:
How SmartPath IT helps
We offer a **Cyber Essentials readiness service** that covers:
For organisations pursuing Cyber Essentials Plus, we also coordinate the technical testing and handle remediation of any issues found.
[Get in touch](#contact) to discuss Cyber Essentials preparation for your organisation.