
What Is Cyber Essentials and Does Your Business Need It?

Written by Jessie Barr

28/04/2026

Cyber Essentials is one of those things that many UK business owners have heard of but aren’t entirely sure they need. The short answer, for most businesses, is yes – and in 2026 the reasons to get certified have become more compelling than ever. New requirements have just come into effect, more enterprise clients and government frameworks are demanding it as a supplier prerequisite, and cyber insurers are increasingly using it as a condition of cover.

Here’s everything you need to know about Cyber Essentials, what’s changed in 2026, and how to prepare your business for certification.


What Is Cyber Essentials?


Cyber Essentials is a UK government-backed certification scheme overseen by the National Cyber Security Centre (NCSC). It defines a set of five core technical controls that every UK business should have in place to protect against the most common internet-borne cyber attacks.

The scheme exists because the vast majority of successful cyber attacks on businesses aren’t sophisticated, targeted operations – they’re opportunistic attacks exploiting basic security gaps that are entirely preventable. The five technical controls that Cyber Essentials covers are estimated to protect organisations from approximately 80% of common cyber attacks.

Certification is available at two levels:

Cyber Essentials is a verified self-assessment. Your business completes a questionnaire confirming that the five controls are in place, an assessor at an IASME-licensed certification body reviews the responses, and the certificate is issued if the requirements are met. Pricing is tiered by organisation size and starts at £320 plus VAT.

Cyber Essentials Plus goes further. An independent assessor conducts hands-on technical testing of your systems to verify that the controls are actually working as claimed, not just documented. This is the higher assurance level and is increasingly required for government and defence supply chain work.

Both certifications last 12 months and must be renewed annually.


The Five Technical Controls


The five controls covered by Cyber Essentials have not changed in the 2026 update, but how strictly they are enforced has. Here’s what each one covers:

Firewalls – a properly configured firewall must sit between your network and the internet, controlling what traffic is allowed in and out. This applies to both physical firewalls and software firewalls on individual devices, including laptops used by remote workers.

Secure configuration – devices and software must be configured securely before use. Default passwords must be changed, unnecessary features and services must be disabled, and systems must be set up to minimise the ways an attacker could get in. Under the 2026 requirements, password policies must enforce a minimum length of 12 characters – increased from the previous 8-character minimum.

User access control – access to systems, data, and applications must be controlled and limited to those who genuinely need it. Admin privileges in particular must be restricted and managed carefully, with standard user accounts used for day-to-day tasks.

Malware protection – active, up-to-date protection against malicious software must be in place across all devices. For most businesses running Windows, Microsoft Defender – properly configured – meets the basic Cyber Essentials requirements when combined with other controls.

Patch management (the scheme now calls this control security update management) – software and operating systems must be kept up to date with security patches. Updates that the vendor rates critical or high risk, or that carry a CVSS v3 base score of 7.0 or above, must be installed within 14 days of release, and automatic updates should be enabled wherever the software supports them. Any software that is no longer receiving security updates from its vendor must be removed from in-scope systems.
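The script below is an added example written for this article; it is not part of the Cyber Essentials question set, Via Wire's tooling, or Microsoft's own code. It gives an administrator a read-only readiness check on a single Windows endpoint against the five controls described above, using the NetSecurity, LocalAccounts and Defender PowerShell modules that ship with Windows. The thresholds ($MinPasswordLength, the 14-day update window, the signature age) are assumptions chosen to match what this article and the scheme describe, so confirm them against the question set you are assessed under. Run it from an elevated PowerShell session; it changes nothing.

```powershell
# Added example: local Cyber Essentials readiness check for a Windows endpoint.
# Read-only; reports findings and changes nothing. Run as an administrator.
# Thresholds below are assumptions to adjust against your question set.
$MinPasswordLength = 12   # the article's stated 2026 minimum
$MaxUpdateAgeDays  = 14   # CE window for critical/high-risk security updates
$MaxSignatureAge   = 1    # days since the last Defender signature update

$findings = [System.Collections.Generic.List[string]]::new()

# Control 1 - Firewalls: every profile (Domain, Private, Public) enabled,
# default inbound action Block.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $findings.Add("Firewall: profile '$($profile.Name)' is disabled")
    }
    if ($profile.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall: profile '$($profile.Name)' allows inbound by default ($($profile.DefaultInboundAction))")
    }
}

# Control 2 - Secure configuration: built-in Administrator and Guest accounts
# disabled, local password length policy at or above the minimum.
foreach ($name in 'Administrator', 'Guest') {
    $acct = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if ($acct -and $acct.Enabled) {
        $findings.Add("Secure configuration: built-in account '$name' is enabled")
    }
}
$accountPolicy = (net accounts) -join "`n"
if ($accountPolicy -match 'Minimum password length:\s+(\d+)') {
    $len = [int]$Matches[1]
    if ($len -lt $MinPasswordLength) {
        $findings.Add("Secure configuration: local minimum password length is $len, expected >= $MinPasswordLength")
    }
}

# Control 3 - User access control (local part only; cloud accounts are checked
# in Entra ID): list local administrators so each one can be justified.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
$findings.Add("User access control: local Administrators = $($admins -join ', ') (confirm day-to-day user accounts are not listed)")

# Control 4 - Malware protection: Defender real-time protection on and
# signatures current. If a third-party product is installed, Defender reports
# passive mode in AMRunningMode and that product must be checked instead.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings.Add("Malware protection: Defender real-time protection is off (mode: $($mp.AMRunningMode))")
}
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAge) {
    $findings.Add("Malware protection: Defender signatures are $($mp.AntivirusSignatureAge) days old")
}

# Control 5 - Patch management: most recent Windows update within the window,
# plus the OS build so an out-of-support version can be spotted. Get-HotFix
# only sees Windows updates; third-party software needs a separate check.
$lastUpdate = Get-HotFix |
              Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 1 -ExpandProperty InstalledOn
if (-not $lastUpdate -or $lastUpdate -lt (Get-Date).AddDays(-$MaxUpdateAgeDays)) {
    $findings.Add("Patch management: last Windows update installed $lastUpdate, outside the $MaxUpdateAgeDays-day window")
}
$os = Get-CimInstance Win32_OperatingSystem
$findings.Add("Patch management: running $($os.Caption) build $($os.BuildNumber); confirm it is still in vendor support")

# Report
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Two of the lines are informational rather than pass/fail (local administrators and OS build) because the scheme's judgement there depends on context an endpoint cannot see: whether each admin has a business reason and whether the vendor still supports the build. Run the script on a representative sample of in-scope devices rather than one, since Cyber Essentials Plus testing samples devices too.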


What’s Changed in 2026: Version 3.3


From 27 April 2026, all Cyber Essentials assessments use the new v3.3 requirements, known as the Danzell question set. The five controls remain the same, but the enforcement is significantly stricter in several areas that will catch businesses out if they’re not prepared.

MFA is now an automatic failure point. Under previous versions, if a cloud service offered MFA and you hadn’t enabled it, you received a major non-compliance warning but could still pass the assessment. Under v3.3, if any cloud service your business uses offers MFA – whether free, included in your subscription, or available as a paid add-on – and you haven’t switched it on, you will automatically fail. For businesses using Microsoft 365, this means MFA must be enabled across all accounts, not just administrator accounts.

Cloud services are more firmly in scope. Any cloud service that stores your business data is now firmly within scope of the assessment. You cannot exclude cloud platforms without proper justification, and assessors will look at how cloud environments are configured – not just on-premises infrastructure.

Backups have been elevated in prominence. The backup requirements have been moved much earlier in the v3.3 documentation, which reflects how seriously IASME takes this area. Backups must be automated, stored separately from primary systems, and – critically – actually tested to confirm they can be restored.

Scope for remote and hybrid workers is broader. Any device that connects to the internet and accesses company data is in scope, including personal devices used for work under a BYOD policy. Businesses that have tried to exclude home working devices from previous assessments will find this more difficult under v3.3.


Why More Businesses Need Cyber Essentials in 2026


Cyber Essentials certification was once considered primarily relevant to businesses supplying government contracts. That’s no longer the case.

Government and public sector contracts – if your business bids for government contracts involving personal or financial data, Cyber Essentials is mandatory. This includes central government departments, NHS organisations, MOD suppliers, and increasingly local authorities.

Enterprise supply chains – large businesses are increasingly requiring their suppliers to hold valid Cyber Essentials certification before procurement processes can progress. If your business supplies larger organisations, check whether this already applies to you.

Cyber insurance – insurers are tightening underwriting requirements. Many now require certification as a condition of cover or offer significantly better premiums to certified businesses. For some businesses, the certification cost pays for itself many times over in reduced insurance premiums alone.

Client due diligence – particularly in professional services, finance, legal, and healthcare sectors, clients and partners are increasingly asking for evidence of Cyber Essentials certification as part of their own supply chain security assessments.

Free cyber insurance for smaller businesses – any UK-based organisation with a turnover under £20m that achieves Cyber Essentials certification covering their whole organisation is automatically entitled to free cyber liability insurance, arranged by IASME, with £25,000 of cover including a 24-hour incident response helpline. For smaller businesses, this is a significant benefit that comes at no additional cost.


How Cyber Essentials Relates to Microsoft 365


For businesses running Microsoft 365, there’s a meaningful overlap between Cyber Essentials requirements and the security controls available within the Microsoft 365 platform.

Microsoft 365 Business Premium is particularly well-aligned with Cyber Essentials. MFA enforcement through Microsoft Entra ID, device management and compliance through Microsoft Intune, endpoint protection through Microsoft Defender for Business, and patch management through automated Windows Update policies together address four of the five Cyber Essentials controls directly.

Businesses that have already implemented Business Premium and configured it properly are often much closer to Cyber Essentials certification than they realise. The remaining work is typically around documentation, scope definition, and any gaps in firewall or access control configuration.

Under v3.3, the MFA requirement is particularly significant. Because Microsoft 365 offers MFA as standard – and in many cases includes it as part of the licence – failing to enable it is now an automatic assessment failure. This is a straightforward fix, but one that needs to be in place before any assessment takes place.
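The following is an added example, not code from Via Wire or Microsoft and not part of the question set, covering the MFA point made here and in the v3.3 section above. It uses the Microsoft Graph PowerShell SDK to check whether a tenant enforces MFA for every account through either Security Defaults or an enabled Conditional Access policy, lists users who have not yet registered an MFA method, and, if nothing enforces MFA, creates a report-only Conditional Access policy requiring MFA for all users on all applications. Conditional Access needs Entra ID P1, which Business Premium includes. The policy name and the emergency-access exclusion variable are assumptions; Connect-MgGraph must be run with an account able to consent to the listed scopes.

```powershell
# Added example: audit and (report-only) enforce MFA for all accounts in a
# Microsoft 365 tenant with the Microsoft Graph PowerShell SDK.
# One-off setup as admin: Install-Module Microsoft.Graph
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -NoWelcome -Scopes @(
    'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess',
    'UserAuthenticationMethod.Read.All',
    'AuditLog.Read.All'
)

# Assumption: object ID of an emergency-access (break-glass) account to exclude
# from the policy so a broken MFA method cannot lock every admin out.
# Leave empty to exclude nobody.
$BreakGlassUserId = ''

# 1. Security Defaults require MFA registration and prompting for all users.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($secDefaults.IsEnabled)"

# 2. Is there an enabled Conditional Access policy requiring MFA for all users
#    on all cloud apps? Graph represents "all" with the literal string 'All'.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$mfaForAll  = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All'
}
Write-Host "Tenant-wide MFA Conditional Access policies: $(@($mfaForAll).Count)"

# 3. Who has not registered an MFA method? These users would be stopped at
#    their first enforced sign-in, so fix registration before a policy goes
#    from report-only to enabled.
$unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
                Where-Object { -not $_.IsMfaRegistered }
Write-Host "Users without a registered MFA method: $(@($unregistered).Count)"
$unregistered | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize

# 4. If neither mechanism enforces MFA, create a report-only policy. Report-only
#    records in the sign-in log what would have happened without blocking
#    anyone; change State to 'enabled' once the log shows no unexpected impact.
#    Security Defaults and Conditional Access are mutually exclusive, hence
#    the first condition.
if (-not $secDefaults.IsEnabled -and @($mfaForAll).Count -eq 0) {
    $users = @{ includeUsers = @('All') }
    if ($BreakGlassUserId) { $users.excludeUsers = @($BreakGlassUserId) }

    $policy = @{
        displayName   = 'CE - Require MFA for all users (report-only)'   # assumed name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = $users
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created report-only policy $($created.Id)"
}
```

The order matters: registration before enforcement, report-only before enabled, and a break-glass exclusion before either. A tenant that switches an all-users MFA policy straight to enabled with unregistered users and no excluded emergency account is the classic way to lock the administrators out of the very tenant being assessed.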


The Certification Process


Getting certified is more straightforward than many businesses expect, particularly with the support of a managed IT provider who knows the requirements.

The process broadly involves assessing which devices, users, and cloud services fall within scope, reviewing your current security controls against the five Cyber Essentials requirements, addressing any gaps identified, completing the IASME self-assessment questionnaire, and having the responses reviewed by an accredited assessor.

Most businesses in a reasonably well-managed IT environment can achieve certification within 4 to 12 weeks, depending on the work required to address any gaps.

If your assessment identifies gaps – particularly around MFA, patch management, or access control – these are areas where a managed IT support provider can implement and configure the required controls efficiently, rather than leaving them to be addressed ad hoc.


Getting Ready for Cyber Essentials


At Via Wire, we help businesses prepare for and achieve Cyber Essentials certification – assessing your current security posture against the requirements, implementing any missing controls, and supporting you through the self-assessment process. For businesses already running Microsoft 365 Business Premium, we can identify how much of the work is already done through your existing Microsoft configuration.

Get in touch today to discuss Cyber Essentials preparation and certification for your business.
