The Future of Cyber Security Services

Cyber Essentials Is Getting Tougher in 2026

In my last article I wrote about the UK's Cyber Security and Resilience Bill and why Channel Islands businesses shouldn't assume it doesn't apply to them. The response was great — thank you for the messages.

But several people asked the same question: "Where do we even start?"

The answer, in most cases, is the same place the UK Government has been pointing businesses for over a decade: Cyber Essentials.

And with significant updates landing in April 2026, now is exactly the right time to understand what it is, why it matters, and why — if you're a Guernsey or Channel Islands business — not having it could quietly be costing you work you don't even know you're losing.

So What Is Cyber Essentials?

Cyber Essentials is a UK Government-backed certification scheme, managed by IASME under licence from the National Cyber Security Centre (NCSC). It covers five technical controls that together address the attack vectors used in the majority of common cyber attacks: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management.

It comes in two levels. The basic certification is a self-assessed questionnaire, independently verified by an accredited certification body. Cyber Essentials Plus covers the same five controls but requires independent technical verification by an accredited assessor — running vulnerability scans, checking patch compliance, attempting to install unauthorised software, verifying MFA enforcement, and testing firewall configuration.

It's not an exhaustive security framework. It won't make you impenetrable. But that's not the point. The point is that it addresses the fundamentals — the things that stop the vast majority of opportunistic attacks that are targeting businesses like yours right now.

What's Changing in April 2026?

On 12 February 2026, IASME published a major update outlining the changes to the Cyber Essentials scheme, which come into effect on 27 April 2026. A new question set — named Danzell — replaces the current Willow set. These updates represent a significant revision of the scheme, aimed at improving clarity, strengthening assurance and ensuring greater consistency across assessments.

The headline changes are:

MFA is now an automatic fail if you don't have it. This is the big one. MFA is already required by Cyber Essentials; what has changed is the expectation. Where a cloud service has MFA available — whether free, included in the service, connected through another service, or offered for a fee — and it is not implemented, the result is an automatic failure. Think about what that means in practice: Microsoft 365, Google Workspace, Xero, your CRM, your cloud storage. If MFA is available and you haven't switched it on for every user, you fail. No second chances within that cycle.

Right now, only 40% of UK businesses use MFA on their email. That means the majority would fail this requirement today.

Patching deadlines are now an automatic fail too. Two new auto-fail questions require all high-risk and critical security updates to be installed within 14 days of release. This applies to operating systems, router and firewall firmware, applications, and browser extensions. No exceptions for change boards. No risk acceptance workarounds. If a critical patch has been available for more than two weeks and you have not applied it, you fail.

Cloud services can no longer be excluded from scope. For the first time, Cyber Essentials includes a formal definition of "cloud service" and states that cloud services cannot be excluded from scope. If your business runs on cloud tools — and most do — they're now part of the assessment.

End-of-life software is an automatic failure. Any device running Windows 10 after October 2025, or other end-of-life software, will cause an automatic failure. If you're still running Windows 10 anywhere in your business, that needs addressing now.

These aren't cosmetic changes. They introduce tougher assessment standards, clearer scoping rules and more explicit technical expectations, particularly around identity security, patching and resilience against ransomware.


"But Aren't We Already Doing All This?"

Maybe. But here's what the data says: only 3% of UK businesses currently hold Cyber Essentials certification. Three percent. That means 97% of businesses either haven't engaged with the scheme at all, or have decided — consciously or by default — that it isn't for them.

And for most of that 97%, it's not because they've assessed themselves and concluded they're already secure. It's because certification has never been demanded of them. Yet.

The question to ask yourself is honest and simple: Could you prove, right now, to a client or a regulator, that MFA is enforced across every cloud service your business uses? That critical patches are being applied within 14 days, every time? That there are no devices in your network running unsupported software?

If the answer is "I think so" or "our IT handles that" — that's not the same as being able to demonstrate it.


Why Wouldn't a Business Certify?

It's worth addressing this directly, because the reasons businesses give for not certifying rarely hold up under scrutiny.

"It's too expensive." The basic Cyber Essentials certification starts from a few hundred pounds — considerably less than a single day of legal or PR costs following a breach. Businesses with Cyber Essentials certification file 92% fewer insurance claims than those without. Many cyber insurers now offer reduced premiums for certified businesses.

"It's too complicated." The basic certification is a self-assessment questionnaire. With proper preparation it's achievable by most businesses in a matter of weeks. The complexity argument is usually a proxy for "we haven't prioritised it."

"We're too small to be a target." Attackers increasingly target smaller suppliers to reach larger organisations through trusted relationships. Supply chain cyber attacks accounted for 15% of UK breaches in 2025. Small businesses are not too small to be attacked — they are specifically targeted because they're assumed to have weaker defences.

"We haven't been asked for it yet." This is perhaps the most dangerous reason. Because the moment you are asked — by a new client, in a tender, or following an incident — is not the moment you want to be scrambling to get certified.


The Business Case: What You Could Be Losing

Here's the part that tends to focus minds.

Cyber Essentials became a mandatory requirement for certain UK Government contracts from 1st October 2014, and this requirement was extended to include UK MOD contracts from 1st January 2016. Procurement Policy Note 014 further updated Cyber Essentials requirements for UK Government and UK MOD contracts from 24th February 2025.

All UK government contracts involving personal or sensitive data require Cyber Essentials certification. This requirement is cascading to government supply chains.

And it's not just government. Increasingly, public-sector contracts require Cyber Essentials Plus certification, and private-sector supply chains follow the same model. 48% of Cyber Essentials-certified organisations report their own suppliers are increasingly required to hold certification — creating a cascade through supply chains.

In plain terms: if a UK-regulated business is your client or wants to be your client, there is a growing probability they will ask you for evidence of Cyber Essentials certification. If you can't provide it, you may not lose the conversation immediately — but you will lose tenders, renewals, and supplier approvals quietly, without anyone telling you why.


How Cyber Essentials Fits Into the Bigger Picture

In my last article I talked about the Cyber Security and Resilience Bill and the direction of travel for UK cyber regulation. Cyber Essentials is where that journey begins.

The April 2026 Cyber Essentials changes are designed to strengthen cyber resilience across UK organisations, improve consistency and reduce interpretation in assessments, prevent "last-minute fixes" or selective compliance, and reinforce Cyber Essentials as a trusted supply chain standard.

Think of it as a ladder. Cyber Essentials is the first rung — the baseline that says "we have the fundamentals in place." Cyber Essentials Plus is the second rung, with independent verification. Beyond that sits ISO 27001, SOC 2, and sector-specific frameworks. The Cyber Security and Resilience Bill, when it lands, will effectively demand that in-scope organisations and their supply chains are operating at least at this level.

For organisations working with government, regulated industries and sensitive supply chains, Cyber Essentials Plus is increasingly seen as a strong signal of operational security maturity.

Getting certified doesn't complete your cyber resilience journey. But not getting certified means you haven't started it.


What Does This Mean for Guernsey and Channel Islands Businesses?

Whilst UK legislation doesn't automatically extend to Guernsey, the commercial realities do.

The Channel Islands financial services sector is built on client relationships with UK-regulated institutions. Law firms, fund administrators, fiduciary businesses, accountants, IT providers, HR consultancies — the web of professional services here is deeply intertwined with UK-headquartered clients and counterparties.

Those clients are increasingly required — by regulation, by insurers, by their own boards — to assess the cyber posture of their suppliers. Cyber Essentials is the most visible, verifiable signal of that posture. With 55,995 Cyber Essentials certifications issued in 2025, the scheme has become the de facto standard for demonstrating baseline cybersecurity to government and private sector clients alike.

There's also something worth noting about the competitive landscape closer to home. The GFSC's cyber security rules already require licensed entities to demonstrate appropriate cyber controls. Cyber Essentials aligns directly with those expectations. For businesses that are not GFSC-regulated but serve those that are — IT providers, outsourced support functions, professional advisers — certification is a natural and credible way to demonstrate that you meet the bar your clients are held to.

The number of certifications is expected to grow as supply chain requirements tighten and the Cyber Security and Resilience Bill progresses through Parliament. For professional services firms handling sensitive client data, the question is not whether you need certification. It is whether you can afford to be in the 97% that do not have it.


What Should You Do Before April 27th?

The April 2026 changes apply to all assessment accounts created after 27 April 2026. If you want to certify under the current (less stringent) Willow question set, you need to open your assessment account before that date.

Before you do, work through these questions:

  • Is MFA enabled for every user on every cloud service your business uses — Microsoft 365, Google Workspace, accounting software, CRM, everything?
  • Are critical security patches being applied within 14 days, and can you prove it?
  • Is anyone in your organisation still running Windows 10 or other end-of-life software?
  • Do you know what's in scope for your certification — and can you justify what you've excluded?

If there are gaps, you have a short window to close them. The good news is that these are not complex, expensive problems to fix. They are operational habits — and the April deadline is as good a forcing function as any to get them right.
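To make the auto-fail criteria behind those four questions concrete, here is an added readiness check, my own illustration rather than IASME's or any certification body's tooling, that evaluates a constructed asset inventory against them. The service and device names, user addresses and patch identifiers are invented, and the Windows 10 end-of-support date of 14 October 2025 is assumed.

```python
from dataclasses import dataclass
from datetime import date
PATCH_WINDOW_DAYS = 14   # high/critical updates must be applied within 14 days of release
EOL_SOFTWARE = {"Windows 10": date(2025, 10, 14)}  # assumed end-of-support dates

@dataclass
class CloudService:
    name: str
    mfa_available: bool      # does the provider offer MFA at all?
    users_without_mfa: list  # constructed: accounts where MFA is not enforced

@dataclass
class Device:
    name: str
    os: str
    pending_patches: list    # (patch_id, severity, release_date) not yet installed

def audit(services, devices, today):
    """Return one finding per condition that would auto-fail the assessment."""
    findings = []
    for s in services:
        # Cloud services are in scope; where MFA is offered it must cover every user.
        if s.mfa_available and s.users_without_mfa:
            findings.append(f"MFA: {s.name} offers MFA but it is not enforced for "
                            + ", ".join(s.users_without_mfa))
    for d in devices:
        eol = EOL_SOFTWARE.get(d.os)
        if eol and today > eol:
            findings.append(f"EOL: {d.name} runs {d.os}, unsupported since {eol}")
        for patch_id, severity, released in d.pending_patches:
            age = (today - released).days
            if severity in ("critical", "high") and age > PATCH_WINDOW_DAYS:
                findings.append(f"PATCH: {d.name} missing {severity} update "
                                f"{patch_id}, released {age} days ago")
    return findings
# Constructed inventory, assessed on the 27 April 2026 start date.
SERVICES = [
    CloudService("Microsoft 365", True, ["finance@example.com"]),
    CloudService("Xero", True, []),
    CloudService("LegacyPortal", False, ["ops@example.com"]),  # no MFA on offer: not this rule
]
DEVICES = [
    Device("LAPTOP-01", "Windows 11", [("KB-CONSTRUCTED-1", "critical", date(2026, 4, 10))]),
    Device("LAPTOP-02", "Windows 10", []),
    Device("FW-01", "FirewallOS", [("FW-CONSTRUCTED-2", "high", date(2026, 4, 20))]),
    Device("LAPTOP-03", "Windows 11", [("KB-CONSTRUCTED-3", "low", date(2026, 3, 1))]),
]
def run_sample():
    return audit(SERVICES, DEVICES, date(2026, 4, 27))
```

Run against the sample, it reports three findings: MFA not enforced on Microsoft 365, a critical update on LAPTOP-01 outstanding for 17 days, and LAPTOP-02 still on Windows 10; the firewall's 7-day-old update and the low-severity patch on LAPTOP-03 pass.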


The Bottom Line

Cyber Essentials won't make your business invincible. But it will make it demonstrably more secure than the 97% of businesses that don't have it. It will open doors with UK clients and supply chains that are increasingly closing to uncertified suppliers. It will reduce your insurance premiums. It will give your team, your clients, and your board a credible, verifiable answer to the question: "How do we know you're taking cyber security seriously?"

In the Channel Islands, where reputation is currency, that question is only going to be asked more often.


Following on from my last article on the UK Cyber Security and Resilience Bill — I'd love to hear whether Cyber Essentials is on your radar as a Channel Islands business owner. Are you already certified? Thinking about it? Drop a comment or get in touch.