Status: In Force
Cyber Essentials Scheme
Also known as: Cyber Essentials (UK)
UK government-backed certification scheme helping organizations protect against common cyber threats. Mandatory for UK government contracts involving sensitive information. Covers 5 technical controls: firewalls, secure configuration, user access control, malware protection, and patch management.
Jurisdiction
United Kingdom
Regulator
—
Effective
6/1/2014
Sector
Government supply chain, All sectors (voluntary), Healthcare (NHS)
Full Text / Summary
The UK's Cyber Essentials Scheme, launched in 2014 and updated with Cyber Essentials Plus, is a government-backed certification scheme that helps organizations protect against the most common cyber threats. While not legally mandatory for most organizations, Cyber Essentials certification is required for all suppliers bidding for UK government contracts involving handling personal information or providing certain technical products and services. The Scheme covers five technical controls: boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management. Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently verified) provide two levels of certification. The 2022 update introduced significant changes including requirements for cloud services, home working, and multi-factor authentication. The National Cyber Security Centre (NCSC) oversees the scheme and updates the requirements annually. For organizations in regulated sectors, Cyber Essentials certification is increasingly referenced by regulators as evidence of baseline cybersecurity hygiene.