Why UK SMEs are being asked about Cyber Essentials

By Aisha · 12 May 2026 · 8 min read

If you run a UK small business, you’ve probably noticed the question changed in the last year or two. Where customers used to ask about ISO 27001 only if you were doing big enterprise work, more procurement teams now ask about something called Cyber Essentials. Sometimes it’s a checkbox in a tender. Sometimes it’s a clause that appeared in your renewal contract without you noticing. Sometimes it’s the larger client who emailed and asked if you can send your certificate by the end of next week.

This post is the data behind that shift. What the latest UK government numbers show, why SMEs are being asked about Cyber Essentials specifically, and what’s likely to happen next. If you’re trying to work out whether this is a real thing or another consultancy upsell, the numbers will help.

What the new data says

The Department for Science, Innovation and Technology (DSIT) published its Cyber Security Breaches Survey 2025/2026 on 30 April 2026. It’s the eleventh annual edition and the most authoritative read on UK cyber resilience.

The headline figure: 43% of UK businesses experienced a cyber breach or attack in the last 12 months. That extrapolates to approximately 612,000 businesses, plus around 57,000 charities.

But the headline figure obscures the size pattern. Breach rates climb sharply with business size: 42% of micro businesses (1 to 9 employees), 46% of small (10 to 49), 65% of medium (50 to 249), and 69% of large (250+).

[Chart: Cyber breach rate by UK business size, 2025/2026]

That doesn’t mean larger businesses are simply “worse” at cyber security. Larger organisations have more staff, more accounts, more suppliers, more systems, and more communication channels. They also have better detection. Smaller organisations may have fewer moving parts, but they may also be less likely to spot or formally record what is happening. The implication is uncomfortable: the 42% figure for micro businesses is probably an undercount of actual incidents.

Phishing dominates the attack mix. 38% of all UK businesses experienced phishing in the last 12 months, making it the most prevalent attack type by a wide margin. Impersonation attacks affected 12%, and ransomware affected around 1%.

[Chart: What UK businesses are being hit by, 2025/2026]

The phishing figure is the one most worth internalising. It means more than one in three UK businesses had at least one phishing incident reach a person in the last year. Cyber Essentials doesn’t directly stop every phishing email, but its controls (user access control, multi-factor authentication on cloud services, secure configuration) make a phishing-driven breach significantly harder to escalate into something more damaging. Awareness about phishing is, genuinely, the first line of defence for every UK SME.

On cost, the data tells a bimodal story. The median cost of the most disruptive breach was £0, because most attacks (typically phishing attempts) are stopped at the email gateway with no measurable cost. But the picture shifts at the top end: the costliest 5% of incidents reached £4,000 for SMEs and £10,000 for medium and large businesses. Sixteen percent of breached businesses reported some form of negative business outcome, including loss of files, downtime, reputational damage, or financial loss.

For context, 81% of UK businesses are micro businesses (under 10 employees) and 16% are small. The DSIT data is averaged across all sizes, so the median small business is likely to escape with a smaller bill, but a small bill with no preparation is still worse than no bill with preparation.

Why this is showing up in your tender packs

Cyber Essentials has been a UK government procurement requirement since 1 October 2014, when Procurement Policy Note 09/14 made it mandatory for central government contracts handling personal information or providing technical services. PPN 09/14 was replaced by PPN 09/23 in October 2023, then by PPN 014 on 24 February 2025, which brought it into alignment with the Procurement Act 2023.

What this means practically: any central government department, executive agency, non-departmental public body, or NHS body procuring a contract that touches sensitive data, ICT services, or personal information must require suppliers to hold Cyber Essentials (or Cyber Essentials Plus, for higher-risk contracts) before award. Not after award. Before. PPN 014 specifically requires evidence of certification at the contract award stage.

This requirement has been quietly cascading down supply chains for the past decade. IASME report that over 200,000 Cyber Essentials certifications have been issued since the scheme launched in 2014, and approximately 20,000 organisations hold a valid certificate at any given time (CE expires after 12 months and must be renewed). Adoption is growing visibly. The DSIT 2025/2026 survey reported 5% of UK businesses now hold Cyber Essentials certification, up from 3% the year before, with the increase driven primarily by small and large businesses. Out of more than 5 million UK businesses overall, 5% is still a small fraction, but the year-on-year direction is unambiguous.

The pressure now reaches SMEs that don’t sell to government directly. Larger commercial customers, especially in regulated sectors like financial services and healthcare, are increasingly running their own supplier risk assessments and asking smaller suppliers to demonstrate baseline cyber hygiene. Recent DSIT data showed 48% of small UK businesses now carry out cyber-related supplier risk assessments of their own suppliers, up 7 percentage points in a single year. That cascades. The small business asking its suppliers about cyber controls will, in turn, be asked the same questions by its larger customers.

The third pressure point is insurance. Many UK cyber insurance underwriters now offer reduced premiums for Cyber Essentials certified businesses, and a growing number require it as a precondition for cover. Claim frequency is rising and insurers are using CE as an underwriting filter.

Why this is hitting SMEs specifically

For most of the past decade, Cyber Essentials was something larger organisations dealt with. Their security teams managed it, their procurement teams asked about it. SMEs sat upstream of all that, supplying products or services that didn’t trigger the requirement.

Three things have changed.

First, the supply chain question has matured. Risk teams in larger organisations have realised that their supply chain is their attack surface. NCSC publications on supply chain risk and the broader European direction toward supply-chain cyber regulation have pushed risk teams to look further down their supplier list. SMEs that were three steps away from any direct cyber requirement are now one step away.

Second, the SME population is now visible to procurement teams in a way it was not. Tools like the IASME Supplier Check have made it cheap for large organisations to bulk-verify CE status across hundreds of suppliers at once. Where a procurement team might once have only checked their top 10 contracted suppliers, they can now check the whole list with one query.

Third, the government has been steadily clarifying its expectations. PPN 014 in February 2025, the v3.2 IASME Question Set update in April 2025, and the v3.3 changes coming in April 2026 all signal that this is not going away. Cyber Essentials is becoming a permanent feature of UK B2B contracting, not a temporary government initiative.

What to do if you’re being asked

If a customer or insurer has asked you about Cyber Essentials, the practical sequence is short.

Find out what level they need. Standard Cyber Essentials is the self-assessment level and is what most contracts require. Cyber Essentials Plus adds a hands-on technical audit and is required for higher-risk contracts (typically central government, NHS supplier work, defence supply chain).

Check the deadline. Tenders typically allow a window for certification, and most SMEs can complete the readiness work in two to four weeks. Insurance renewals are usually less negotiable.

Decide whether to do it yourself or work with someone. Cyber Essentials is not difficult, but it is specific. The IASME Question Set has roughly 60 questions, each of which expects a particular form of answer. SMEs that have time and a technical lead in-house often manage it themselves using IASME’s free Readiness Tool. SMEs that need to focus on running the business usually find external readiness support is faster.

I cover what the assessment actually involves, control by control, in a separate post (linked below). For now, the answer to “why is everyone asking about Cyber Essentials” is that the data and the regulatory direction make it inevitable. UK SMEs are being pulled into the scheme not because anyone is choosing to push them, but because the supply chain has decided that’s where the line is.

If you’re being asked about it, you’re not the first. And you’re not the last.

Sources

Claim | Source
43% breach rate; 42/46/65/69% by size; phishing 38%, impersonation 12%, ransomware 1%; median £0, 95th percentile £4,000 (SME) and £10,000 (medium/large); 16% negative outcome; 5% CE adoption (up from 3%) | DSIT Cyber Security Breaches Survey 2025/2026, published 30 April 2026
81% micro and 16% small UK business population | DBT Business Population Estimates 2025 (referenced in CSBS 2025/2026 technical annex)
48% of small businesses doing supplier risk assessments, up 7 percentage points | DSIT Cyber Security Breaches Survey 2025
200,000+ Cyber Essentials certifications issued since 2014 | IASME Cyber Essentials Digital Brochure
PPN 014 active from 24 February 2025 | gov.uk Procurement Policy Note 014

Read next: What Cyber Essentials actually involves for a UK SME — the five technical controls, the certification process, and what to expect in time and cost.