Certification

Cyber Essentials for supply chain contracts: how to certify at speed and stay compliant

The Cyber Resilience Pledge means major buyers now require Cyber Essentials from their suppliers. How to certify fast, meet the 14-day patching rule and stay compliant all year, without a large security team or budget.

By the Threat Protect editorial team5 min readUpdated 9 July 2026

In July 2026, more than 60 of Britain's biggest businesses signed the government's Cyber Resilience Pledge. If you supply any of them, one line in that pledge changes things for you: they have committed to require Cyber Essentials across their supply chains.

In plain terms, Cyber Essentials is moving from a nice-to-have to a condition of doing business. This guide explains why your customers are asking for it, whether you need Cyber Essentials or Cyber Essentials Plus, what the 14-day patching rule means, and how to certify quickly and stay compliant all year without a large security team or budget.

Why your customers are suddenly asking for Cyber Essentials

The Cyber Resilience Pledge is a voluntary government commitment aimed at large organisations. Its third action asks signatories to take a risk-based approach to requiring Cyber Essentials from their suppliers. When a major buyer signs, that requirement does not stop at their own perimeter. It flows down through every tier of their supplier base.

This is reinforced by the forthcoming Cyber Security and Resilience Bill, which pushes security obligations further down supply chains. So even if your business is too small to be regulated directly, the requirement can still reach you through your customers' contracts, tenders and renewals.

Not sure whether your contracts will require it? The Cyber Essentials checker is a quick way to see where you stand, or book a call and we will tell you which level your contracts need.

Cyber Essentials or Cyber Essentials Plus: which will you be asked for?

There are two levels, and which one you are asked for depends on how a buyer rates your risk.

Cyber Essentials is a verified self-assessment against five core technical controls. This is the baseline most buyers ask for.

Cyber Essentials Plus covers the same controls, plus an independent technical audit by a licensed assessor. This is usually required when a supplier can access a customer's sensitive data, systems or critical services.

Larger buyers take a risk-based approach: Cyber Essentials across their general supplier base, and Cyber Essentials Plus for higher-risk suppliers. So it pays to know which level a contract needs before you start.

When a major UK wealth manager required Cyber Essentials Plus across its 2,800-firm partner network, it reported around an 80% fall in cyber security incidents, a figure cited by the government in the Cyber Resilience Pledge Information Pack.

If a buyer asks for Plus, preparing for Cyber Essentials Plus sets out exactly what the hands-on audit checks and where firms most often fail.

The 14-day patching rule, and why it catches SMEs out

Cyber Essentials expects high-risk and critical security updates to be applied within 14 days of release. It sounds simple, but for a busy team spread across laptops, mobiles and home working, keeping every device patched inside that window is one of the most common reasons businesses fail.

Meeting it has traditionally meant either constant manual effort or an expensive vulnerability management programme. Neither is realistic for most small and medium-sized businesses.

How to get Cyber Essentials at speed

You do not need to slow your sales pipeline while you certify. A fast, fully supported route to Cyber Essentials, with expert guidance at every step and unlimited submissions until you pass, gets you to a valid certificate quickly. Where a buyer simply needs the badge, a certificate-only route means you are not asked to buy more than the contract requires.

The certification is delivered through certified assessment partners, with Threat Protect as your single point of accountability: we scope it, guide you through each control and manage the submission. Everything is tracked in a single online portal, so your certification status, device health, patch status and the evidence buyers and auditors ask for all sit in one place, backed by unlimited support.

Staying compliant all year, without a full vulnerability management programme

A certificate on its own is not enough anymore. Buyers increasingly want evidence that your controls hold all year, not just on audit day. This is where a lightweight, always-on agent earns its place.

  • It runs quietly on your devices and continuously surfaces vulnerabilities and out-of-date software.
  • It automatically updates common third-party applications and guides staff to fix issues in a couple of clicks.
  • The result: you can see and close patching gaps inside the 14-day window, in view rather than by guesswork.

The key point for a smaller business: you get the vulnerability visibility and patching action Cyber Essentials requires, without the cost and complexity of standing up a full vulnerability management programme. It is right-sized for SMEs and supply-chain compliance.

Who should act now

  • Suppliers who need Cyber Essentials to win or keep contracts.
  • SMEs without a dedicated security team or the budget for enterprise tools.
  • Any business that wants to certify once and stay compliant, rather than scramble each year.

If Cyber Essentials is becoming a condition of your contracts, the fastest way forward is to check where you stand and close the gaps. See the Cyber Essentials service, try the Cyber Essentials checker, or book a call and we will tell you which certification your contracts need and how quickly we can get you there.

Further reading

Found this useful?

Share it on LinkedIn so the right people in your network see it.

Share on LinkedIn

Frequently asked

Questions readers ask before getting in touch.

  • A voluntary UK government commitment, launched on 7 July 2026, in which more than 60 major organisations agreed to strengthen their cyber defences. One of its three actions is to require Cyber Essentials across their supply chains.

Talk to us

Want to talk through how this applies to your company?

A 30-minute call with a senior advisor. No pitch. We will read your situation against what is in this piece and tell you the smallest sensible next step.