It usually arrives as an email. A new client wants to send you a brief, or a long-standing one is updating their supplier list, and somewhere in the message is a sentence that wasn't there last year: "Please confirm your Cyber Essentials status."
For a lot of creative businesses, that's the first time the question becomes real. You know roughly what it is. You probably know it's a good idea. But until the work depends on it, it sits on the "we should look into that" list with a dozen other things.
This is a guide for the moment that question turns up: what Cyber Essentials actually asks for, what changed in April 2026, and how to find out where you sit without committing to anything.
What Cyber Essentials Actually Is
Cyber Essentials is the UK government's baseline cyber security standard, run by the National Cyber Security Centre's delivery partner IASME. It's deliberately practical: not a sprawling framework, just five technical controls that block the most common attacks hitting UK businesses.
There are two levels. Standard Cyber Essentials is a verified self-assessment: you complete a questionnaire, an accredited assessor reviews your answers, and IASME issues the certificate. Cyber Essentials Plus is the same five controls, but with hands-on technical testing by an independent assessor. Plus is the higher bar and is increasingly required for government work, broadcaster supply chains, and content security frameworks like TPN+.
Certification lasts twelve months. Standard Cyber Essentials starts at £320+VAT for smaller organisations. Both versions are scoped against your whole organisation by default, and any UK business under £20m turnover that certifies whole-organisation also gets free £25,000 cyber-liability insurance through IASME, useful even if no client ever asks you for the certificate.
The Five Controls, in Plain English
Every Cyber Essentials assessment is graded against the same five technical control families. The control names haven't changed for years. What's changed is how strictly each one is enforced.
Firewalls and Routers
Every device needs a properly configured firewall sitting between it and the internet. For laptops working from home or coffee shops, that means the firewall on the device itself must be on and configured, not relying on the office network to do the job.
Secure Configuration
Devices, servers, and cloud services must be set up to a known-good baseline. Default passwords changed, unnecessary accounts and software removed, auto-run features locked down. Out-of-the-box defaults are not enough.
User Access Control
Standard users shouldn't have admin rights. Every cloud service that offers MFA must have it switched on. Leavers must lose access promptly. This is the control that catches most studios out, and the one that's now strictest in the 2026 update.
Malware Protection
Every Mac and PC needs active endpoint protection. Anti-malware, threat detection, and a way for IT to see what's actually happening across the fleet. Built-in operating system protection counts, but it has to be configured and verifiable, not just present.
Security Update Management
Critical and high-severity patches must be applied within 14 days of release, across operating systems, browsers, and any third-party application that processes business data. Devices running unsupported software (old macOS, end-of-life apps) are an automatic problem.
Plus: Cloud Services and BYOD
Every cloud service that holds business data is in scope. Microsoft 365, Google Workspace, Adobe, Frame.io, Dropbox, project tools. Personal devices that access company email or files are also in scope, unless you can technically prove they can't hold company data.
What Changed in April 2026
The five controls themselves haven't changed. What's changed is the v3.3 question set (called Danzell), which applies to every Cyber Essentials application registered after 27 April 2026. The headline change is enforcement: several controls that used to be soft warnings are now automatic failures.
v3.3: three changes that catch creative businesses out
MFA is now an automatic-fail control. If a cloud service offers MFA (free, included, or paid) and you haven't enabled it on every account, the assessment fails. Not "fails with a warning." Fails. This applies to admin and standard user accounts alike.
Cloud services are firmly in scope. Every cloud platform that processes business data counts: M365, Google Workspace, your CRM, Adobe Creative Cloud, Frame.io, project management tools, AI platforms. If client work touches it, it's in scope.
Passwordless authentication is now explicitly accepted. Passkeys, Touch ID, and hardware tokens are now formally recognised as a stronger alternative to passwords. Worth knowing if you're already running JumpCloud Go or similar biometric sign-on.
If your assessment account was created before 27 April, you have a six-month grace window to certify under the previous version. After that, everyone is on v3.3. The practical advice: don't try to scrape through on the old standard if you'd struggle to meet the new one a few months later.
Where Creative Businesses Usually Trip Up
Cyber Essentials isn't designed to fail anyone. It's designed to make sure the basics are actually in place. There's a fairly consistent set of gaps we see when we run gap analyses for creative studios, and they're rarely the things people worry about.
MFA is on for admins, not everyone. Most studios switched on MFA for the IT manager and the directors. Designers, freelancers, and project managers often slipped through. Under v3.3, that's a fail.
Leavers still have access weeks later. When someone leaves, their device is reclaimed but their cloud accounts linger. Adobe, Frame.io, Slack, the project tool the freelancer set up two years ago. This is the single hardest control to evidence without proper identity management.
Personal Macs are doing client work. A founder's personal MacBook, a freelancer's machine, a partner's iPad, all touching company email and project files. Each one is in scope under BYOD rules and needs the same controls as a managed device, or it has to be removed from the assessment scope entirely.
Patching is "mostly done." Operating systems are usually fine because they update themselves. The gap is third-party apps. Adobe versions on different release tracks, browsers two majors behind, plug-ins last touched in 2023. The 14-day window is unforgiving.
Old software is still in production. A render tool that only runs on macOS Monterey. A legacy plug-in from a discontinued vendor. An old Windows machine driving a plotter. Anything unsupported is in scope and counts against you unless it's properly segmented off the network.
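As an added illustration (not code from this article or from Rubicon IT), here is a small Python self-check that maps an inventory onto the gaps above: MFA missing on any account where the service offers it, leavers with lingering cloud accounts, critical or high patches outside the 14-day window, and devices on unsupported software. The inventory, its field names, the service names and the dates are constructed assumptions; a real run would export them from your identity provider, MDM and patch tooling.

```python
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # critical/high fixes must be applied within 14 days of release

# Constructed sample inventory (not real data), standing in for an export from
# your identity provider, MDM and patch tooling.
ACCOUNTS = [
    {"user": "it.manager", "service": "Microsoft 365", "mfa_offered": True, "mfa_on": True, "employed": True},
    {"user": "designer.a", "service": "Adobe Creative Cloud", "mfa_offered": True, "mfa_on": False, "employed": True},
    {"user": "freelancer.b", "service": "Frame.io", "mfa_offered": True, "mfa_on": True, "employed": False},
]
DEVICES = [
    {"name": "edit-mac-01", "os_supported": True, "patches": [
        {"id": "browser-2026-05", "severity": "high", "released": date(2026, 5, 1), "installed": None},
        {"id": "os-2026-05", "severity": "critical", "released": date(2026, 5, 10), "installed": date(2026, 5, 12)},
    ]},
    {"name": "render-mac-02", "os_supported": False, "patches": []},  # stuck on an unsupported macOS
]

def mfa_gaps(accounts):
    """v3.3: an account on a service that offers MFA but has it switched off is an automatic fail."""
    return [f'{a["user"]}@{a["service"]}' for a in accounts if a["mfa_offered"] and not a["mfa_on"]]

def leaver_gaps(accounts):
    """Cloud accounts still open for people who no longer work here."""
    return [f'{a["user"]}@{a["service"]}' for a in accounts if not a["employed"]]

def patch_gaps(devices, today):
    """Critical/high patches still missing, or applied after the 14-day deadline."""
    late = []
    for d in devices:
        for p in d["patches"]:
            if p["severity"] not in ("critical", "high"):
                continue
            deadline = p["released"] + timedelta(days=PATCH_WINDOW_DAYS)
            applied = p["installed"]
            if (applied is None and today > deadline) or (applied is not None and applied > deadline):
                late.append((d["name"], p["id"]))
    return late

def unsupported_gaps(devices):
    return [d["name"] for d in devices if not d["os_supported"]]

def gap_report(accounts, devices, today):
    """Group the findings by the control area the assessment will grade them under."""
    return {"mfa": mfa_gaps(accounts), "leavers": leaver_gaps(accounts),
            "late_patches": patch_gaps(devices, today), "unsupported": unsupported_gaps(devices)}

if __name__ == "__main__":
    for control, gaps in gap_report(ACCOUNTS, DEVICES, date(2026, 5, 20)).items():
        print(("FAIL " if gaps else "ok   ") + f"{control}: {gaps}")
```

An empty list for every key is the target; anything else is a gap to close before you submit the questionnaire.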
How to Know Where You Actually Sit
Most creative studios are closer to certification than they think. The systems are mostly there. It's the visibility, across every device, every cloud account, every supplier, that's missing. You don't know what you don't know.
Rather than guess, the most useful first step is usually a structured assessment: a set of questions in plain English that maps your current setup against the Cyber Essentials controls, gives you a score, and tells you exactly which gaps to close.
Free Assessment: how secure is your business, really?
Our free 15-minute security assessment scores your current posture against Cyber Essentials and gives you a personalised report. What's in place, what's missing, and what to do about each gap. Plain English, no IT knowledge required, results delivered immediately.
Working in production, post-production, or AV? You can also tick the box to flag where your answers map to TPN+ Technical and Organisational Security controls used in the MPA Content Security Best Practices.
Takes 10 to 15 minutes. No obligation. Personalised report.
Two Ways to Get Certified
Once you know where the gaps are, there are broadly two routes. The right one depends on whether you have someone in-house who can own the remediation work, or whether you'd rather it just got done.
DIY with expert support
We do the gap analysis. You do the work. We run a structured Cyber Essentials gap analysis against your current environment, give you a clear remediation plan, and stay available to answer questions as you work through it. You handle the implementation. We sense-check the answers before you submit.
Fully managed certification
We close the gaps. You get certified. Cyber Essentials is built into our Business-PRO plan: gap analysis, remediation, annual certification assistance, and the ongoing controls (MFA, patching, endpoint protection, identity management) that keep you compliant year-round. Most managed clients certify first time.
Already on Business-PRO? Your plan already covers the technical controls. If you haven't certified yet, or you let it lapse, talk to your account manager. Annual Cyber Essentials assistance is included.
Cyber Essentials isn't the destination. It's the floor. But for creative businesses winning enterprise clients, applying for public-sector work, or sitting on the supplier lists of broadcasters and major studios, that floor is increasingly where the conversation starts. Knowing exactly where you sit against it, before a client asks, is the difference between answering an email confidently and scrambling for two weeks.
Find out where you stand in 15 minutes
Take our free security assessment and get a personalised report mapped against Cyber Essentials. No commitment, no jargon, no sales pitch. Just a clear picture of where you are.
Or call us on 0800 007 3040, or email hello@rubicon-it.co.uk.