Cyber Essentials has value as a baseline, but reaches only 0.3% of UK organisations and says little about governance. This article argues that DSIT’s Cyber Governance Code of Practice must raise the bar, from compliance to accountability, from self-attestation to credible assurance, and from one-off certificates to continuous governance. Cyber Essentials is the floor; governance must be the ceiling.
Introduction
For the last decade, Cyber Essentials has been the UK’s baseline cyber scheme. It was meant to give organisations a simple, affordable way to demonstrate they had the basics in place: patching, access control, firewalls, malware protection, and secure configuration.
That baseline was useful in its day. But as DSIT now consults on a Cyber Governance Code of Practice (2024), the question becomes unavoidable: is Cyber Essentials still enough?
The answer is no. Governance has overtaken compliance. The conversation has shifted from IT controls to board accountability — and Cyber Essentials, left on its own, is dangerously inadequate.
Cyber Essentials: Value, but Only as a Start
Cyber Essentials has three big limitations:
- Low penetration: just 40,000 organisations certified in two years, out of roughly 12 million trading entities. That’s 0.3% coverage. A national scheme that reaches so few cannot credibly claim to raise the baseline.
- Narrow scope: it focuses on configurations and controls. Useful for IT managers, invisible to boards. It says nothing about risk appetite, culture, strategy, or supply chains.
- Weak assurance: self-attestation (except Cyber Essentials Plus) is easily gamed. It creates certificates that look reassuring but deliver little resilience.
Cyber Essentials was never designed to be a governance framework. Treating it as such is a category error.
Why Governance Matters Now
Cyber is no longer just about firewalls and patching. It is:
- Financially material: breaches cost millions, destroy shareholder value, and bankrupt SMEs.
- Strategically material: resilience determines whether organisations can compete, win contracts, and retain trust.
- Systemically material: one weak link in a supply chain can compromise entire sectors.
That is why cyber now belongs in the same governance bracket as financial reporting, health and safety, and ESG. Boards cannot outsource it. Directors must govern it.
The proposed Cyber Governance Code is the next rung of the ladder: embedding cyber into risk, strategy, people, incident planning, and assurance. This is not IT hygiene; it is corporate survival.
Raising the Bar Beyond Cyber Essentials
To move from compliance to governance, three shifts are needed:
- From compliance to accountability: technical controls are necessary, but they are not governance. Directors must be accountable for resilience, not just for whether the IT department ticks the boxes.
- From self-attestation to credible assurance: governance needs external validation, like audited accounts. Without credible assurance, boards, regulators, and markets cannot trust the claims.
- From one-off certification to continuous governance: Cyber Essentials is annual. Governance is quarterly reporting, ongoing risk assessment, and continuous cultural leadership.
The Role of Cyber Essentials Going Forward
Cyber Essentials still has a role — but only as the floor, not the ceiling:
- A simple entry point for SMEs.
- A baseline requirement in supply chains.
- A feeder into governance obligations for larger organisations.
But if boards hide behind Cyber Essentials as if it were sufficient governance, the UK will remain dangerously exposed.
Conclusion
Cyber Essentials was right for its time. But in 2024, the challenges are bigger, faster, and more systemic. DSIT’s Cyber Governance Code must raise the bar: from IT hygiene to board accountability, from checklists to strategy, from annual certificates to continuous governance.
Cyber Essentials is the starting point. Governance is the destination. Boards must now climb the ladder.