Cyber Essentials is a UK government-backed certification scheme that demonstrates a business has basic cyber security measures in place. In 2026, it’s become more important than ever — and the requirements have been updated.

This article explains what Cyber Essentials is, what changed in 2026, and whether your small business should get certified.

What Is Cyber Essentials?

Cyber Essentials is a certification scheme run by the National Cyber Security Centre (NCSC). It covers five technical controls that, according to the NCSC, prevent around 80% of common cyber attacks:

  1. Firewalls — ensuring your network has a properly configured boundary
  2. Secure configuration — making sure devices and software are set up securely
  3. User access control — limiting who has access to what, and with what privileges
  4. Malware protection — anti-malware software on all relevant devices
  5. Patch management — keeping software and firmware up to date

There are two levels: Cyber Essentials (self-assessed) and Cyber Essentials Plus (independently verified). Most small businesses start with the self-assessed version.

What Changed in the 2026 Update?

The Cyber Essentials scheme was updated in April 2026 with several significant changes:

Multi-factor authentication is now mandatory for all cloud services where it’s available. If a cloud service offers MFA — even if enabling it requires a paid licence upgrade — you must have it enabled to pass. This is a significant change that will catch many small businesses out.

Stricter patch management: High-risk and critical security updates must be applied within 14 days of release. This applies to operating systems, applications, and firmware.

Expanded scope: The updated scheme has a broader definition of what’s in scope — including more types of cloud services and remote working arrangements.

Who Should Get Cyber Essentials Certified?

Cyber Essentials certification is required if you want to bid for UK government contracts involving the handling of sensitive information. Beyond that, it’s increasingly being requested by:

Even if none of the above apply to you today, certification demonstrates to clients that you take security seriously — which is increasingly a factor in supplier selection.

Does Cyber Essentials Guarantee Security?

No. Cyber Essentials covers the basics. They are important basics that prevent the majority of common attacks, but they do not amount to a comprehensive security posture. Businesses that handle highly sensitive data or face sophisticated threats need additional measures beyond Cyber Essentials.

For most small businesses, Cyber Essentials represents a solid foundation. Think of it as the minimum standard, not the ceiling.

How Much Does Cyber Essentials Cost?

The self-assessed Cyber Essentials certification currently costs £300 plus VAT for small businesses. Cyber Essentials Plus — which involves an independent technical verification — costs more, typically £1,000–£3,000 depending on the size of your business.

How Can Onixed Help With Cyber Essentials?

Many small businesses find the Cyber Essentials questionnaire confusing — particularly the technical questions about firewall configuration, user access control, and patch management.

Our network security audit covers all five Cyber Essentials control areas. After an audit, you’ll know exactly where you stand against the requirements and what needs to change before you apply for certification.

We can also help you implement the changes needed to achieve certification and support you through the application process.

We serve small businesses across West Yorkshire — Dewsbury, Wakefield, Leeds, Bradford, Huddersfield and surrounding areas.

Free 30-minute consultation: calendly.com/onixed-support
Email: support@onixed.co.uk
Web: onixed.co.uk