Cyber Essentials Plus (CE+) is the UK government-backed cyber certification scheme that has become a de facto baseline for supplier onboarding, insurance discounts, and panel-firm appointments. The 2026 standard (Annex A version, last updated April 2025) introduces clearer rules on cloud + BYOD. This is the practical UK buyer's guide.
What CE+ actually requires
Cyber Essentials covers 5 control families: firewalls + boundary devices, secure configuration, user access control, malware protection, security update management.
Cyber Essentials Plus adds external + internal vulnerability testing by an NCSC-approved assessor body — verifying the controls are actually implemented (not just claimed).
Certification valid for 12 months. Annual recertification required.
When CE+ is mandatory
Most UK central government contracts require CE+ (some require ISO 27001 or NCSC CAF additionally).
NHS supply chain via DSP Toolkit increasingly cross-references CE+.
MOD supply chain — required for certain bid tiers.
Solicitors' Indemnity Insurance — increasingly bundled or discounted for CE+ holders.
Panel firm appointments in legal + financial services often request CE+ during procurement.
The 2026 standard changes
Cloud services in scope — IaaS workloads owned by the organisation are explicitly in scope. SaaS apps are mostly excluded, but admin access to SaaS is in scope.
BYOD clarification — BYO devices accessing organisational data are in scope. Most organisations now require enrolled / MDM-managed devices to meet the standard.
MFA on all internet-facing services — including cloud-based admin interfaces.
Software currency — all software (not just OS) must be in-support. End-of-support software must be removed or fenced off.
Common gaps UK firms have
BYOD without MDM — the typical gap for SMBs. Microsoft Intune or Jamf Pro resolves this.
Default admin accounts on network appliances — firewalls, switches, printers, IoT.
Unsupported software (Windows 7, Server 2012, old MySQL versions) still in production.
Backup that isn't immutable — a backup that ransomware can reach and encrypt means no recovery. Immutable backup is now expected.
No documented incident response process.
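The gaps above are what a week 1-2 gap analysis is looking for, and most of them can be checked mechanically from an asset inventory. The script below is an added example, not Servnet's tooling or anything from the CE+ standard: it runs the software-currency, BYOD/MDM, MFA, default-credential and backup-immutability checks over a constructed inventory; the end-of-support dates and the assessment date are assumptions to verify against the vendors' lifecycle pages.

```python
"""CE+ readiness gap check over an asset inventory (added example, constructed data)."""
from datetime import date

# Assumed end-of-support dates; confirm against the vendor lifecycle pages before relying on them.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "MySQL 5.7": date(2023, 10, 21),
}
ASSESSMENT_DATE = date(2026, 1, 1)  # assumed date of the CE+ assessment


def software_gaps(asset, today):
    """Software currency: every product on the asset must still be in vendor support."""
    return [f"{asset['name']}: {p} out of support since {END_OF_SUPPORT[p]}"
            for p in asset.get("software", [])
            if p in END_OF_SUPPORT and END_OF_SUPPORT[p] < today]


def control_gaps(asset):
    """The other common CE+ gaps: unmanaged BYOD, no MFA, default creds, mutable backup."""
    gaps = []
    if asset.get("byod") and not asset.get("mdm_enrolled"):
        gaps.append(f"{asset['name']}: BYOD device not MDM-enrolled")
    if asset.get("internet_facing") and not asset.get("mfa"):
        gaps.append(f"{asset['name']}: internet-facing service without MFA")
    if asset.get("default_admin_credentials"):
        gaps.append(f"{asset['name']}: default admin credentials still set")
    if asset.get("type") == "backup" and not asset.get("immutable"):
        gaps.append(f"{asset['name']}: backup is not immutable")
    return gaps


def gap_analysis(inventory, today):
    """Return one finding string per gap, across the whole inventory."""
    return [g for asset in inventory for g in software_gaps(asset, today) + control_gaps(asset)]


# Constructed sample inventory, not real data.
INVENTORY = [
    {"name": "FILESRV01", "software": ["Windows Server 2012 R2", "MySQL 5.7"]},
    {"name": "CEO-iPhone", "byod": True, "mdm_enrolled": False},
    {"name": "M365 admin portal", "internet_facing": True, "mfa": True},
    {"name": "Edge firewall", "default_admin_credentials": True},
    {"name": "Backup repo", "type": "backup", "immutable": False},
]


def sample_findings():
    return gap_analysis(INVENTORY, ASSESSMENT_DATE)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```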
The Servnet 8-week path to CE+
Weeks 1-2: gap analysis against current state.
Weeks 3-6: remediation — MFA rollout, MDM deployment, vulnerability patching, default-credential change, backup immutability.
Week 7: mock external + internal vulnerability scan.
Week 8: book CE+ assessor — certificate issued typically 2-4 weeks after assessment.
What Servnet does
Servnet runs CE+ readiness as a defined practice. We don't issue the certificate (that's the NCSC-approved assessor body) but we run the gap analysis, deploy missing controls, and support your assessor relationship.
Typical UK engagement: 8-10 weeks end-to-end, fixed-fee, ~£8-25k depending on environment complexity (excluding remediation hardware / software).