TL;DR: The UK Cyber Essentials scheme has undergone its most significant overhaul in years. What was once an annual tick-box exercise has become a year-round compliance obligation - with two new automatic-fail rules, stricter evidence requirements, and personal devices now formally in scope. If your IT costs have increased recently, here is exactly why.
_____________________
If you have received a revised quote from your IT provider and found yourself wondering why Cyber Essentials now costs more than it did a couple of years ago, you are not alone. Across Chester, Cheshire, Wrexham, the Wirral, Warrington, North Wales, and the wider North West, businesses are asking the same question. The answer lies in a fundamental change to how the scheme works - not in costs being padded for the sake of it.
Here is a plain-English breakdown of what has changed and what is actually driving those numbers.
The Scheme Has Changed at Its Core
The UK Cyber Essentials scheme is managed by IASME on behalf of the National Cyber Security Centre (NCSC). The version 3.2 update (introduced April 2025) and the more recent version 3.3 update (April 2026) together fundamentally shift the compliance model - from a point-in-time assessment to an ongoing, technically enforced obligation.
Previously, Cyber Essentials operated as a point-in-time snapshot. Once a year, you completed a self-assessment questionnaire, and you were either compliant on that day or you were not. That model no longer applies.
Three critical changes define the new approach:
- A director or board-level individual must now sign a declaration confirming ongoing responsibility for compliance across the entire 12-month certification period - not just at the point of assessment.
- Two controls - multi-factor authentication (MFA) for cloud services and applying critical security patches within 14 days - are now designated as automatic fails. Get either of these wrong and you fail the entire assessment, regardless of how well everything else is managed.
- Personal devices are now formally in scope. If a staff member's phone can access work email or Microsoft Teams, it must meet the same five technical controls as a company laptop. A written BYOD policy alone is no longer sufficient - technical controls must actually be in place.
This shift from a once-a-year exercise to a continuous, actively-managed obligation is the single biggest driver of increased service costs.
Patching: The 14-Day Auto-Fail Rule
The scheme now requires that high-risk and critical security updates are applied within 14 days of release. This covers operating systems on all in-scope devices, router and firewall firmware, and - crucially - all third-party applications, including browser extensions and associated files.
That last point catches a lot of businesses out. Windows Update handles Microsoft software, but it does not automatically patch tools like Adobe Reader, Google Chrome, Zoom, or the dozens of other applications that staff use every day. At any reasonable business size, manually tracking and applying third-party patches within a 14-day window - and producing documented evidence that you have done so - is simply not achievable without dedicated tooling.
A third-party patch management tool is now a non-negotiable part of any credible Cyber Essentials managed service. It is also what generates the audit evidence needed at annual renewal.
MFA: Automatic Failure If You Get It Wrong
Multi-factor authentication must now be active on all cloud services where it is technically available. That includes Microsoft 365, file storage platforms, email, and any other cloud-based system used to store or process business data. A single cloud service without MFA enabled is enough to fail the entire assessment.
Configuring MFA correctly - across standard user accounts, administrator accounts, and legacy authentication protocols - requires careful setup and ongoing monitoring. It is not a one-off job. User accounts change, new services get added, and legacy protocols have a habit of quietly bypassing modern authentication controls if they are not actively managed.
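The two auto-fail rules above (critical and high-risk patches applied within 14 days of release; MFA on every cloud service account, with legacy protocols that skip the second factor treated as a gap) are simple enough to pre-check yourself before an assessor does. The following is an added example, not code from Pro-Networks or IASME: it evaluates both rules over a small constructed inventory and returns the findings and on-time counts that a quarterly evidence report would be built from. The data model, field names and sample devices and accounts are assumptions made for this example.

```python
"""Pre-check of the two Cyber Essentials auto-fail rules over a constructed inventory.

Added example; the data model and sample records are assumptions, not scheme artefacts.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14                       # scheme requirement: 14 days from release
AUTO_FAIL_SEVERITIES = {"critical", "high"}  # severities the 14-day rule covers


@dataclass(frozen=True)
class PatchRecord:
    device: str               # laptop, server, router/firewall: all in-scope devices
    software: str             # OS, firmware or third-party application
    severity: str             # vendor / CVSS rating: critical, high, medium, low
    released: date            # date the vendor published the fix
    applied: Optional[date]   # None means the patch is not yet installed


@dataclass(frozen=True)
class CloudAccount:
    service: str
    user: str
    is_admin: bool
    mfa_enabled: bool
    legacy_auth_allowed: bool  # basic-auth style protocols that never prompt for MFA


def patch_findings(records, as_of):
    """One finding per critical/high patch that breaches the 14-day window."""
    findings = []
    for r in records:
        if r.severity not in AUTO_FAIL_SEVERITIES:
            continue  # lower severities are outside the auto-fail rule
        deadline = r.released + timedelta(days=PATCH_WINDOW_DAYS)
        if r.applied is None:
            if as_of > deadline:  # still missing after the deadline has passed
                findings.append({"device": r.device, "software": r.software,
                                 "status": "overdue", "days_overdue": (as_of - deadline).days})
        elif r.applied > deadline:  # installed, but after day 14
            findings.append({"device": r.device, "software": r.software,
                             "status": "late", "days_late": (r.applied - deadline).days})
    return findings


def mfa_findings(accounts):
    """One finding per account that leaves a cloud service without effective MFA."""
    findings = []
    for a in accounts:
        if not a.mfa_enabled:
            findings.append({"service": a.service, "user": a.user,
                             "issue": "mfa_disabled", "admin": a.is_admin})
        if a.legacy_auth_allowed:
            # Legacy protocols sign in with username/password only, so MFA is
            # bypassed even where the account shows it as enabled.
            findings.append({"service": a.service, "user": a.user,
                             "issue": "legacy_auth_allowed", "admin": a.is_admin})
    return findings


def assess(records, accounts, as_of):
    """Combine both auto-fail rules into a verdict plus the counts a report needs."""
    patching = patch_findings(records, as_of)
    mfa = mfa_findings(accounts)
    in_scope = [r for r in records if r.severity in AUTO_FAIL_SEVERITIES]
    on_time = sum(1 for r in in_scope if r.applied is not None
                  and r.applied <= r.released + timedelta(days=PATCH_WINDOW_DAYS))
    return {"result": "FAIL" if (patching or mfa) else "PASS",
            "patching": patching, "mfa": mfa,
            "patches_in_scope": len(in_scope), "patches_on_time": on_time}


# Constructed sample inventory (not real devices, software versions or accounts).
SAMPLE_PATCHES = [
    PatchRecord("LAPTOP-01", "Google Chrome", "high", date(2025, 5, 1), date(2025, 5, 10)),    # day 9: on time
    PatchRecord("LAPTOP-02", "Adobe Reader", "critical", date(2025, 5, 1), date(2025, 5, 20)),  # day 19: late
    PatchRecord("FW-01", "Firewall firmware", "critical", date(2025, 5, 20), None),              # unpatched, deadline passed
    PatchRecord("LAPTOP-03", "Windows 11", "critical", date(2025, 6, 1), None),                  # unpatched, still inside window
    PatchRecord("LAPTOP-04", "Microsoft Edge", "high", date(2025, 5, 1), date(2025, 5, 15)),    # day 14 exactly: on time
    PatchRecord("LAPTOP-01", "Zoom", "medium", date(2025, 5, 1), None),                          # not covered by the rule
]
SAMPLE_ACCOUNTS = [
    CloudAccount("Microsoft 365", "alice", True, True, False),
    CloudAccount("Microsoft 365", "svc-scanner", False, False, True),  # no MFA and legacy auth open
    CloudAccount("File storage", "bob", False, True, False),
]
AS_OF = date(2025, 6, 10)

if __name__ == "__main__":
    report = assess(SAMPLE_PATCHES, SAMPLE_ACCOUNTS, AS_OF)
    print(report["result"], f"{report['patches_on_time']}/{report['patches_in_scope']} in-scope patches on time")
    for f in report["patching"] + report["mfa"]:
        print(" ", f)
```

Two design points matter for real use: an unapplied patch whose 14-day deadline has not yet passed is pending rather than a finding, so the check does not generate noise on the day a fix is released, and a patch applied on day 14 itself counts as on time. The on-time ratio is what a quarterly report would carry forward as evidence; the findings list is what needs fixing before renewal.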
Personal Devices Are Now Formally In Scope: BYOD and Staff Mobiles Are No Longer an Afterthought
This is the change that surprises many businesses, particularly smaller ones. If a personal device - a staff member's own phone, for example - can access organisational data in any form (including work email or Microsoft Teams), it is now formally in scope for Cyber Essentials. It must meet the same five technical controls as any company-owned laptop.
A written bring-your-own-device (BYOD) policy alone is no longer enough. Technical controls must actually be in place.
The solution for most businesses is Mobile Application Management (MAM) - a technology that creates a secure, managed container for work applications on a personal device without touching the personal areas of that device. Work apps such as Outlook, Teams, and OneDrive are managed and protected; personal photos, messages, and data are completely separate and remain private.
Setting up MAM across iOS, Android, and Windows devices - including Apple Business Manager for iPhone enrolment - represents a genuine one-off build cost. Ongoing administration is also required as tokens expire and new devices join the business.
Stricter Evidence Requirements
The assessment process itself has become more rigorous. Assessors now verify that all legal entities within the assessment scope are formally identified, that the systems included genuinely reflect the self-assessment answers, and that any portion of a network claiming to be out of scope is demonstrably isolated.
Perhaps most significantly, documented evidence of patch compliance and vulnerability management must now be available for review. Quarterly reporting is no longer an optional extra - it is a practical requirement for passing annual renewal.
A Quick Cost Reference
Here is how each element of a typical managed Cyber Essentials service maps to the specific scheme change driving it:
| Service Element | Why It Is Required |
| --- | --- |
| MAM setup - iOS and Apple Business Manager | Personal devices now in scope; technical controls mandatory |
| MAM setup - Android devices | Personal devices now in scope; technical controls mandatory |
| Intune portal configuration | Compliance policy enforcement and evidence generation |
| Hybrid Azure AD join | Prerequisite for Intune management and MFA enforcement |
| Third-party patch management tool | Auto-fail rule: critical patches within 14 days |
| Vulnerability scanning tool | Evidence requirement for annual renewal assessment |
| Quarterly compliance reporting | Audit trail required for annual renewal |
| Ongoing managed service | Continuous compliance now required, not point-in-time |
What Happens Without This in Place
The consequences of letting Cyber Essentials compliance slip are worth understanding clearly:
- Automatic failure of the annual assessment on either the MFA or patching auto-fail rules
- Loss of certification, which can affect eligibility for public sector contracts and the ability to renew cyber insurance
- The director declaration is a documented, personal acknowledgement of responsibility, so a failure to maintain controls is an on-the-record breach of that commitment
- Increased exposure to the most common categories of cyber attack that Cyber Essentials is specifically designed to defend against
The Bottom Line
Cyber Essentials has not become more expensive because the work has become more profitable for IT providers. It has become more expensive because the scheme itself now demands more - more tooling, more evidence, more continuous management.
The businesses we work with across Chester, Cheshire, Wrexham, North Wales, Warrington, the Wirral, and the wider North West that take this seriously are the ones that hold onto their certification, their contracts, and their insurability.
If you have questions about what Cyber Essentials compliance involves for your specific business, the team at Pro-Networks is happy to walk you through it - please contact us here to request a call back, or call us on 01244 535527.