June 20, 2026

A Cyber Essentials certificate covers a scope, not an organisation

The University of Nottingham held a Cyber Essentials Plus certification when attackers took student and alumni data in June 2026. The certificate did not fail. Its scope never covered the systems that were breached, and that distinction matters to every organisation that relies on a supplier’s certificate. Jonathan Krause, who assesses against the scheme, explains how to read a certificate’s scope and how to set the right one for your own estate.

By Jonathan Krause | Founder and Managing Director, Forensic Control | 20th June 2026

In June 2026 the University of Nottingham confirmed that a criminal group had taken a significant amount of personal data belonging to current students and alumni, including financial information, from its student record system. The university holds a Cyber Essentials Plus certification, which has prompted a fair question from the people who rely on that scheme when they choose suppliers: did the certificate fail?

The certificate did not fail; its scope did

The short answer is no. A Cyber Essentials certificate, and its more demanding Plus version, certifies a declared scope, not an organisation. That scope can be far narrower than the name at the top of the certificate suggests, and at Nottingham it was.

Cyber Essentials (CE) is the government-backed scheme, run by the National Cyber Security Centre (NCSC) and delivered by IASME, that certifies an organisation against five basic technical controls. Cyber Essentials Plus adds hands-on technical verification, including vulnerability scanning and sample device testing, on top of the self-assessment that base CE relies on. Both certify whatever scope the organisation declares, and the scope statement is part of the certificate.

The scope statement is the part of the certificate that decides what it actually means, and it is easy to skip past on the way to the logo. A certificate with a narrow scope is not a weaker certificate. It is a certificate that covers less.

Why an organisation certifies only part of its estate

Nottingham’s certificate covers its research computing estate. That means the high-performance computing clusters used for heavy research workloads, plus the trusted research environments and secure data environments: the locked-down enclaves where approved researchers analyse sensitive health and government datasets without being able to extract them. The public scope statement lists the device and admin networks that support that estate, and then ends with a phrase that settles the question: “excluding all other university networks”. The student record system the university says was breached is one of those other networks, so it was never inside the certificate.

This is common, and it is usually contractual. Research-council, NHS and Office for National Statistics data agreements often require Cyber Essentials Plus for the specific systems that handle their data. An organisation under that kind of obligation certifies the networks it has to, and frequently stops there, because nothing requires it to go further.

That approach holds up right until something happens on the part of the estate that nobody certified. At that point the narrow scope looks like a very different decision in hindsight.

How to read a supplier’s certificate before you rely on it

If you check whether a supplier holds Cyber Essentials Plus before you trust them with your data, the badge on its own tells you very little. The useful information is in the scope.

There are three checks, and none of them needs a meeting. First, open the NCSC certificate search, find the supplier and read the scope statement rather than stopping at the certification level. Second, ask whether that scope actually names the systems that will hold your data (the customer records, the finance platform, the case management system) rather than a subset such as a single data centre. Third, hold the certificate to what it claims: protection against common internet-borne attacks for the systems in scope, at the point the certificate was issued, and nothing at all about the systems outside it. The wording you want to see is “whole organisation”.

I wrote in April about how public-sector buyers can now turn away suppliers who cannot show Cyber Essentials before a contract is awarded. Reading the scope is the other half of that same job. A certificate you went out of your way to ask for is only worth as much as the scope it covers.

What Cyber Essentials Plus certification actually protects

Would a fully applied certification have stopped this? The honest answer is that no certification guarantees anything. The kind of group behind breaches like this is known for social-engineering its way into third-party platforms, which is not the threat Cyber Essentials is built to stop.

The evidence that the controls work where they are applied is strong, though. The five controls are built to block the most common internet-based attacks, the digital equivalent of a thief walking down a street trying doors to see which is unlocked. The government’s 2023 evaluation of the scheme cited research finding that, properly implemented, the controls mitigate the overwhelming majority of internet-originating vulnerabilities. That protection only ever reaches as far as the scope.

This is not only a Nottingham problem. Earlier in 2026 the same pattern played out at the Canvas learning platform run by Instructure, in what has been reported as the largest educational data breach on record, reaching thousands of institutions through the platform rather than through any one of them. The route in was a system the institutions did not run themselves. That is the pattern worth sitting with.

The breaches that do the most damage are rarely sophisticated. They are an unpatched server, an account without multi-factor authentication (MFA), a system everyone assumed someone else was protecting. The government’s 2025/2026 Cyber Security Breaches Survey found that just 15% of businesses review the risks posed by their immediate suppliers. Applied across every network and device rather than one corner of the estate, the controls would have made an incident like this materially less likely.

If you are not certain what your own Cyber Essentials scope covers, or what a supplier’s certificate actually protects, that is a half-hour conversation rather than a project. We will read a scope statement with you, yours or a supplier’s, and tell you plainly what it does and does not cover. The badge is worth having, but knowing what it covers is worth more.

Does Cyber Essentials Plus cover an entire organisation?

No. Cyber Essentials Plus certifies a declared scope, which can be a subset of an organisation’s networks and systems. The scope statement on the certificate defines exactly what was assessed. Anything outside it is not covered, even though the certificate carries the organisation’s name.

How do I check what a supplier’s Cyber Essentials certificate covers?

Use the NCSC certificate search on the IASME website, find the organisation, and read the scope statement rather than stopping at the certification level. “Whole organisation” means the full estate. A narrower wording means only the listed systems were assessed, and nothing else is covered by the certificate.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Base Cyber Essentials is a verified self-assessment against five technical controls. Cyber Essentials Plus adds independent hands-on testing of the systems in scope, including vulnerability scanning and sample device checks. Both certify a declared scope rather than an entire organisation by default.

Why would an organisation certify only part of its systems?

Usually because a contract or data agreement, often with the NHS, a research council or a government department, requires Cyber Essentials Plus for specific systems only. Some organisations certify the systems they are required to and leave the rest outside scope.

Does Cyber Essentials prevent all cyber attacks?

No. It is designed to stop the most common internet-based attacks for the systems in scope, and the government’s 2023 evaluation found the controls mitigate the overwhelming majority of internet-originating vulnerabilities when properly implemented. It does not claim to stop targeted social engineering, and it does not protect systems that sit outside the certified scope.

What should our organisation’s Cyber Essentials scope be?

Ideally “whole organisation”, so every network and device that handles your data is covered. Where cost or complexity makes that hard, the priority is to include the systems that hold sensitive or regulated data, not only the ones a single contract requires.