Cyber Essentials Plus was introduced in 2014 as a voluntary scheme for demonstrating baseline cyber security capability. It is no longer voluntary for organisations that want to participate in government procurement, CNI supply chains, or an increasing range of regulated sector frameworks. The window for treating it as optional has closed.
Cyber Essentials Plus - the independently verified version of the UK government's Cyber Essentials scheme - requires an organisation to demonstrate that five critical cyber security controls are in place and operating effectively: boundary firewalls and internet gateways; secure configuration; user access control; malware protection; and patch management.
These are not sophisticated security controls. They are foundational - the baseline that cyber security professionals regard as the minimum necessary to protect against the most common categories of cyber attack. The scheme was designed to be achievable by organisations of all sizes without specialised security expertise or significant financial investment.
From October 2014, the government made Cyber Essentials mandatory for all suppliers holding government contracts that involve handling sensitive information or providing certain technical products and services. The scope has expanded consistently since then. As of 2025, Cyber Essentials Plus is effectively required for participation in Crown Commercial Service frameworks, which cover the majority of central government procurement. It is required by MOD supply chain frameworks. It is increasingly required as a condition of participation in NHS and broader public sector procurement.
In regulated CNI sectors, adoption has accelerated following the government's designation of data centres as CNI in September 2024 and in anticipation of the Cyber Resilience and Infrastructure Protection Bill. Energy sector frameworks, telecommunications contracts, and financial services supplier requirements all increasingly require Cyber Essentials Plus as a threshold criterion.
The consequence is that an organisation without Cyber Essentials Plus certification cannot, in practice, participate in most CNI procurement processes. The certification is available to any organisation. The assessment - conducted by an accredited certification body - costs from approximately £2,000 upwards depending on the size and complexity of the organisation. The remediation work required to pass the assessment, if controls are not already in place, varies but is typically manageable.
The time to certification - from initiating the process to receiving the certificate - is typically four to eight weeks. For organisations that do not currently hold the certification, the practical question is not whether to pursue it but how quickly it can be prioritised.
DIRECT™ Intelligence - CNI Insight Feed - © 2026