Cyber Security
Is Cyber Essentials mandatory?
For some contracts, yes. For most businesses, not by law — but it's increasingly the price of doing business with larger clients and insurers. Here's where you actually stand.
Cyber Essentials is a government-backed certification scheme that closes off the most common routes attackers use. It isn't a blanket legal requirement, so for most businesses it isn't mandatory in the strict sense. But 'not legally required' and 'optional in practice' are increasingly two different things.
When it is actually required
Cyber Essentials is mandatory for certain UK government and public-sector contracts — particularly those that involve handling personal or sensitive information. If you bid for that kind of work, you may simply not be eligible without it. Many larger private-sector clients now build the same requirement into their supplier rules.
When it's effectively required
Even where no contract demands it, you'll increasingly meet it from two directions: insurers, who often ask about your security posture (and may price or decline cover accordingly), and clients, who want assurance that working with you doesn't expose them. In a tender, the supplier with certification has an easy advantage over one without.
Why it's worth it regardless
Set the paperwork aside and Cyber Essentials is still the cheapest, fastest way to seriously cut your risk. It's designed to block around 80% of common attacks by getting the fundamentals right — firewalls, updates, access control, malware protection and secure configuration. For most small businesses, that's a far better return than almost anything else you could spend the same money on.
FAQs
Common questions
Who is Cyber Essentials mandatory for?
Most notably, suppliers bidding for certain UK government contracts that involve handling personal or sensitive data. Beyond that, it's increasingly required by larger private clients and asked about by insurers — so for many businesses it's effectively unavoidable even where it isn't strictly required.
What happens if we don't have it?
Nothing automatic — but you may be locked out of contracts that require it, lose tenders to certified competitors, or face tougher questions from insurers. And you miss the simplest, cheapest way to block the most common attacks.
Is it worth getting if no one's asking for it yet?
Yes. It blocks around 80% of common attacks for a modest cost, and it puts you ahead of the curve when a client or insurer does start asking — which, increasingly, they do.