If your business handles government contracts, works within regulated supply chains, or is looking to improve your cyber insurance terms, you’ve probably encountered the requirement for Cyber Essentials certification.
Cyber Essentials is a UK government-backed certification scheme managed by the National Cyber Security Centre (NCSC), designed to help organisations of all sizes protect themselves against the most common internet-based cyber threats.
For Kent-based SMEs bidding for public sector work or seeking to demonstrate credible baseline security, understanding what Cyber Essentials involves—and how the rules changed in April 2026—is now more important than ever.
What Is Cyber Essentials Certification?
Cyber Essentials certifies that your organisation has the five basic technical controls in place to defend against common cyber attacks.
These controls are estimated to prevent around 80% of common cyber attacks.
The scheme offers two tiers:
- Cyber Essentials: A self-assessed certification where you answer roughly eighty questions about how your organisation handles firewalls, secure configuration, user access, malware protection and security update management, and a qualified assessor reviews your answers.
- Cyber Essentials Plus: An independent assessor verifies that the controls are actually in place and working on your live systems, rather than relying on a self-assessment questionnaire.
The certificate is valid for 12 months and must be renewed annually if required by contract or insurance policy.
Why UK Businesses Need Cyber Essentials
Cyber Essentials has moved from optional to essential for a growing number of organisations. Here’s why:
Government Contracts and Public Sector Work
Since October 2014, all suppliers bidding for UK government contracts involving sensitive information must hold a valid Cyber Essentials certificate.
Government contracts and public sector frameworks require it as a minimum.
Without valid certification, your bid simply won’t be considered—regardless of price or capability. This applies across central government departments, and increasingly to local authority and NHS contracts as well.
Supply Chain Requirements
An increasing number of enterprise supply chains now require suppliers to hold valid Cyber Essentials certification before procurement processes can progress.
Larger organisations use the scheme as part of supplier due diligence, particularly in fintech, legal, and healthtech sectors.
Cyber Insurance
Cyber insurers are tightening underwriting requirements and many now require certification as a condition of cover or offer significantly better premiums to certified businesses.
Cyber Essentials comes with free cyber insurance if your business turnover is less than £20 million.
For businesses looking to improve their security posture and reduce premiums, certification makes commercial sense.
The Rising Threat Landscape
UK organisations experienced a 36% year-on-year increase in cyber attacks per week in 2025, compared to a global average of 9.8%.
With ransomware and phishing attacks continuing to escalate—as we covered in our recent article on preparing for the next wave of ransomware—the baseline protections Cyber Essentials mandates are no longer optional luxuries.
The Five Technical Controls
Cyber Essentials certification is built around five core areas:
- Firewalls and Internet Gateways: Boundary protection that filters incoming traffic and prevents unauthorised access to your internal network.
- Secure Configuration: Ensuring devices, software, and services are configured securely, with unnecessary features disabled and defaults changed.
- User Access Control: Managing who has access to what, enforcing the principle of least privilege, and implementing multi-factor authentication (MFA) where available.
- Malware Protection: Active protection against malicious software using antivirus, endpoint detection and response (EDR), or application whitelisting.
- Security Update Management: Timely patching of operating systems, applications, and firmware to close known vulnerabilities.
The five core controls have not changed; what has changed is how strictly assessors enforce them, how broadly the scheme defines scope, and where the new automatic failure points sit.
What Changed in April 2026: The v3.3 Update
From 27 April 2026, all Cyber Essentials assessments use the new v3.3 requirements, known as the Danzell question set.
The updates are subtle but significant, particularly for businesses that have previously passed with workarounds or partial compliance.
Multi-Factor Authentication Is Now Mandatory
The biggest change: from v3.3 onwards, if any cloud service you use offers MFA and you haven’t switched it on, you will automatically fail your assessment.
Where any cloud service offers MFA, it must be enabled; partial implementation, for example only applying MFA to admin accounts, is no longer sufficient.
This affects Microsoft 365, Google Workspace, accounting software, CRM platforms, and any SaaS tool with customer or business data.
Cloud and Hybrid Infrastructure Explicitly In Scope
The v3.3 version explicitly addresses cloud and hybrid infrastructure, with controls now applying to cloud platforms (AWS, Azure, GCP) under the Shared Responsibility Model, hybrid setups spanning on-premises and cloud, and SaaS applications with third-party data storage.
Under the 2026 rules, any device that connects to the internet and any cloud service that stores your data is in scope; you cannot exclude things without proper justification.
Stricter Scoping and Enforcement
Assessors are now enforcing the rules more rigorously. Businesses that approach renewal as a straightforward repeat of previous years may find themselves facing remediation work or even failure if gaps exist in areas previously overlooked.
How Much Does Cyber Essentials Cost?
The IASME assessment fee for Cyber Essentials in 2026 depends on organisation size:
- Micro organisations (1 to 9 employees): £330 plus VAT
- Small organisations (10 to 49 employees): £400 plus VAT
- Medium organisations (50 to 249 employees): £450 plus VAT
- Large organisations (250 or more employees): £500 plus VAT
That’s the official certification fee, but the true cost includes preparation, remediation, and any tooling upgrades required to meet the controls.
The realistic total first-year cost for a 25-person business is £1,500–£3,000 when factoring in MFA rollout, endpoint protection, patch management, and IT resource time.
For Cyber Essentials Plus, most UK businesses pay between £1,500 and £3,000 plus VAT, with the exact figure determined by sample size, complexity and the assessor you choose.
How to Get Cyber Essentials Certified
Getting Cyber Essentials certified in 2026 is a six-step process: scope your IT, fix the gaps against the five technical controls, register with IASME, complete the questionnaire, respond to assessor queries, and (optionally) book the Plus audit.
Here’s what that looks like in practice:
- Scope your IT estate. Document every device, application, cloud service, and user account that connects to the internet or handles business data. Don’t try to exclude systems without proper justification—v3.3 has tightened the rules considerably.
- Conduct a gap analysis. Review your current setup against the five controls. Common gaps include missing MFA on cloud services, outdated firmware on network hardware, inconsistent patch schedules, and admin rights assigned too broadly.
- Remediate the gaps. Enable MFA across all eligible platforms. Update firewalls and endpoint protection. Lock down user permissions. Establish a documented patch management process. If you’re unsure where to start, our IT support team can run a compliance audit and prioritise the work.
- Register and complete the self-assessment. Choose an IASME-accredited certification body, pay the assessment fee, and complete the online questionnaire. Be accurate—the assessor will query inconsistencies or missing detail.
- Respond to assessor queries. Expect follow-up questions. Be prepared to provide screenshots, configuration exports, or policy documents as evidence.
- Receive your certificate. Typical turnaround is 5–10 working days.
Once certified, the badge is valid for 12 months and can be displayed on your website, tender submissions, and marketing materials.
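As an added example, not code from the original article or from Meridian Micro, the following Python script turns the gap-analysis step and the v3.3 MFA rule described earlier into a pre-assessment check run over a constructed inventory. Service names, usernames, hostnames and the inventory layout are all assumptions; in practice you would build the inventory from your own tenant and endpoint exports.

```python
from dataclasses import dataclass

@dataclass
class CloudService:
    name: str
    offers_mfa: bool
    mfa_enabled: dict    # username -> True/False (constructed export, not a real tenant)
    admins: frozenset    # usernames holding admin roles

@dataclass
class Endpoint:
    hostname: str
    protection: str          # malware protection product name
    subscription_active: bool
    enterprise_grade: bool   # consumer-grade tools are a fail per the pitfalls above

def check_mfa(service):
    """v3.3 rule: a service that offers MFA must have it on for every user."""
    if not service.offers_mfa:
        return []
    missing = sorted(u for u, on in service.mfa_enabled.items() if not on)
    if not missing:
        return []
    admins_covered = all(service.mfa_enabled.get(a, False) for a in service.admins)
    note = ("admin-only MFA is not sufficient under v3.3" if admins_covered
            else "admin accounts also lack MFA")
    return [("FAIL", f"{service.name}: {len(missing)} user(s) without MFA, "
                     f"{note}: {', '.join(missing)}")]

def check_endpoint(ep):
    """Malware protection must be enterprise-grade and the subscription current."""
    if not ep.subscription_active:
        return [("FAIL", f"{ep.hostname}: {ep.protection} subscription has expired")]
    if not ep.enterprise_grade:
        return [("FAIL", f"{ep.hostname}: consumer-grade protection ({ep.protection})")]
    return []

def readiness(services, endpoints):
    """Collect every automatic-failure finding across the in-scope inventory."""
    findings = []
    for s in services:
        findings += check_mfa(s)
    for e in endpoints:
        findings += check_endpoint(e)
    return findings

# Constructed sample inventory (assumed names, not real accounts or hosts)
SERVICES = [
    CloudService("Microsoft 365", True, {"alice": True, "bob": True, "carol": False}, frozenset({"alice"})),
    CloudService("Accounting SaaS", True, {"dave": True}, frozenset({"dave"})),
    CloudService("Legacy line-of-business app", False, {"erin": False}, frozenset()),
]
ENDPOINTS = [Endpoint("kent-laptop-01", "VendorEDR", True, True),
             Endpoint("kent-laptop-02", "FreeHomeAV", True, False)]

if __name__ == "__main__":
    for severity, message in readiness(SERVICES, ENDPOINTS):
        print(severity, message)
```

Anything reported as FAIL is a finding an assessor would also raise, so each one needs remediation before the questionnaire is submitted.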
Cyber Essentials Plus: When It’s Required
MOD supply chain contracts require Cyber Essentials Plus.
If your buyers, insurers or regulators specifically ask for Cyber Essentials Plus, or you sell into central government, defence or sensitive supply chains, the Plus uplift is normally non-negotiable.
The Plus audit includes external vulnerability scanning and a technical review of live systems, so preparation must be thorough—there’s no opportunity to resubmit without paying the full fee again.
Common Pitfalls to Avoid
- Underestimating scope. Cloud services, mobile devices, and remote workers are all in scope under v3.3. Don’t assume you can exclude them.
- Partial MFA rollout. Admin-only MFA is no longer enough. If the service offers it, every user must have it enabled.
- Outdated antivirus or missing endpoint protection. Consumer-grade tools and expired subscriptions will cause you to fail. Ensure enterprise-grade malware protection is active and up to date.
- Poorly documented patching. Ad-hoc updates aren’t sufficient. You need a documented, repeatable process with evidence that it’s being followed.
- Not seeking help early. Waiting until the week before a tender deadline to start the process rarely ends well. Remediation can take weeks, especially for businesses without in-house IT resource.
How Meridian Micro Can Help
We support SMEs across Kent and the South East through the Cyber Essentials certification process, from initial readiness reviews and gap remediation through to post-certification compliance monitoring. Whether you need help with network hardening, MFA deployment, cloud backup strategies, or a full managed IT partnership that keeps your systems compliant year-round, we make it straightforward.
If you’re bidding for government contracts, facing increased supply chain scrutiny, or looking to strengthen your security baseline under the updated v3.3 rules, we can run a no-obligation gap analysis and provide a clear, costed remediation plan. Call us on 01303 883111 or visit our contact page to book your consultation.
