Cyber Essentials

UK government-backed cybersecurity certification scheme covering five basic technical controls; now required across supply chains of Cyber Resilience Pledge signatories.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

Will the Cyber Resilience Pledge make Cyber Essentials mandatory for UK suppliers?

Timeline for Cyber Essentials

#51 May

Required across supply chains of Cyber Resilience Pledge signatories

Cybersecurity: Threats and Defences: UK cyber sector clears 14.7bn pounds
Common Questions
What is Cyber Essentials and who needs it?
Cyber Essentials is a UK Government-backed certification covering five baseline security controls: firewalls, secure configuration, access control, malware protection, and patching. Central government suppliers above a threshold must hold Cyber Essentials Plus. Source: NCSC
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is self-assessed; Cyber Essentials Plus requires an independent technical verification. Plus is considered the credible standard for sensitive government and critical-infrastructure supply chains. Source: NCSC
Does the Cyber Resilience Pledge require Cyber Essentials?
The May 2026 Cyber Resilience Pledge asks signatories to require Cyber Essentials attainment across their supply chains, though the Pledge is voluntary. Source: DSIT Cyber Resilience Pledge
How much does Cyber Essentials certification cost?
The self-assessed Cyber Essentials starts from around £300 for small organisations. Cyber Essentials Plus costs more, typically £1,500 to £5,000 depending on organisation size, as it requires independent verification. Source: NCSC / certification body tariffs

Background

Cyber Essentials moved to the centre of the UK's voluntary Cyber Resilience Pledge announced in May 2026, which asks signatories to require attainment of the scheme across their supply chains in addition to their own operations. The pledge, announced alongside UK cyber-sector revenue figures of £14.7 billion, is intended to raise baseline hygiene across the supplier ecosystem rather than focusing only on large organisations.

Cyber Essentials is an NCSC-run certification scheme, launched in 2014, that establishes five core technical controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. It exists at two tiers: the self-assessed Cyber Essentials and the independently verified Cyber Essentials Plus. Central government contracts above a certain value threshold require Cyber Essentials Plus. The scheme is administered by certification bodies accredited through the UK Cyber Security Council. Approximately 40,000 certificates are issued annually.

Cyber Essentials represents the UK's foundational cyber-hygiene standard, analogous in intent (though not scope) to NIST CSF or ISO 27001 at the basic level. Its inclusion in the Cyber Resilience Pledge as a supply-chain requirement signals government intent to use procurement leverage to propagate minimum standards through the economy rather than legislating directly. Critics note the self-assessed tier can be gamed; Cyber Essentials Plus's independent verification is considered the credible standard for sensitive supply chains.
