What Is Cyber Essentials and Does My Business Need It?
If you run a small or medium-sized business in London, chances are you've come across the term Cyber Essentials, maybe from a supplier, an insurance company, or a government contract requirement. But what actually is it, and do you need it?
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme, run by the National Cyber Security Centre (NCSC) and IASME. It's designed to help businesses of all sizes protect themselves against the most common types of cyberattack.
It's not a complex, expensive enterprise standard. It's a practical baseline: five core controls that, if properly implemented, protect against around 80% of the common attacks targeting UK businesses.
The five controls are:
Firewalls: protecting your network
Secure configuration: making sure devices and software are set up securely
User access control: limiting who can access what
Malware protection: defending against malicious software
Security update management: keeping systems patched and up to date
Two Levels of Certification
Cyber Essentials (CE): A self-assessment questionnaire verified by a certification body. Most businesses can complete this within a few days once the controls are in place.
Cyber Essentials Plus (CE+): The same five controls, but verified by a hands-on technical audit. A higher level of assurance, required for some government contracts and higher-risk sectors.
Does My Business Need It?
For many London SMBs, the answer is increasingly yes, and here's why.
Government and public sector contracts
If you supply to the public sector, Cyber Essentials is mandatory for most contracts involving digital services or data handling. The Legal Aid Agency made it a requirement for Standard Crime Contract holders from October 2025. Many NHS organisations and local councils now expect it as standard from their suppliers.
Your customers are starting to ask for it
It's not just government. Larger businesses are increasingly requiring Cyber Essentials from their suppliers as part of onboarding and due diligence, particularly in finance, legal, healthcare, and real estate. If you're in one of those sectors, expect the question to come up.
Cyber insurance
Insurers are tightening requirements. Many now ask whether you're Cyber Essentials certified as part of the underwriting process, and certified businesses often benefit from better premiums. Businesses with turnover under £20m who certify their entire organisation also receive £25,000 of free cyber liability insurance included with the certification.
It's good baseline security practice
Even if none of the above apply to you right now, Cyber Essentials gives you a structured way to check your business is protected against the most common threats: phishing, ransomware and credential attacks. UK businesses saw a 36% year-on-year increase in cyber attacks in 2025.
What's Changed in 2026?
The scheme was updated in April 2026 with new requirements. The five controls haven't changed, but enforcement has tightened significantly.
The biggest change: MFA is now an automatic failure point. If any cloud service your business uses offers multi-factor authentication (whether that's Microsoft 365, your CRM or your accounting software) and you haven't enabled it, your assessment will automatically fail. No exceptions.
Cloud services are also now fully in scope. Previously, some businesses excluded cloud platforms from their assessment. That's no longer acceptable under the updated scheme.
If you're renewing or applying for the first time, these are the rules you'll be assessed against.
How Much Does It Cost?
The IASME self-assessment fee is typically £300–£500 + VAT depending on organisation size. The total cost depends on how much remediation your IT setup needs beforehand. For businesses already using Microsoft 365 with MFA properly configured, the path to certification is often straightforward.
How Blackgate Tech Can Help
We work with London SMBs across finance, hospitality, healthcare, real estate, and law to prepare for and achieve Cyber Essentials certification. We'll review your current setup, identify any gaps, and make sure everything is in place before you go through the assessment.
If you'd like a free initial conversation about where your business stands, get in touch. We're happy to take a look.
