Cyber security requirements for UK businesses
How to protect your business from cyber threats and comply with UK cyber security requirements. Includes Cyber Essentials …
Technology & Digital
Technology and digital platforms
Cyber Essentials Certification
Government-backed scheme helping organisations guard against common cyber attacks. Required for many government contracts involving handling of sensitive information.
UK-wide
Guide summary
Get Cyber Essentials certification if your business handles sensitive data for government contracts. You must implement five security controls like firewalls and malware protection. Choose between self-assessment (£300–£500) or verified assessment (£1,500+). Renew your certification every year.
- Implement five security controls to protect against cyber attacks
- Firewalls must block unauthorised access (default deny policy)
- Change default passwords and auto-lock screens after 10 minutes
- Use multi-factor authentication for admin accounts and cloud services
- Install anti-malware software with automatic updates and scans
- Apply critical security updates within 14 days of release
- Choose Cyber Essentials (self-assessment) or Cyber Essentials Plus (verified)
- Pay £300–£500 for basic or £1,500+ for Plus certification
- Renew certification every 12 months
- Required for UK government contracts involving sensitive data
On this page
UK-wide
Related guides in Digital & Technology
Get Cyber Essentials certified
How to achieve Cyber Essentials certification for your business. Covers the five technical controls, certification levels and costs, …
Cyber security basics for small businesses
Practical, low-cost steps to protect your small business from cyber attacks. Covers the five Cyber Essentials controls, free …
Cyber security for financial services firms
FCA operational resilience requirements for cyber security, including the 31 March 2025 compliance deadline, SM&CR responsibilities for cyber …
Tech Sector Compliance Overview
Comprehensive guide to regulatory compliance for technology businesses - UK GDPR, data protection, online safety, cybersecurity, and sector-specific …
Overview
Cyber Essentials is a government-backed certification that demonstrates your organisation has implemented basic cyber security controls. There are two levels:
- Cyber Essentials: Self-assessment questionnaire verified by external body
- Cyber Essentials Plus: Includes hands-on technical verification by qualified assessor
When required
- Bidding for UK government contracts involving handling of sensitive or personal information
- Contracts involving provision of certain ICT products or services
- Many private sector contracts now specify Cyber Essentials as a requirement
Five technical controls
-
1
Review five technical controls
Review the five technical controls and assess your current compliance
-
2
Choose certification level
Choose between Cyber Essentials (self-assessment) or Cyber Essentials Plus (verified)
-
3
Select certification body
Select an NCSC-approved certification body
-
4
Complete assessment
Complete the self-assessment questionnaire or arrange technical assessment
-
5
Pay certification fee
Pay certification fee (typically £300-£500 for basic, £1,500+ for Plus)
-
6
Maintain certification annually
Maintain certification annually (valid for 12 months)