April 2026

The NCSC Just Told You to Require Cyber Essentials From Your Suppliers

The National Cyber Security Centre has published a supply chain playbook with a message that should change how you think about vendor management: organisations with Cyber Essentials controls are 92% less likely to make cyber insurance claims.

That number alone justifies the effort, even allowing that it is a correlation rather than a controlled experiment: organisations that get round to certifying tend to be better run in other ways too. But the playbook goes further. It doesn't just recommend Cyber Essentials for your own organisation. It tells you to require it from your suppliers.

The Problem They're Trying to Solve

43% of UK businesses identified a cyber attack or breach in the past year. Only 14% say they effectively manage the cyber risks posed by their immediate suppliers. Put those two numbers together and the gap is obvious.

Most organisations have some internal security controls. Far fewer extend those expectations to the companies they depend on. Your suppliers hold your data, have accounts and network connections into your systems, and talk to your customers on your behalf. A compromised supplier is therefore an attack path into you, whether through stolen credentials, a malicious update, or a phishing email that arrives from a trusted address. The playbook is the NCSC's attempt to close that gap using a mechanism that already exists: Cyber Essentials certification.

Promote vs. Require

The playbook draws a sharp distinction between promoting Cyber Essentials and requiring it. Their words: "if you want to see significant improvements, you need to require it. If you promote it among a small scope of suppliers, your impact will be limited."

One financial services firm mandated Cyber Essentials across 2,800 partner organisations and saw an 80% reduction in security incidents. That's not a theoretical exercise. That's measured impact at scale.

The difference between "we encourage our suppliers to get certified" and "certification is a condition of our contract" is the difference between aspiration and assurance.

The Seven Steps

The playbook lays out a practical framework:

  1. Assess your risks using the NCSC Supply Chain Principles
  2. Profile your suppliers by size, type, and access level
  3. Set requirements making CE mandatory for relevant supplier profiles
  4. Communicate expectations clearly and early
  5. Incentivise adoption through funded vouchers, cyber advisor support, or insurance benefits
  6. Embed into procurement by requiring certification in RfP and RfQ processes
  7. Monitor adoption using tools like IASME's Supplier Check (handles up to 5,000 suppliers)

None of these steps require deep technical expertise. They require a decision at the leadership level and follow-through in procurement.

What This Means for SMEs

If you're an SME, this matters on both sides of the relationship.

As a buyer: you should be asking your suppliers whether they hold Cyber Essentials. Not as a nice-to-have. As a procurement requirement. The playbook gives you the framework to do this systematically rather than ad hoc.

As a supplier: your customers are about to start asking. Central government already requires CE for contracts that involve handling personal data or providing certain ICT services, and large enterprises increasingly follow suit. The playbook is designed to push this expectation deeper into the supply chain. If you don't have Cyber Essentials, you're about to start losing bids.

The certification currently costs from £320 +VAT (the micro-organisation tier; larger organisations pay more) and covers five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management (patching). These are baseline hygiene, not advanced security. If you're not meeting them, you have larger problems than certification. One caveat worth knowing when you rely on a supplier's certificate: basic Cyber Essentials is a self-assessed questionnaire reviewed by an assessor, while Cyber Essentials Plus adds an independent technical audit of the same controls. If a supplier has privileged access to your environment, it is reasonable to ask for the Plus level.

The Insurance Angle

Eligible UK-domiciled organisations with turnover under £20m that achieve Cyber Essentials receive £25,000 of cyber liability insurance at no extra cost, plus a 24/7 incident response helpline. Combined with the 92% reduction in insurance claims, the business case writes itself.

For SMEs without dedicated security teams, this is often the most compelling argument. Not the technical controls. Not the compliance checkbox. The insurance.

Beyond the Certificate

Cyber Essentials is a starting point, not a destination. The five controls it covers don't address supply chain risk assessment, vulnerability management beyond patching, incident response planning, or security monitoring, and a certificate tells you what a supplier's controls looked like on the day of assessment, not today. But they draw a clear line in the sand to build from, the data strongly suggests they work, and the NCSC is now explicitly telling organisations to push that baseline outward through their supply chains.

The question isn't whether you should get Cyber Essentials. It's whether you should have got it already.

ThreatControl helps organisations achieve Cyber Essentials and build supply chain visibility beyond the certificate. Our Fractional CTO service guides you through certification and supplier risk management, and our Security Suite provides the technical assessment that sits alongside it. Get in touch.