Is Cyber Essentials mandatory? Who needs Cyber Essentials and why


Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against common cyber threats. Achieving Cyber Essentials certification demonstrates a commitment to cybersecurity. Unlike GDPR, Cyber Essentials isn’t mandatory for UK businesses in general.

The Cyber Essentials scheme isn’t covered by binding regulation. Instead, it provides impartial guidance to help businesses improve their cyber posture, built around five security controls: firewalls, secure configuration, user access control, malware protection, and security update management. It’s a great way for any business to improve its cyber credentials, and in some cases certification is mandatory. This blog post explains the conditions under which certification can be necessary.

Government Contracts

Cyber Essentials is mandatory for businesses looking for specific government contracts.

Unless your business achieves Cyber Essentials, you will not be able to bid for such contracts at all. These are contracts that involve handling personal information or delivering certain IT products and services.

For example:

  • Handling the personal information of any UK citizens; e.g., bank details or home addresses
  • Handling the personal information of any government employees, ministers, or advisors; e.g., payroll or expenses information
  • Delivering IT products or services designed to store, process, or transfer data

Cyber Essentials certification is mandated for businesses entering into these contracts and demonstrates that they meet the standards and technical requirements defined by the scheme.

For any business looking to bid for government contracts with one of the above characteristics, it makes sense to achieve Cyber Essentials certification first.

Ministry of Defence Contracts

The UK Ministry of Defence (MoD) requires all its suppliers to comply with Cyber Essentials. The MoD has previously stated that this requirement must flow down to the supply chain: both organisations directly conducting business with the MoD and organisations delivering to the MoD supply chain must be Cyber Essentials certified.

Importance of Cyber Essentials

Should your business get a Cyber Essentials certification even if it isn’t mandatory?

Yes. Even if you’re not bidding for government or MoD contracts, you could benefit from having Cyber Essentials.

For SMEs with little or no IT support or expertise, it provides a basic first step towards cybersecurity. Many SMEs lack adequate cybersecurity measures because they mistakenly believe they’re not a target. This is a misconception:

  • 90% of businesses and 94% of charities experienced at least one type of cyber crime
  • 1.5 million UK businesses hit by cybercrime in 2023

Taking the steps to Cyber Essentials

Considering Cyber Essentials for your business but not sure where to start? We’ve got a guide for that. Our guide to certifications in the UK has everything you need to know about Cyber Essentials and who needs it. Read it here.
