April 25, 2026

Cyber Essentials

Why your biggest customers are about to start asking for your Cyber Essentials certificate

The UK government's new Cyber Resilience Pledge commits signatory organisations to audit Cyber Essentials coverage across their supply chains. Jonathan Krause explains why your biggest customers are about to start asking for your Cyber Essentials certificate, and what an honest first-time application timeline actually looks like.

At CYBERUK 2026, the UK government launched a Cyber Resilience Pledge that asks signatory organisations to audit Cyber Essentials coverage across their supply chains. Baroness Lloyd has already written to over 180 CEOs urging them to sign. Jonathan Krause, founder of Forensic Control and a former New Scotland Yard investigator, explains what that means for the UK SMEs who are going to be on the receiving end of those audits.

By Jonathan Krause | Founder, Forensic Control | 25 April 2026

The commercial news from CYBERUK is sharper than the security news

On Wednesday 22 April, at the NCSC’s CYBERUK 2026 conference in Glasgow, Security Minister Dan Jarvis announced a voluntary Cyber Resilience Pledge alongside a £90 million investment package over three years. Most of the coverage focused on the national security framing: NCSC chief Richard Horne’s speech earlier that morning confirmed that most nationally significant cyber incidents in the UK now originate from nation states rather than criminal groups. That is the story the national press has run with.

The commercially significant story for most UK businesses is elsewhere in the same announcement. The Pledge commits signatory organisations to three concrete actions, one of which is to audit Cyber Essentials coverage across their supply chains and to register for a new Cyber Essentials Supplier Check Tool within two months of signing. Baroness Lloyd has already written to the CEOs and chairs of over 180 of the UK’s largest businesses encouraging them to sign before the Pledge’s formal summer launch.

The practical consequence is straightforward. If your organisation sells into a major UK enterprise, a government department, or an organisation in a regulated sector, there is now a clock on when one of your customers is going to ask you for your Cyber Essentials certificate. The Pledge made that clock visible. It did not start it.

Voluntary pledges have moved supply chain standards before

Pledges of this kind often read as aspirational, and there is a reasonable question about whether signatory organisations will actually audit their suppliers or simply sign and shelve. Two things suggest this one will carry more weight than usual.

First, the Pledge is structured around concrete actions with fixed deadlines (register for the Supplier Check Tool within two months, board-level cyber governance training within three months) rather than broad commitments. That makes it measurable, and a signatory that fails to act will be publicly visible against the list of organisations that have signed.

Second, the Pledge aligns with a trend that predates it. Large UK organisations were already using Cyber Essentials as a supplier condition in tendering, particularly in public sector contracts and regulated sectors. The Pledge accelerates and standardises what was already happening. It does not have to create the behaviour to produce the outcome.

The audit conversation most SMEs are unprepared for

The pattern in first-time Cyber Essentials applicants is consistent. The trigger is almost never a proactive security decision. It is a customer or prospective customer asking whether the organisation has the certificate, usually with a short deadline attached.

Two recent cases from our own caseload make the pattern concrete. A US-headquartered defence services contractor submitted a contact form on our website out of hours; the message was a single line long. They had been told by a UK Ministry of Defence (MoD) prime that Cyber Essentials Plus was now a condition of continuing on a contract that was already live. They were a first-time applicant.

By the time we replied the next morning, the contact on their side, an Executive Vice President, had cleared his diary, asked what paperwork he could sign immediately, and was pressing to start the same week. That urgency is the tell. It is the signal of an organisation that has just had a commercial conversation it did not want to have.

The second case is structurally similar at a different scale. A consultancy acting for a large UK transport group came to us for quotes covering ten of the group’s operating companies, with a mixture of first-time Cyber Essentials and CE Plus assessments driven by the parent’s supplier assurance function. Several of the operating companies have never been through the scheme before. A few of them will not pass on the first attempt, and all of them have a deadline that was set by someone else.

Neither organisation came to Cyber Essentials because they had decided independently they wanted to be certified. They came because a customer, or a customer’s customer, made it a condition of the commercial relationship. The Pledge formalises the mechanism that produced both of those conversations.

I have never conducted a Cyber Essentials external vulnerability scan on an applicant and seen it come back entirely clean on the first pass. Not once. There is almost always a cloud service with MFA available and not enabled, or an edge device running firmware superseded by a security release months ago.

None of this is a nation-state threat. It is admin, and admin is what fails you when a customer audit lands on top of it.

Cyber Essentials v3.3 sits on the same trend line, not a separate one

Under Cyber Essentials v3.3 (the current version of the scheme, in force since 27 April 2026), a cloud service offering multi-factor authentication (MFA) but not having it enabled is an automatic assessment failure. There is no remediation window within that assessment cycle. This is the most consequential of the v3.3 changes for a first-time applicant.

This sits inside the same window as the Pledge announcement by design rather than by coincidence. IASME, the certification body that administers Cyber Essentials, has been tightening the scheme in response to the same trend Horne referenced at CYBERUK: AI-accelerated vulnerability discovery closing the window between a flaw being public and being exploited. I wrote about the technical side of this two weeks ago after Anthropic’s announcement of their Mythos model, which is the backdrop to what the NCSC and IASME are doing now.

That piece, “Has Anthropic’s Mythos just killed Cyber Essentials?”, covers why the 14-day patching window and the MFA rule matter from a threat perspective. What I am writing about today is why they matter from a commercial one.

For an SME, the two pressures compound. A customer asks for a Cyber Essentials certificate with a short deadline of their own. The application starts, the external scan finds MFA disabled on one cloud service, and under v3.3 that is an automatic fail rather than a finding to remediate during the assessment. The certificate slips by weeks at exactly the moment the customer is asking for it.

Three actions that sharpen any supplier’s position

Audit every cloud service your organisation accesses with business credentials: Microsoft 365, Google Workspace, Salesforce, Xero, Slack, anything with a login. Where MFA is available and not enabled, enable it. Under v3.3 this is the difference between a Cyber Essentials assessment that passes and one that fails automatically, and it is the single highest-return hour of work available to most UK SMEs on this topic.

Review your patch position honestly. The question is not whether a patching process exists on paper, but when the last critical patch actually reached the last device in your estate, and how you would know. Under v3.3, Cyber Essentials Plus assessments require documented evidence of patch compliance across all devices, not a representative sample.
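The two audits above (cloud MFA and patch position) can be run as a single pre-assessment readiness check before the assessor's external scan ever touches the estate. The script below is an added illustration, not code from this article, from Forensic Control or from IASME, and it is not the Supplier Check Tool. It applies the rules as the article states them: a cloud service offering MFA without it enabled is an automatic fail, a critical patch must be applied within the 14-day window, every device needs evidence rather than a sample, and an end-of-life operating system is a fail. The inventory, service names, device names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical readiness check (not IASME tooling). The 14-day figure is the
# patching window the article refers to; adjust if your assessor says otherwise.
PATCH_WINDOW_DAYS = 14


@dataclass
class CloudService:
    name: str
    mfa_available: bool   # does the provider offer MFA at all?
    mfa_enabled: bool     # is it actually switched on for business accounts?


@dataclass
class Device:
    name: str
    os_supported: bool                        # False once the OS is end-of-life
    critical_patch_released: Optional[date]   # release date of the latest critical patch
    critical_patch_applied: Optional[date]    # None = no evidence it was applied


def check_cloud_services(services: List[CloudService]) -> List[str]:
    """Automatic-fail findings: MFA offered by the service but not enabled."""
    return [
        f"{s.name}: MFA available but not enabled (automatic fail under v3.3)"
        for s in services
        if s.mfa_available and not s.mfa_enabled
    ]


def check_devices(devices: List[Device], today: date) -> Tuple[List[str], List[str]]:
    """Return (fails, notes). Every device is examined; there is no sampling."""
    fails: List[str] = []
    notes: List[str] = []
    for d in devices:
        if not d.os_supported:
            fails.append(f"{d.name}: operating system is end-of-life")
            continue
        if d.critical_patch_released is None:
            notes.append(f"{d.name}: no critical patch recorded; confirm the inventory is current")
            continue
        deadline = d.critical_patch_released + timedelta(days=PATCH_WINDOW_DAYS)
        if d.critical_patch_applied is not None:
            if d.critical_patch_applied > deadline:
                late = (d.critical_patch_applied - deadline).days
                notes.append(f"{d.name}: patched, but {late} days past the window")
            continue
        if today > deadline:
            age = (today - d.critical_patch_released).days
            fails.append(f"{d.name}: critical patch {age} days old and no evidence it is applied")
        else:
            left = (deadline - today).days
            notes.append(f"{d.name}: critical patch pending, {left} days left in the window")
    return fails, notes


def readiness_report(services: List[CloudService], devices: List[Device], today: date) -> Dict:
    automatic_fails = check_cloud_services(services)
    device_fails, notes = check_devices(devices, today)
    return {
        "automatic_fails": automatic_fails,
        "fails": device_fails,
        "notes": notes,
        "ready": not automatic_fails and not device_fails,
    }


def sample_inventory() -> Tuple[List[CloudService], List[Device]]:
    """Constructed sample estate; every name and date here is illustrative."""
    services = [
        CloudService("Microsoft 365", mfa_available=True, mfa_enabled=True),
        CloudService("Xero", mfa_available=True, mfa_enabled=False),
    ]
    devices = [
        Device("laptop-01", True, date(2026, 4, 1), date(2026, 4, 3)),   # patched in time
        Device("fw-edge-01", True, date(2025, 10, 10), None),            # edge firmware months behind
        Device("laptop-02", True, date(2026, 4, 20), None),              # still inside the window
        Device("srv-legacy", False, None, None),                         # end-of-life OS
    ]
    return services, devices


def sample_report() -> Dict:
    """Run the check over the constructed estate as of a fixed date."""
    services, devices = sample_inventory()
    return readiness_report(services, devices, date(2026, 4, 25))


if __name__ == "__main__":
    report = sample_report()
    for key in ("automatic_fails", "fails", "notes"):
        for line in report[key]:
            print(f"[{key}] {line}")
    print("ready for assessment:", report["ready"])
```

Run against the constructed estate, the report is not ready: Xero is an automatic fail, the edge firewall and the end-of-life server are fails, and laptop-02 is a note rather than a fail because its patch is still inside the window. The point of separating automatic fails from other findings is that the former cannot be remediated inside the assessment cycle under v3.3, so they are the ones to clear before the application is submitted.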

If your organisation does not currently hold Cyber Essentials certification, start the process now rather than waiting for a customer to ask. The honest answer on timeline depends on two things, and only one of them is within your control. The first is how quickly your team can get the self-assessment done.

If you have a single IT person or outsourced provider who already has a clear picture of the estate, that part can be completed in a matter of days. If the information has to be gathered from several people who each hold a piece of it, three to four weeks is more realistic. The second factor is what the external vulnerability scan finds, and we do not know until we run it.

The uncomfortable conversation we most often have with first-time applicants is that the deadline your customer has given you is not a deadline for getting certified. It is a deadline for starting. If you have MFA switched off on a cloud service, or a firewall running firmware that is six months behind, or devices still running an operating system that went end-of-life last year, those are not issues we can wave through. Under v3.3 the MFA point in particular is an automatic fail within the assessment cycle rather than a finding to be remediated during it.

For a first-time applicant starting from a clean position, two to three weeks from kick-off to certificate is achievable. For a first-time applicant who finds real gaps during the external scan, six to eight weeks is a more honest planning figure, longer if the gaps involve procurement of new hardware or a migration off an unsupported platform. When a prospect tells us their customer needs them certified by next month, the truthful answer is almost always that next month is possible if they start today and nothing breaks, and the month after that is realistic.

Frequently asked questions

What is the Cyber Resilience Pledge announced at CYBERUK 2026?

The Cyber Resilience Pledge is a voluntary commitment announced by Security Minister Dan Jarvis at CYBERUK 2026 on Wednesday 22 April. Signatory organisations commit to three actions: making cyber security a board-level responsibility (including all board members completing NCSC Cyber Governance Training within three months), signing up to NCSC’s Early Warning service within one month, and auditing Cyber Essentials coverage across their supply chains using a new Cyber Essentials Supplier Check Tool within two months. The Pledge will be formally launched in summer 2026 and signatories will be listed publicly.

Will UK businesses be required to have Cyber Essentials to work with Pledge signatories?

The Pledge asks signatory organisations to take a risk-based approach to requiring Cyber Essentials across their supply chains. It does not impose a blanket requirement, and government guidance acknowledges that complex supply chains will take time to audit. In practice, suppliers to signatory organisations should expect to be asked for either Cyber Essentials certification or equivalent assurance that the five Cyber Essentials controls are in place. The more of their supply chain a signatory certifies, the stronger their position against the Pledge commitment.

Who has signed the Cyber Resilience Pledge?

The Pledge has not yet been formally launched. Baroness Lloyd, the cyber security minister, has written to the CEOs and chairs of over 180 of the UK’s leading businesses encouraging them to sign ahead of the formal summer 2026 launch. The final list of signatories will be published by the government and highlighted as exemplars of good practice.

What changed in Cyber Essentials v3.3?

The most significant change in Cyber Essentials v3.3 is that a cloud service offering multi-factor authentication (MFA) but not having it enabled is an automatic assessment failure. There is no remediation window within the assessment cycle. Version 3.3 also requires Cyber Essentials Plus assessments to provide documented evidence of patch compliance across all devices, rather than accepting a representative sample. Version 3.3 came into force on 27 April 2026 and is the current version of the scheme.

How long does a first-time Cyber Essentials application take?

Two to five working days from completion of the self-assessment if the organisation is already compliant with the five controls. Most first-time applicants need longer because the external vulnerability scan surfaces gaps such as MFA not enabled or unpatched edge devices. For a first-time applicant starting from a clean position, two to three weeks from kick-off to certificate is achievable. For a first-time applicant who finds real gaps during the scan, six to eight weeks is a more honest planning figure, longer still if the gaps require procurement of new hardware or a migration off an unsupported platform.

What is the £90 million package announced at CYBERUK 2026?

Security Minister Dan Jarvis announced a £90 million investment package at CYBERUK 2026 on 22 April 2026. The funding will be distributed over three years through existing schemes run by the Department for Science, Innovation and Technology and the National Cyber Security Centre, with targeted support for small and medium-sized businesses. The package sits alongside the Cyber Resilience Pledge and will form part of the National Cyber Action Plan to be published in summer 2026.

Ready to take control of your cyber security?

Safeguard your business with our expert cyber security solutions. Whether you require digital forensics, penetration testing or proactive security assessments, our team is ready to assist. Contact us today to discuss your security needs and take the first step towards a more secure future.
