Cyber Essentials

By Jonathan Krause │ Founder, Forensic Control │ 7 July 2026
Parliament’s Public Accounts Committee (PAC) published a report at the end of June warning that the UK’s national museums and galleries are being left vulnerable to cyber attack. The Government’s response to high-profile incidents, the Committee found, has been reactive rather than strategic, and the Department for Culture, Media and Sport (DCMS) has no clear picture of the security posture of the institutions it funds.
The British Library breach in 2023 was the incident that made the problem visible, and the Uffizi attack in February 2026 showed it extends well beyond the UK, yet neither prompted a structured response from DCMS. The Committee’s concern is well founded.
What strikes me, though, is a question the report largely skips past: why are these institutions not required to hold Cyber Essentials in the first place?
Cyber Essentials became mandatory for organisations bidding for UK central government contracts involving sensitive data or technical services in 2014. The mechanism works reasonably well within the procurement process. A technology consultancy bidding for a government contract, a software supplier handling civil service data, or a logistics company managing sensitive government shipments all face the certification requirement as a condition of winning the work.
National museums do not bid for their government funding; they receive it as grants. The 15 institutions sponsored by DCMS received £484 million in grant-in-aid in 2024-25. Grant-in-aid is not a procurement exercise but an allocation made through spending reviews and paid directly to the institution, which means the condition that triggers the mandatory Cyber Essentials requirement, the point of contract award, simply never arises.
Most of these institutions are also Non-Departmental Public Bodies (NDPBs, meaning arms-length public bodies that sit outside central government but are funded and overseen by it) or registered charities. Neither category falls within the mandatory scope. DCMS has no equivalent of a contract condition at its disposal, no moment at which it can say: you want this allocation, show me your certificate first.
I doubt anyone designed this gap deliberately; it looks far more like an artefact of how the mandatory scheme was built, focused entirely on procurement with no equivalent mechanism for grant-funded bodies. A small company winning the catering contract at the Science Museum almost certainly needs Cyber Essentials to win that work. The Science Museum does not.
The British Library breach entered through an unpatched system on legacy infrastructure. The Library’s own published account of the incident cited a failure to maintain systems to modern security standards as a contributing factor. Cyber Essentials requires critical vulnerabilities to be resolved within 14 days and prohibits unsupported software, and applied across the estate those controls would have gone a long way towards closing off that particular entry point.
The Uffizi attack in February came through a vulnerability in third-party software managing images on the museum’s website. By all accounts, a piece of software sitting outside anyone’s security review had gone unpatched, which is precisely the sort of oversight the scheme’s patch management requirements exist to catch.
I would be cautious about claiming certification would have prevented either incident outright, since that is a promise no scheme can honestly make, but the evidence for the controls themselves is solid. The government’s 2024 evaluation of the scheme cites research showing the five CE controls mitigate 92% of internet-originating vulnerabilities when properly implemented, and the entry points in both of these cases fall within that figure.
Last week, writing on LinkedIn about the University of Nottingham breach, I made the point that a Cyber Essentials badge only protects what its scope covers, and reading a certificate without reading the scope statement tells you very little. A supplier’s CE+ badge covering a research computing estate says nothing about their student record systems.
The museums story adds a problem one step further back. I searched the IASME certificate registry (which holds all valid Cyber Essentials and Cyber Essentials Plus certificates issued in the last 12 months) for each of the DCMS-sponsored institutions, and ran broader searches for “museum,” “gallery” and “british” to catch any variant legal name registrations.
The British Museum does not appear, and nor does the British Library, despite it having suffered what was arguably the most disruptive cyber attack on a UK cultural institution in recent memory. The Natural History Museum, the Victoria and Albert Museum, Tate, the National Portrait Gallery, the Wallace Collection and the Royal Museums Greenwich are also absent. A search for “british” returned 50 results; neither the British Museum nor the British Library was among them.
Some institutions do hold certificates, though in each case the scope statement tells you rather more than the certificate itself. The Science Museum Group is certified, but the scope explicitly excludes “gallery and estates networks.” The Imperial War Museum’s certificate is held not by the museum itself but by its commercial trading subsidiary, and the scope excludes “Audio Visual/Public Galleries and Events.” The National Gallery holds CE, but the scope covers “The National Gallery Data Network” rather than the whole organisation. Both the Science Museum Group and the Imperial War Museum note that the excluded networks are segregated behind firewalls, which is a legitimate technical control, though segregation and certification are not the same thing, and in each case the visitor-facing systems, ticketing platforms, AV infrastructure and public-facing technology sit outside the certified scope.
The registry shows only the last 12 months, so a lapsed certificate would not appear here, and I would not claim a blank result means these institutions have no security controls at all. What the search does confirm is that the British Museum, the British Library and most of the 15 DCMS-funded institutions are not currently certified to the scheme the government itself recommends as a baseline.
The Cyber Security and Resilience Bill is currently progressing through Parliament. It expands the scope of regulations that currently apply to operators of essential services and relevant digital service providers, and may, depending on how critical infrastructure is defined in the final text, bring more publicly-funded bodies into a regulated framework. Whether museums and galleries fall within scope will depend on drafting decisions not yet confirmed.
The PAC has asked DCMS to set out the concrete actions museums and galleries have taken to address cyber threats. If that response includes any movement towards baseline certification as a condition of grant-in-aid, it would be a meaningful step, though I would not bank on it.
If you are a museum, a gallery, or an arts organisation trying to work out where to start, the approach is the same as for any organisation managing significant data: certify the scope that covers your most sensitive systems first, and expand from there. Ticketing infrastructure, donor databases, collection management systems and anything connected to physical security are the obvious starting points. The scope matters as much as the badge.
No. Cyber Essentials is mandatory for organisations bidding for UK central government contracts involving sensitive data or technical services. National museums and galleries receive their government funding as grant-in-aid rather than through procurement contracts, so the mandatory requirement never applies. They may voluntarily pursue certification, but there is currently no mechanism that requires it.
Based on a search of the IASME certificate registry (which shows certificates issued in the last 12 months), a small number of institutions hold current certificates. The Science Museum Group holds both CE and CE Plus, though the Basic certificate scope excludes gallery and estates networks. The National Gallery holds CE, scoped to its data network. The Imperial War Museum’s certificate is held by its commercial trading subsidiary, with gallery and AV systems excluded from scope. The British Museum, British Library, Natural History Museum, Victoria and Albert Museum, Tate, National Portrait Gallery, Wallace Collection and Royal Museums Greenwich do not currently appear in the registry.
The British Library breach in 2023 entered through an unpatched system on legacy infrastructure. The Library’s own account cited a failure to maintain systems to modern security standards as a key contributing factor. Cyber Essentials requires critical vulnerabilities to be addressed within 14 days and prohibits unsupported software. These controls directly address that class of entry point. The government’s 2024 evaluation of the scheme shows the five CE controls mitigate 92% of internet-originating vulnerabilities when properly implemented. Whether certification would have changed the outcome cannot be stated with certainty, but the attack was the kind CE was specifically designed to prevent.
The mandatory requirement was designed around public procurement: organisations winning government contracts must be certified. Museums and galleries receive their government funding as grants, not contracts, so the trigger point for the requirement never arises. Most national museums are also Non-Departmental Public Bodies or registered charities, neither of which falls within the mandatory scope. The gap was not deliberate; it is a consequence of how the scheme was built.
The Cyber Security and Resilience Bill is currently progressing through Parliament. It expands the regulatory framework that currently covers operators of essential services and digital service providers. Whether museums and galleries fall within its scope will depend on how critical infrastructure is defined in the final legislation, which has not been confirmed. Cultural and arts organisations should monitor the Bill’s progress, particularly if they handle significant volumes of public data or process financial transactions at scale.
Start with the scope that covers your most sensitive systems: ticketing and booking platforms, donor and financial databases, collection management software, and anything connected to physical security. Certifying this scope first gives you meaningful baseline protection and a foundation from which to expand. Cyber Essentials Basic is the starting point. Cyber Essentials Plus, which involves independent technical verification, is worth considering for any system handling significant financial or personal data. Forensic Control can help you define the right scope for your organisation.
Safeguard your business with our expert cyber security solutions. Whether you require digital forensics, penetration testing or proactive security assessments, our team is ready to assist. Contact us today to discuss your security needs and take the first step towards a more secure future.