Cyber Essentials Certification: Complete Guide for UK SMEs (2026)

Cyber Essentials v3.3 MFA mandate: 19 days away (April 27, 2026). From April 27, MFA is mandatory for all cloud services and admin accounts. No MFA = no new or renewed certification. NHS suppliers and government contractors: act now.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed cybersecurity certification scheme, administered by NCSC (National Cyber Security Centre) and delivered by accredited certifying bodies. It defines a baseline set of technical controls every organisation should have in place to defend against the most common internet-based cyber threats.

The scheme has two levels:

Cyber Essentials (basic) — A self-assessment questionnaire reviewed and verified by an accredited certifying body. You answer questions about your technical controls; an assessor reviews your answers and issues a certificate if you meet the standard. Cost: £300–£500. Valid for 12 months.

Cyber Essentials Plus — Everything in the basic certification, plus an independent hands-on technical audit. An assessor physically or remotely tests your systems to verify the controls you declared are actually implemented correctly. Required for some NHS and Ministry of Defence contracts. Cost: £1,500–£3,000. Valid for 12 months.

ℹ Why It Matters Beyond the Certificate

Cyber Essentials certification is now a mandatory procurement requirement for all UK government contracts that involve handling personal information or providing certain IT products and services. It's also required for NHS suppliers, many local authority tenders, and increasingly for regulated-sector supply chains. The certificate is a commercial necessity as much as a security one.

What Changed in Cyber Essentials v3.3

Version 3.3 of the Cyber Essentials technical standard goes live on April 27, 2026. Organisations renewing or obtaining certification after this date must meet the new requirements. There are three headline changes:

1. MFA is now mandatory. Multi-factor authentication must be enforced on all cloud services (Microsoft 365, Google Workspace, AWS, Salesforce, any SaaS platform) and on every account with administrator-level access. Previously MFA was strongly recommended; v3.3 makes it a hard requirement. This is the biggest single change in the framework's history.

2. Patch management timelines tightened. Critical and high-severity patches must be applied within 14 days of release, down from 30 days. Unsupported software and operating systems that cannot receive security updates must be removed from scope or adequately segregated.

3. Scope and bring-your-own-device (BYOD) clarified. The v3.3 guidance tightens definitions of what must be in scope for certification — including home workers, mobile devices accessing company systems, and cloud platform configurations. BYOD devices used for work must meet the same Cyber Essentials controls as company-owned equipment.


The 5 Technical Controls

Cyber Essentials is built on five technical control areas. You must pass all five to achieve certification:

Control 01: Firewalls

A boundary firewall must protect all devices. For cloud and home working, this means software firewalls on endpoints and correctly configured security groups on cloud services. Default deny-all inbound rules are required.

Control 02: Secure Configuration

All software and devices must be configured to minimise attack surface. Default or factory settings must be changed. Unnecessary accounts, software, and services must be removed. Admin accounts are used only for admin tasks.

Control 03: User Access Control

User accounts must have only the permissions needed to do their job (least privilege). Admin accounts must be separate from standard user accounts. From v3.3: MFA is required on all admin accounts and all cloud services.

Control 04: Malware Protection

Protection against malware is required on all devices in scope. Acceptable approaches include anti-malware software, application allowlisting, or sandboxing. Anti-malware must be kept up to date with current definitions.

Control 05: Patch Management (Security Update Management)

All software — operating systems, applications, firmware — must be kept up to date. v3.3 tightens this to 14 days for critical/high patches. Software that can no longer receive security updates (end-of-life) must be removed from scope, replaced, or segregated from internet-connected systems.
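A readiness check of the kind the controls above call for, written for this guide as an added example (not code from the page, NCSC or any certifying body): it walks a constructed account and device inventory and reports Control 03 gaps (admin or cloud-service accounts without MFA) and Control 05 gaps (unsegregated end-of-life operating systems, and critical/high patches older than the v3.3 14-day window). The account names, device names, dates and patch ids are constructed; the "today" date of April 8, 2026 matches the page's 19-day countdown.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14  # v3.3: critical/high patches applied within 14 days of release

@dataclass
class Account:
    name: str
    is_admin: bool
    cloud_service: Optional[str]  # e.g. "Microsoft 365"; None for a local-only account
    mfa_enforced: bool
@dataclass
class Device:
    name: str
    os_support_ends: Optional[date]  # None: vendor still ships security updates
    segregated: bool                 # isolated from internet-connected systems
    pending_patches: List[Tuple[str, str, date]]  # (patch id, severity, release date)

def check_accounts(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    # Control 03 / MFA mandate: every admin account and every cloud-service account needs MFA.
    findings = []
    for a in accounts:
        if a.is_admin and not a.mfa_enforced:
            findings.append(("Control 03", a.name, "admin account without MFA"))
        elif a.cloud_service and not a.mfa_enforced:
            findings.append(("Control 03", a.name, f"{a.cloud_service} account without MFA"))
    return findings

def check_devices(devices: List[Device], today: date) -> List[Tuple[str, str, str]]:
    # Control 05: no unsegregated end-of-life OS in scope; no critical/high patch older than 14 days.
    findings = []
    for d in devices:
        if d.os_support_ends is not None and d.os_support_ends <= today and not d.segregated:
            findings.append(("Control 05", d.name, "end-of-life OS still in scope"))
        for patch_id, severity, released in d.pending_patches:
            overdue = (today - released).days - PATCH_WINDOW_DAYS
            if severity.lower() in ("critical", "high") and overdue > 0:
                findings.append(("Control 05", d.name, f"{patch_id} ({severity}) overdue by {overdue} days"))
    return findings

# Constructed sample inventory: hypothetical names, dates and patch ids, not real data.
TODAY = date(2026, 4, 8)
ACCOUNTS = [Account("alice.admin", True, "Microsoft 365", False), Account("bob", False, "Google Workspace", False),
            Account("carol", False, "Microsoft 365", True), Account("svc-backup", False, None, False)]
DEVICES = [Device("RECEPTION-PC", date(2025, 10, 14), False, []),
           Device("LAPTOP-07", None, False, [("PATCH-A", "Critical", date(2026, 3, 1)), ("PATCH-B", "Low", date(2026, 1, 1))]),
           Device("LAB-PC", date(2024, 1, 1), True, [])]  # end-of-life but segregated: acceptable

if __name__ == "__main__": print(*(check_accounts(ACCOUNTS) + check_devices(DEVICES, TODAY)), sep="\n")
```

Running it lists four findings: two MFA gaps (the admin and the Google Workspace account) and two patch-management gaps (the in-scope end-of-life PC and a critical patch 24 days past the window); the segregated lab machine and the low-severity patch are not flagged.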

Step-by-Step Certification Process

The process is the same whether you're applying for Cyber Essentials or Plus. Plus adds a technical audit stage after the self-assessment passes.

1. Choose a certifying body

IASME, NCSC-approved certifying bodies, and specialist firms including CyberSense AI partners can assess your organisation. Different bodies serve different sectors — some specialise in healthcare, legal, or finance.

2. Define your scope

Determine which parts of your business (offices, systems, cloud services, users) are in scope. For most SMEs this is the whole organisation. Larger organisations can certify a defined subset.

3. Complete the self-assessment questionnaire (SAQ)

Answer approximately 60 questions about your implementation of the 5 controls across your in-scope environment. Typical time: 2–4 hours for a prepared organisation. Gaps identified here must be fixed before submission.

4. Assessor review and vulnerability scan

For Cyber Essentials, the certifying body reviews your SAQ and conducts an external vulnerability scan of your public-facing IP addresses. Pass: certificate issued (typically 1–3 business days). Fail: remediation required, then resubmit.

5. Technical audit (Cyber Essentials Plus only)

An independent assessor conducts hands-on testing of your systems — checking that controls you declared are actually in place. Conducted on-site or remotely. Takes 1–2 days. Fail on any control and you must remediate and re-test.

6. Certificate issued and published

Your certificate is valid for 12 months from the date of issue. It's listed on the NCSC's public certification register. Renewal must be completed before expiry to maintain continuous coverage — gaps in certification can affect contract eligibility.

Costs Breakdown

Fees vary by certifying body, organisation size, and scope. These are typical ranges for 2026:

Certification | Typical Cost | What's Included | Who Needs It
Cyber Essentials (Basic) | £300–£500 | SAQ review + external vulnerability scan + certificate | All UK SMEs, most government tender requirements
Cyber Essentials Plus | £1,500–£3,000 | Everything above + hands-on technical audit | NHS suppliers, MOD contractors, high-assurance requirements
Micro-organisations (<10 employees) | From £200 | Reduced-fee schemes via IASME | Small businesses, sole traders with employees
Remediation preparation | Variable | Fixing gaps before re-assessment (MFA rollout, patching) | Organisations failing initial self-assessment

⚠ Hidden Cost: Failed Assessments

Many organisations fail their first self-assessment due to gaps they weren't aware of — particularly around MFA, end-of-life software, and default configurations. Discovering and fixing these gaps before submission avoids re-assessment fees (typically £150–£250) and delays. A pre-assessment gap analysis is worth the time investment.

April 27, 2026: What Happens If You're Not Compliant

The April 27 deadline applies to new certifications and renewals processed on or after that date. Existing certificates remain valid until their 12-month expiry — but when you come to renew, v3.3 applies.

For NHS suppliers and government contractors: If your certification expires and you cannot renew because you haven't implemented MFA (or met other v3.3 requirements), you are in breach of contract terms. Contract suspension or loss of tender eligibility can happen within days, not months. The NHS supplier code of conduct is explicit: continuous certification is required, not periodic.

For organisations applying for new certification: Any application submitted from April 27 onward is assessed against v3.3. No exceptions. If you're currently in the assessment process and cross the date, you may be assessed against the new standard depending on your certifying body's transition policy — confirm this now.

For regulated-sector firms: FCA enforcement actions related to cyber controls are up 15% year-on-year. Cyber Essentials certification is not legally required for most FCA-regulated firms, but a lapsed certificate is visible evidence of inadequate cyber hygiene that supervisors will note. The risk is reputational and supervisory, not directly contractual.

🔴 The MFA Gap is Wider Than Most Organisations Realise

50% of UK SMEs experienced a breach in the past 12 months (UK Government Cyber Breaches Survey 2025). The majority involved compromised credentials — the exact attack class MFA prevents. If MFA isn't already enforced on your Microsoft 365 or Google Workspace, you're exposed today, not just on April 27.

Frequently Asked Questions

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire verified by a certifying body. Cyber Essentials Plus includes all of the above plus an independent technical audit — a hands-on verification that the controls you declared are actually in place. Plus certification is required for some NHS and MOD contracts.

How much does Cyber Essentials cost?

Cyber Essentials (basic) costs £300–£500 for the assessment and certification fee. Cyber Essentials Plus costs £1,500–£3,000 depending on organisation size and the certifying body used. Small organisations (fewer than 10 employees) may qualify for reduced fees from around £200.

What does the v3.3 MFA requirement mean in practice?

From April 27, 2026, Cyber Essentials v3.3 requires multi-factor authentication (MFA) for all cloud services and all administrator accounts. Any organisation seeking new or renewed certification must prove MFA is enforced on platforms like Microsoft 365, Google Workspace, and AWS — not just recommended.

Is Cyber Essentials required for UK government contracts?

Yes — if the contract involves handling personal data or providing certain IT products and services to the UK government, Cyber Essentials certification is mandatory. NHS suppliers are similarly required to hold it. Many local authority and regulated-sector tenders now list it as a baseline procurement requirement.

How long does certification take?

The basic Cyber Essentials process typically takes 2–4 weeks from starting the self-assessment to receiving your certificate. Cyber Essentials Plus takes 4–8 weeks because it includes scheduling and completing the technical audit. Certificate validity is 12 months — renewal is required annually.

What happens to my existing certificate after April 27, 2026?

Your existing certificate remains valid until its 12-month expiry. But you cannot renew or obtain new certification without meeting v3.3 requirements, including mandatory MFA. If your certificate expires after April 27 and you haven't implemented MFA, renewal will be blocked. NHS suppliers and government contractors face immediate contract eligibility risk.

The April 27 deadline is 19 days away. If you haven't yet mapped your current state against the v3.3 requirements — particularly the MFA mandate — the window to act before your next renewal is narrow. Start with a readiness check.

Full CyberSense Assessment

Know your Cyber Essentials gaps before your assessor does.

CyberSense AI scans your digital footprint and maps your exposure against Cyber Essentials v3.3, GDPR/DUAA, and FCA standards — in minutes. No system access required.
