Cyber Essentials for MSPs: What UK IT Providers Need to Know in 2026
A complete guide to Cyber Essentials for MSPs in the UK — covering all five controls, CE vs CE+, public sector requirements, and how to streamline compliance.
Cyber Essentials for MSPs in the UK has become far more than a box-ticking exercise. Since the National Cyber Security Centre (NCSC) made Cyber Essentials mandatory for UK government contracts involving the handling of sensitive data, the scheme has moved from a nice-to-have credential to a commercial necessity for any MSP with public sector ambitions. Yet despite its growing importance, relatively little practical guidance exists for managed service providers navigating the scheme — both for their own certification and when helping clients achieve it. This article covers everything a UK MSP needs to know in 2026. For insights into how compliance and operational efficiency relate, see our article on the real cost of MSP tool sprawl.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme developed by the NCSC and administered through a network of accredited certification bodies. It was introduced in 2014 and has been updated several times since, with the most significant revision — Willow — taking effect in 2022 and continuing to govern assessments in 2026.
The scheme is designed to provide assurance against the most common internet-based cyber threats. It is not a comprehensive security framework in the way that ISO 27001 or NIST CSF are — it does not require formal risk assessments, asset registers, or incident response plans. Instead, it focuses on five technical controls that NCSC data suggests would prevent the majority of opportunistic cyberattacks.
The Five Cyber Essentials Technical Controls
1. Firewalls
Cyber Essentials requires that all devices connected to the internet are protected by a firewall — either a network-level firewall at the perimeter or a software firewall on the device itself. For MSPs managing client environments, this means being able to demonstrate that:
- All in-scope devices are behind a properly configured firewall
- Default firewall rules have been reviewed and unnecessary services are blocked
- Administrative access to firewalls is restricted and protected with strong authentication
The Aerie RMM platform provides real-time visibility into firewall status across the managed estate, making it straightforward to identify devices that fall outside policy.
2. Secure Configuration
All in-scope devices must be configured securely. This means removing or disabling unnecessary software, services, and accounts; changing default passwords; and ensuring that auto-run features are disabled where not required. The Willow update placed renewed emphasis on cloud services, requiring that cloud tenancies are also configured securely — an important consideration for MSPs managing Microsoft 365 or Google Workspace on behalf of clients.
3. User Access Control
Cyber Essentials requires that user accounts are provisioned with the minimum level of privilege necessary for the user's role. Standard user accounts must not have local administrator rights unless there is a documented business reason. Privileged accounts must not be used for day-to-day email and web browsing. Multi-factor authentication is required for all accounts that can access sensitive data or cloud services.
The Aerie Vault credential and access management module helps MSPs enforce and evidence access control policies across client environments without maintaining separate tooling.
4. Malware Protection
All in-scope devices must have malware protection in place. Under the Willow standard, this can be satisfied by: application allowlisting (only approved software can run), sandboxing (suspicious code is executed in an isolated environment), or anti-malware software from a reputable vendor with up-to-date definitions and real-time scanning enabled.
The Aerie Sentry security module covers malware protection policy enforcement and provides the audit trail required for CE evidence packs.
5. Patch Management
All software on in-scope devices must be licensed, supported by the vendor, and patched within fourteen days of a critical or high-severity patch being released. Unsupported operating systems and applications are a CE failure point — a common issue in SME environments where legacy line-of-business software runs on end-of-life Windows versions.
Automated patch management through Aerie RMM addresses this control directly, with configurable patch windows, approval workflows, and compliance reporting built into the platform.
Cyber Essentials vs Cyber Essentials Plus
The scheme has two tiers:
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Self-assessment questionnaire | Independent technical audit |
| Evidence required | Declarations only | Verified by external assessor |
| Vulnerability scanning | Not required | Required (external and internal) |
| Device inspection | Not required | Assessor inspects sample devices |
| Cost (approximate) | £300–£500 | £1,500–£5,000+ |
| Renewal frequency | Annual | Annual |
| Required for | Most public sector contracts | MOD and higher-assurance contracts |
Cyber Essentials (the base tier) is a self-assessed questionnaire. An organisation declares that it meets each of the five controls, and a certification body reviews the submission. There is no independent technical verification.
Cyber Essentials Plus includes everything in the base scheme plus a hands-on technical assessment carried out by an accredited assessor. The assessor will run vulnerability scans, attempt simulated phishing, and inspect a sample of devices to verify that controls are in place as declared. It is significantly more rigorous — and significantly more expensive.
For most SME clients, the base Cyber Essentials is the appropriate starting point. CE Plus is required for MOD supply chain contracts and is increasingly expected by larger enterprises procuring IT services.
Why UK Public Sector Contracts Require It
Since 2014, Cyber Essentials has been mandatory for all UK government contracts that involve handling personal information or providing certain technical products and services. The requirement has expanded progressively. By 2026, a broad range of public sector frameworks — including Crown Commercial Service agreements, NHS Digital supplier requirements, and local authority procurement — require Cyber Essentials as a baseline qualification.
For UK MSPs, this creates a dual requirement: many MSPs need their own CE certification to bid for public sector work, and their public sector clients need help achieving and maintaining their own certification. This positions MSPs well — but only if they have the tooling and processes to deliver CE readiness efficiently.
How MSPs Can Help Clients Achieve Cyber Essentials
An MSP is uniquely positioned to make Cyber Essentials straightforward for clients. The five controls map almost directly onto good managed services hygiene: patch management, access control, endpoint protection, and firewall management are the day-to-day responsibilities of any competent MSP. The challenge is evidence collection and scoping.
Scoping: CE applies to the entire IP address range and all devices that can access data in scope. For a managed client, the MSP needs to define the boundary clearly — including cloud services, BYOD policies, and remote workers. An incorrectly defined scope is one of the most common reasons clients fail or have to repeat assessments.
Evidence collection: Assessors require documented evidence that controls are in place. Screenshots, configuration exports, patch reports, and access control logs all need to be produced, organised, and retained. Without a unified platform, this typically means manually extracting data from multiple tools.
The Aerie compliance module is built around exactly this workflow. MSPs can map client environments against the CE controls, generate evidence packs automatically, and track remediation tasks through to completion — all from a single interface.
How a Unified Platform Simplifies CE Compliance
The practical challenge of Cyber Essentials for most MSPs is not understanding what is required — it is the operational overhead of gathering evidence across a fragmented toolset. A typical MSP using separate RMM, PSA, endpoint security, and documentation tools must:
- Pull patch compliance reports from the RMM
- Export firewall configuration data from network management tools
- Extract user access reports from Active Directory or the identity provider
- Document anti-malware policy status from the endpoint security console
- Compile everything into a coherent evidence pack manually
With a unified platform like Aerie — combining RMM, Sentry, Vault, and compliance tooling under one roof — the same evidence can be generated from a single data source, consistently formatted, and always up to date. This turns a process that might take a technician several days into something that can be completed in hours.
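As an added illustration (not Aerie code or an NCSC tool) of the checks behind the evidence pack described above, the following script evaluates a constructed device inventory against the five controls, including the fourteen-day window from the patch management section; the record fields, hostnames and patch identifiers are assumptions.

```python
"""Added illustration of a Cyber Essentials gap check over a constructed inventory.
Not Aerie code or an NCSC tool; the record fields below are assumptions."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # CE: critical/high patches applied within 14 days
SUPPORTED_OS = {"Windows 11", "Windows Server 2022"}  # constructed vendor-support list
AS_OF = date(2026, 3, 10)  # assessment date used for the sample run

def check_device(dev, today):
    """Return the CE control failures found in one device record (empty list = pass)."""
    findings = []
    if not dev["firewall_enabled"]:
        findings.append("firewalls: no active host or perimeter firewall")
    if dev["default_password"] or dev["autorun_enabled"]:
        findings.append("secure configuration: default credential or auto-run present")
    if dev["local_admin"] and not dev.get("admin_justification"):
        findings.append("user access control: local admin without documented reason")
    if dev["cloud_access"] and not dev["mfa"]:
        findings.append("user access control: cloud access without MFA")
    if not dev["malware_protection"]:
        findings.append("malware protection: no allowlisting, sandboxing or anti-malware")
    if dev["os"] not in SUPPORTED_OS:
        findings.append(f"patch management: unsupported OS {dev['os']}")
    for patch in dev["pending_patches"]:
        age = (today - patch["released"]).days
        if patch["severity"] in ("critical", "high") and age > PATCH_WINDOW.days:
            findings.append(f"patch management: {patch['id']} pending {age} days (limit 14)")
    return findings

def evidence_pack(devices, today):
    """Map hostname -> findings, the per-device view an assessor asks for."""
    return {dev["hostname"]: check_device(dev, today) for dev in devices}

# Constructed sample inventory: one compliant laptop, one legacy server with several gaps.
SAMPLE_DEVICES = [
    {"hostname": "LAPTOP-01", "os": "Windows 11", "firewall_enabled": True,
     "default_password": False, "autorun_enabled": False, "local_admin": False,
     "cloud_access": True, "mfa": True, "malware_protection": True,
     "pending_patches": [{"id": "KB-EXAMPLE-1", "severity": "high", "released": date(2026, 3, 1)}]},
    {"hostname": "LOB-SRV-01", "os": "Windows Server 2012 R2", "firewall_enabled": True,
     "default_password": False, "autorun_enabled": True, "local_admin": True,
     "cloud_access": False, "mfa": False, "malware_protection": True,
     "pending_patches": [{"id": "KB-EXAMPLE-2", "severity": "critical", "released": date(2026, 1, 20)}]},
]

if __name__ == "__main__":
    for host, findings in evidence_pack(SAMPLE_DEVICES, AS_OF).items():
        print(host, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

Real inventories would come from the RMM and identity provider exports listed above; the same checks then produce one consistently formatted finding per control per device.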
Getting Started
For MSPs who have not yet achieved their own Cyber Essentials certification, the NCSC recommends starting with a gap assessment against the five controls. Most certification bodies provide a pre-assessment questionnaire at no cost. The actual certification can typically be completed within four to six weeks once remediation work is done.
For MSPs looking to offer CE readiness as a service to clients, the key is building a repeatable process: a scoping template, a control checklist, an evidence collection workflow, and a remediation tracker. Aerie's platform is designed to support exactly that workflow out of the box.
Frequently Asked Questions
Is Cyber Essentials mandatory for all UK businesses?
No. Cyber Essentials is mandatory only for suppliers bidding for specific UK government contracts — particularly those involving the handling of personal data or the supply of certain technical products. It is not a legal requirement for private sector organisations, though it is increasingly required by large enterprises in their supply chain due diligence processes.
How long does Cyber Essentials certification last?
Cyber Essentials certification is valid for twelve months. Organisations must recertify annually to maintain their status. The renewal assessment checks that controls remain in place and that the scope has not changed significantly.
Can an MSP hold Cyber Essentials on behalf of its clients?
No. Cyber Essentials certification is organisation-specific. An MSP can hold its own CE certification, but each client must hold their own. The MSP's role is to implement and maintain the technical controls and assist with the evidence-gathering process, but the client is the certificate holder.
What happens if a client fails a Cyber Essentials assessment?
A failed assessment results in a remediation report identifying the specific controls that were not met. The client has a period (typically thirty days, depending on the certification body) to remediate and resubmit. Most certification bodies allow one free resubmission; subsequent attempts may incur additional fees.
Does Cyber Essentials cover cloud services like Microsoft 365?
Yes, under the Willow update. Cloud services used by the organisation are in scope for Cyber Essentials if they process or store organisational data. This includes Microsoft 365, Google Workspace, and other SaaS platforms. MSPs must ensure that cloud tenant configurations meet the CE requirements for access control and secure configuration.
What is the difference between a certification body and an assessor?
A certification body is an organisation accredited by IASME (the scheme's governing body) to issue Cyber Essentials certificates. An assessor is an individual qualified to carry out CE Plus technical assessments. Some certification bodies employ their own assessors; others work with approved freelance assessors.
How much does Cyber Essentials cost in 2026?
The base Cyber Essentials self-assessment costs £300–£500 for most UK certification bodies, depending on organisation size. Cyber Essentials Plus, which involves a hands-on technical assessment, typically costs between £1,500 and £5,000 or more, depending on the complexity of the environment and the certification body chosen.