Decline in UK Cyber Essentials Certification Numbers – Infosecurity Magazine

Over a decade after the establishment of the UK’s Cyber Essentials scheme, the government recognizes that the current number of certified UK organizations falls significantly short of expectations. Approximately 35,000 businesses in the UK hold Cyber Essentials certification, as reported by the National Cyber Security Centre (NCSC).

During a recent press conference at CYBERUK 2025 in Manchester, Jonathan Ellison, NCSC Director for National Resilience, expressed concern about the low adoption rates, noting that this figure is far from the 5.5 million businesses operating in the UK.

Despite this lack of uptake, a government report from October 2024 highlighted the positive influence Cyber Essentials has had on the security posture of participating organizations. “Cyber Essentials works, we know it works. It’s an evidence-based intervention that we know can make organizations more resilient,” Ellison commented.

Ellison emphasized that enhancing market penetration of the Cyber Essentials scheme is a “big priority” for the UK government in the upcoming year. To incentivize greater participation, compliance with Cyber Essentials has become a prerequisite for many government contracts, particularly those involving sensitive information. Additionally, the government is considering expanding funding for the scheme in specific sectors.

A crucial aspect of increasing participation involves simplifying the compliance process for small businesses. Ellison remarked, “One of the things we’re going to try to do over the next year or so is build that pathway through to Cyber Essentials – how do we work in conjunction with other parts of the economy like banks and insurers to help that journey to Cyber Essentials.”

The Cyber Essentials scheme, launched in 2014, outlines fundamental controls that organizations should implement to mitigate risks associated with common internet-based threats. There are two levels of Cyber Essentials certification:

1. Cyber Essentials: This is a basic, verified self-assessment option focused on five key technical control areas: firewalls, secure segmentation, user access control, malware protection, and security update management.

2. Cyber Essentials Plus: This tier mirrors the five technical control areas of the basic certification but also includes independent testing and sampling of the organization’s infrastructure to validate compliance.

Enhanced participation in the Cyber Essentials scheme is essential for improving the overall cybersecurity landscape within the UK, ensuring organizations are better equipped to defend against evolving threats.