Introduction
Three weeks before your Cyber Essentials assessment, your IT Director gets a call from your assessor.
Microsoft 365 MFA works correctly. Your Macs are enrolled, patched and ready. Firewall policies are in place. You have done the work. You are confident.
Then the assessor asks about your project management tool. And your CRM. And the accounting platform your finance team has been using since 2023. Has your team enabled MFA controls on all of them?
You do not know. Nobody checked. Two of them offer MFA as a paid add-on and nobody ever switched it on. Under the rules that came into force on 27 April 2026, that is an automatic failure.
This is the new Cyber Essentials landscape. The five core controls have not changed. What has changed is how strictly assessors enforce them, how broadly the scheme defines scope, and where the new automatic failure points sit. Businesses that approach their 2026 renewal as a straightforward repeat of previous years will get a surprise.
This guide covers everything a UK business needs to know about Cyber Essentials in 2026. Whether you run a pure Apple fleet, a mixed Apple and Windows environment, or manage personal devices alongside company hardware, the same framework applies. We focus particularly on Apple fleets because that is where most generic Cyber Essentials advice falls short, but the principles here apply across your entire device estate.
What Is Cyber Essentials Certification?
Cyber Essentials is the UK government-backed certification scheme, run by the NCSC and IASME, that verifies a business has implemented five technical controls defending against the most common cyber attacks. The scheme is not theoretical: it targets the attack methods that cause the majority of real-world incidents affecting UK businesses.
According to the NCSC’s 2025 Annual Review, 84% of UK cyber incidents affecting small and medium businesses involved at least one of three things: missing MFA, weak passwords or misconfigured cloud services. Cyber Essentials directly targets all three.
There are two levels of certification. Standard Cyber Essentials is a verified self-assessment. You complete a questionnaire confirming your controls are in place, an accredited assessor reviews it and IASME issues the certificate if you pass. Cyber Essentials Plus goes further. An independent assessor performs technical testing of your systems to verify the controls actually work as claimed, not just that you have documented them.
Both certifications last 12 months. You renew them annually.
Why Cyber Essentials Matters More Than Ever in 2026
Cyber Essentials certification has moved from a nice-to-have to a genuine business requirement for a growing number of UK organisations.
Government contracts and public sector frameworks require it as a minimum. An increasing number of enterprise supply chains now require suppliers to hold valid Cyber Essentials certification before procurement processes can progress. Cyber insurers are tightening underwriting requirements and many now require certification as a condition of cover or offer significantly better premiums to certified businesses. In fintech, legal, healthtech and other regulated sectors, clients and investors are asking for evidence of certification as part of due diligence.
UK organisations also experienced a 36% year-on-year increase in cyber attacks per week in 2025, compared to a global average of 9.8%. That context is not incidental. It is the reason the NCSC updated the standard.
The Five Core Controls: What They Require
The five controls have not changed in the April 2026 update. What has changed is the strictness of enforcement and the breadth of scope. Here is what each control requires, with specific guidance for Apple fleets and mixed environments.
Firewalls
Every device must have a properly configured firewall. On Apple, this means enforcing the macOS firewall through MDM configuration profiles rather than relying on users to enable it themselves. Devices connecting from home networks or public WiFi are in scope. The firewall must be active and configured correctly on every in-scope device, including remote and hybrid workers’ Macs.
On Windows, this means Windows Defender Firewall enforced via Group Policy or Intune. For mixed environments, you need to evidence both sets of controls — one policy covering Macs, a separate policy covering Windows devices. A single MDM platform like Microsoft Intune can manage both, though Apple-specific controls are less granular than on dedicated Apple MDM platforms.
Under v3.3, the scheme removes the terms “untrusted” and “user-initiated” as qualifiers for internet connections. Any device connected to the internet now falls in scope, regardless of how that connection starts. There is no longer a way to argue that a home-working Mac or Windows laptop falls outside the boundary.
Secure Configuration
Devices must be securely configured from day one. For Apple fleets this means enforcing FileVault encryption, screen lock timers, Gatekeeper settings to prevent installation of unverified software, and removal of unnecessary applications and services. These controls apply via MDM configuration profiles, not through guidance documents asking users to configure their own devices.
The NCSC’s macOS guidance is explicit: MDM is the mechanism for enforcing secure configuration at scale. A written policy is not a technical control. An MDM profile is.
On Windows, Intune or Group Policy with CIS or Microsoft Security Baseline templates handles secure configuration. For mixed environments the principle holds across both platforms: enforce configuration technically on every in-scope device rather than trusting users to do it themselves.
User Access Control
Only authorised users should access your systems and data. Under v3.3, this control explicitly references passwordless authentication methods, including passkeys and FIDO2 security keys, as preferred alternatives to traditional passwords. For Apple fleets, this means Managed Apple Accounts configured correctly, admin rights restricted to those who genuinely need them, and identity provider integration (Okta, Microsoft Entra ID or Google Workspace) enforced via MDM.
Local administrator accounts on Macs are one of the most common reasons Apple-fleet businesses fail this control. Users running as local admins with no central oversight are not compliant. MDM-enforced standard user accounts with controlled escalation are.
In mixed environments, identity provider integration becomes even more important. Okta or Microsoft Entra ID as a single identity layer across both Apple and Windows devices ensures MFA and access controls are applied consistently regardless of which device an employee uses. Fragmented identity management (one policy for Windows, a different approach for Macs) is a common failure point in mixed-fleet assessments.
Malware Protection
Apple devices need active malware protection configured and verified, not just installed. macOS includes XProtect as a built-in malware detection layer, but Cyber Essentials requires active protection that is demonstrably up to date and configured to scan files automatically. Most MDM platforms provide native visibility into XProtect events. For businesses pursuing Cyber Essentials Plus or operating in regulated sectors, a third-party endpoint detection and response solution such as CrowdStrike or SentinelOne provides deeper protection and better evidence for your assessor.
Windows 10 and 11 ship with Microsoft Defender, which meets the basic malware protection requirement when your team configures it correctly. For higher risk profiles or Cyber Essentials Plus, a more comprehensive EDR solution provides stronger assurance. For mixed environments, a unified EDR platform covering both Mac and Windows from a single console gives assessors the clearest evidence of consistent protection across the estate.
Patch Management
Keep all devices and software up to date at all times. Under v3.3, the 14-day patching requirement for high-risk and critical security updates has become an automatic failure point if not met. This is not new in principle: 14 days has been the standard for several versions. What is new is that failure to evidence patching within 14 days now results in immediate failure rather than a warning with an opportunity to remediate.
For Apple fleets, this means OS updates and third-party application patches are enforced via MDM policies with documented enforcement timelines. Relying on users to update their own Macs cannot be evidenced. MDM-enforced update policies with compliance reporting can.
On Windows, Intune handles OS patching well through Windows Update for Business but has no native third-party app patching — a gap that requires additional tooling such as PatchMyPC. On Mac, dedicated Apple MDM platforms like Jamf and Iru handle both OS and third-party app patching natively, making the 14-day patching requirement significantly easier to evidence on Apple than on Windows-heavy Intune deployments.
What Changed in April 2026: The v3.3 Danzell Update
From 27 April 2026, all Cyber Essentials assessments use the new v3.3 requirements, known as the Danzell question set. Any assessment account your team creates on or after that date runs against these updated standards. Accounts created before the deadline continue under the previous version for up to six months.
The five core controls remain unchanged. What v3.3 changes is how strictly assessors enforce the controls, where the new automatic failure points sit and how broadly the scheme defines scope. These are the changes that matter most for UK businesses.
MFA Is Now an Automatic Failure Point
Under previous versions, if a cloud service offered MFA and you had not enabled it, you received a major non-compliance warning but could still pass. Under v3.3 that changes entirely. If any cloud service your business uses offers MFA, whether free, included in the subscription or available as a paid add-on, and you have not enabled it, your assessment fails automatically.
This applies to every cloud service your business uses: Microsoft 365, Google Workspace, your CRM, accounting platform, project management tool and so on. Any SaaS application that stores or processes company data and offers MFA as an option is in scope. Cost is not an acceptable justification for not enabling it.
For Apple fleets this means identity provider integration via MDM is no longer optional for Cyber Essentials purposes. Your team needs to enforce MFA through Okta, Microsoft Entra ID or Google Workspace across all user accounts, not just administrator accounts.
Cloud Services Cannot Be Excluded From Scope
Under previous versions, businesses could argue that certain cloud services sat outside scope because they had segregated them from the main environment. Under v3.3 that argument no longer holds. Businesses need clear justification and credible evidence of proper segregation to exclude anything and most cannot provide it.
Any cloud service that stores or processes business data is in scope. This includes productivity suites, CRM platforms, accounting systems, HR software, project management tools and file sharing services. If company data touches it, it is in scope. For many UK businesses this will significantly expand their certification footprint compared to previous years.
14-Day Patching Is Now an Auto-Fail
Two patching questions have moved to automatic failure status under v3.3. If high-risk or critical security updates are not applied across your entire device estate within 14 days of release, your assessment fails immediately. Previously this was a major non-compliance with the ability to remediate. Under v3.3 it is an outright failure.
For Apple fleets this means MDM-enforced OS update policies with documented enforcement timelines are essential, not just good practice. For Windows devices, Windows Update for Business must be configured with 14-day enforcement timelines and third-party app patching must be handled through a supplementary tool. Relying on users to update their own devices on either platform does not meet this requirement.
BYOD Controls Are Tighter
v3.3 tightens BYOD requirements significantly. If personal devices access organisational data, they must either meet the full Cyber Essentials technical controls or access must be limited to a managed, sandboxed environment such as a virtual desktop or managed mobile application container. Simply having a BYOD policy document is no longer sufficient. The technical controls must be demonstrable to your assessor.
For businesses with employees checking work email or Slack on personal iPhones, this is a significant change. MDM enrolment for personal devices through a proper BYOD programme is the correct technical response.
Remediation Must Now Be Estate-Wide
Under v3.3, if a vulnerability or control gap is identified during a Cyber Essentials Plus assessment, remediation must be applied across the entire device estate, not just the sampled devices that were tested. This closes a loophole where businesses would fix issues on the specific devices being assessed while leaving the same issues unaddressed elsewhere. For both Apple and Windows fleet managers this means MDM compliance reporting across every enrolled device is no longer optional; it is the evidence base your assessor will expect.
Where Most UK Businesses Fail, Especially Those Running Apple Fleets
We have helped businesses including Revolut and Kroo navigate their compliance and security challenges. These are the failure points we see most consistently.
Mixed fleet with inconsistent controls.
Windows devices managed through Intune and Group Policy, Macs treated as a separate and often less governed estate. Assessors look at every in-scope device. If your Mac controls do not match the rigour of your Windows controls, that gap is visible and will be challenged.
Personal devices that nobody mapped.
The most common reason UK scale-ups fail their first assessment. Employees have been checking work email on personal iPhones for two years. Nobody formally enrolled those devices or included them in scope. Under v3.3, personal devices accessing company data are in scope, with no exceptions.
Local administrator accounts on Macs.
Developers and power users running as local admins on their Macs with no central oversight. This fails the user access control requirement. MDM-enforced standard user accounts with controlled escalation are the fix.
MFA gaps on secondary cloud services.
Microsoft 365 MFA is enabled. But the CRM, the accounting platform and the project management tool were not audited. Under v3.3 each of those is an automatic failure point if MFA is not enabled.
Patch management that relies on users.
Macs configured to prompt users to update rather than enforce updates through MDM. Windows devices relying on manual patching or user-initiated updates. Assessors ask for evidence of patching within 14 days. Self-reported compliance from users is not evidence. MDM compliance reports are.
Outdated or unsupported OS versions.
Devices running macOS or Windows versions that are no longer receiving security patches. Fleet visibility via MDM is the only reliable way to identify and remediate these before assessment.
Scope defined too narrowly.
Attempting to exclude cloud services that are actively used by the business. Under v3.3 assessors are specifically looking for this and it is a straightforward route to failure.
How MDM Connects to Cyber Essentials on Apple and Windows
Cyber Essentials does not mandate MDM. But for any business managing more than a handful of devices, MDM is the only realistic way to evidence the controls your assessor requires.
On Windows, Microsoft Intune is the most common MDM platform and handles OS update management and configuration profiles well. However Intune has no native third-party app patching, and Mac-specific controls in Intune are less granular and slower to update than dedicated Apple MDM platforms. For businesses running a mixed fleet, many choose Intune for Windows management and a dedicated Apple MDM platform for Macs, accepting some tool overlap in exchange for stronger Apple coverage.
Here is how MDM maps directly to each of the five controls:
Firewalls – MDM configuration profiles enforce the macOS firewall and Windows Defender Firewall on every enrolled device. You can evidence this from your MDM compliance dashboard without asking individual users.
Secure Configuration – MDM profiles apply FileVault or BitLocker encryption, screen lock timers, Gatekeeper settings and restricted app installation across the fleet. CIS Level 1 benchmark templates in platforms like Jamf and Iru apply dozens of secure configuration controls in a single Apple profile. Microsoft Security Baseline templates do the same on Windows via Intune.
User Access Control – MDM integration with your identity provider enforces MFA, manages accounts and restricts local administrator access across both Mac and Windows. A unified identity layer via Okta or Microsoft Entra ID means access controls are enforced technically and consistently across your entire estate.
Malware Protection – MDM provides visibility into protection status across the fleet and enables deployment of third-party EDR solutions to every enrolled device regardless of platform.
Patch Management – MDM enforces OS update policies with defined timelines and generates compliance reports showing which devices are patched and which are not. On Mac, platforms like Jamf and Iru also handle third-party app patching natively. On Windows, a supplementary patching tool is required alongside Intune.
For the BYOD controls under v3.3, MDM enrolment for personal devices through a properly configured BYOD programme is the technical mechanism that allows you to evidence compliance on personal devices without accessing personal data.
Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?
The right choice depends on your client requirements, sector and risk profile.
Standard Cyber Essentials is the minimum required for most government contracts and supply chain requirements. It is a self-assessment verified by an accredited assessor. The process is faster and the cost is lower, typically from around £300 for the assessment fee. For businesses working toward certification for the first time or renewing in a relatively stable environment, standard Cyber Essentials is usually the right starting point.
Cyber Essentials Plus requires an independent assessor to perform technical testing of your systems. It carries significantly more weight with regulated clients, enterprise procurement teams and cyber insurers. Under the v3.3 update, Plus assessors will now test MFA enforcement, endpoint configuration and vulnerability remediation more rigorously across both Apple and Windows devices. Assessment fees typically start from around £1,500 and vary by organisation size.
Increasingly, public sector contracts and larger enterprise supply chains require Cyber Essentials Plus rather than standard certification. If you are planning to bid for government frameworks or supply large enterprise clients in financial services, legal or healthcare, pursuing Plus from the outset avoids having to repeat the process at a later stage.
How to Prepare: A Practical Checklist
Work through this list before creating your assessment account.
MDM and device management – Apple:
- Every Mac enrolled in MDM with active MDM profile
- MDM configuration profiles applying CIS Level 1 baseline as a minimum
- FileVault enforced on all enrolled Macs
- Screen lock timer set to 10 minutes or less
- Gatekeeper set to hard enforcement
- All users running as standard accounts, not local admins
- Admin access granted only to named individuals with documented justification
MDM and device management – Windows:
- Windows devices enrolled in Intune or equivalent MDM
- Windows Defender Firewall enforced via policy
- BitLocker encryption enforced on all Windows laptops
- CIS or Microsoft Security Baseline applied
- Local administrator accounts restricted
Patch management:
- OS update enforcement policies active via MDM on all devices
- Documented process for applying critical patches within 14 days
- MDM compliance report showing patch status across all enrolled devices
- Third-party application patching in place on both Mac and Windows – not reliant on user action
- No devices running unsupported OS versions on either platform
MFA and identity:
- MFA enabled on Microsoft 365 or Google Workspace for all users
- MFA enabled on every cloud service that offers it – CRM, accounting, HR, project management
- Identity provider integrated with MDM for consistent enforcement across Mac and Windows
- No MFA exceptions for any user account
Cloud services and scope:
- Full audit of cloud services that store or process company data
- All identified services included in certification scope
- Shared responsibility understood for each cloud platform
- No cloud services excluded without documented segregation evidence
BYOD and personal devices:
- Personal devices accessing company data enrolled in MDM under BYOD programme
- BYOD MDM profile applied covering passcode, encryption and OS update requirements
- Personal devices included in certification scope
- Offboarding process confirmed for personal device unenrolment
Malware protection:
- Active malware protection deployed and verified on all devices
- MDM providing visibility into protection status across the fleet
- Third-party EDR solution deployed for businesses pursuing Plus or operating in regulated sectors
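The checklist above, together with the 14-day patching rule and the MFA automatic-failure rule described earlier, can be run as a mechanical readiness check before you create an assessment account. The script below is an added example written for this guide, not nDuo's tooling or any MDM vendor's API: it evaluates a constructed MDM compliance export and a constructed cloud-service inventory, and every field name is an assumption to be mapped from whatever your platform actually exports.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14         # v3.3: critical/high-risk updates within 14 days of release
MAX_SCREEN_LOCK_SECONDS = 600  # checklist: screen lock timer at 10 minutes or less

@dataclass
class Device:
    name: str
    platform: str                     # "macOS" or "Windows"
    encrypted: bool                   # FileVault on macOS, BitLocker on Windows
    firewall_on: bool
    gatekeeper_on: bool               # only evaluated on macOS
    screen_lock_seconds: int
    local_admins: list                # accounts holding local administrator rights
    os_supported: bool                # OS version still receives security patches
    critical_released: date           # release date of the newest critical update
    critical_applied: Optional[date]  # None means not yet applied

@dataclass
class CloudService:
    name: str
    stores_company_data: bool     # True puts the service in scope
    offers_mfa: bool              # free, bundled or paid add-on all count
    mfa_enforced_all_users: bool

def device_findings(d: Device, today: date) -> list:
    """Return the failed checks for one device; an empty list means compliant."""
    checks = [
        (not d.encrypted, "disk encryption not enforced"),
        (not d.firewall_on, "firewall not active"),
        (d.platform == "macOS" and not d.gatekeeper_on, "Gatekeeper not enforced"),
        (d.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS, "screen lock longer than 10 minutes"),
        (bool(d.local_admins), "local admin accounts: " + ", ".join(d.local_admins)),
        (not d.os_supported, "unsupported OS version"),
    ]
    findings = [msg for failed, msg in checks if failed]
    # The 14-day clock runs from the vendor's release date, not from when you noticed it.
    if d.critical_applied is None:
        if (today - d.critical_released).days > PATCH_WINDOW_DAYS:
            findings.append("critical patch overdue (auto-fail)")
    elif (d.critical_applied - d.critical_released).days > PATCH_WINDOW_DAYS:
        findings.append("critical patch applied outside 14-day window (auto-fail)")
    return findings

def service_findings(s: CloudService) -> list:
    """MFA offered but not enforced for every user is an automatic failure under v3.3."""
    if s.stores_company_data and s.offers_mfa and not s.mfa_enforced_all_users:
        return ["MFA available but not enforced for all users (auto-fail)"]
    return []

def readiness_report(devices, services, today: date) -> dict:
    """Findings per device and per service, plus whether any auto-fail point was hit."""
    dev = {d.name: f for d in devices if (f := device_findings(d, today))}
    svc = {s.name: f for s in services if (f := service_findings(s))}
    auto = any("auto-fail" in m for fs in [*dev.values(), *svc.values()] for m in fs)
    return {"devices": dev, "services": svc, "automatic_failure": auto}

# Constructed sample data for this example (not real devices or services).
TODAY = date(2026, 5, 20)
DEVICES = [
    Device("mbp-finance-01", "macOS", True, True, True, 300, [], True, date(2026, 5, 1), date(2026, 5, 6)),
    Device("mbp-dev-07", "macOS", True, True, True, 600, ["dev"], True, date(2026, 5, 1), None),
    Device("win-sales-03", "Windows", True, True, False, 900, [], True, date(2026, 5, 1), date(2026, 5, 10)),
]
SERVICES = [
    CloudService("Microsoft 365", True, True, True),
    CloudService("Accounting platform (MFA is a paid add-on)", True, True, False),
    CloudService("Internal wiki with no MFA option", True, False, False),
]

if __name__ == "__main__":
    print(readiness_report(DEVICES, SERVICES, TODAY))
```

Only findings tagged auto-fail (the overdue critical patch and the unenforced paid MFA add-on) flip the overall result; the other findings still need fixing, but they are what an assessor would previously have raised as non-compliances rather than outright failures.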
Cyber Essentials and ISO 27001: How They Fit Together
They are separate frameworks with different scopes and different purposes, but they are complementary rather than competing.
Cyber Essentials focuses on five specific technical controls and is assessed against a defined checklist. ISO 27001 is a broader information security management standard covering people, processes and technology across the entire organisation. It requires a documented information security management system, a formal risk assessment process and ongoing management review.
For most growing UK businesses, Cyber Essentials is the right first step. It is faster to achieve, has a lower cost of entry and satisfies most immediate client and contract requirements. ISO 27001 becomes the natural progression as the business matures, takes on larger enterprise clients or enters regulated markets that require a more comprehensive assurance framework.
nDuo implements both. We build Cyber Essentials alignment into every MDM engagement from day one, with the ISO 27001 progression in mind from the outset. The device security controls that satisfy Cyber Essentials are the same controls that form the endpoint security component of an ISO 27001 programme. Getting them right once means you are not rebuilding from scratch when your compliance requirements grow.
Why Apple-Specific Expertise Matters for Cyber Essentials
Most Cyber Essentials consultants come from a Windows background. They are comfortable with Group Policy, Intune and Windows Defender. For businesses running purely Windows estates, that expertise is sufficient. But for businesses running Apple fleets, whether Apple-only or mixed Apple and Windows, the gaps in Apple-specific knowledge frequently cause problems that a Windows-focused consultant will not anticipate.
The result is that Apple-first businesses frequently receive generic advice that does not map correctly to their actual environment. Controls are implemented in ways that satisfy a Windows-focused assessor but leave genuine gaps on the Mac side. Or MDM is configured correctly but the compliance reporting structure does not produce the evidence format the assessor expects.
nDuo holds Cyber Essentials certification ourselves. We are an Apple Premium Technical Partner with Apple MDM expertise across Jamf Pro, Iru (formerly Kandji) and Microsoft Intune. We have guided businesses including Revolut and Kroo through Cyber Essentials certification and we build compliance alignment into every MDM deployment from day one.
If your team runs Apple devices, whether as your primary platform or alongside Windows, the difference between generic IT advice and Apple-specific expertise is frequently the difference between passing first time and needing to remediate and resubmit.
Get a Free Cyber Essentials Readiness Review
If you are working toward Cyber Essentials certification, renewing under the new v3.3 requirements, or simply not sure where your current device estate stands against the standard, we offer a free readiness review.
We will assess your current MDM configuration, device compliance posture and cloud service scope against the five Cyber Essentials controls and the v3.3 changes, and give you a clear picture of what needs to change before you create your assessment account. Whether you run a pure Apple fleet, a mixed environment or a BYOD programme, we will give you a straight answer on where you stand.
No jargon. No obligation. Just an honest assessment from a team that has done this for Apple fleets and mixed environments across UK fintech, scale-ups and regulated businesses.
Explore our Cyber Essentials service or book a free readiness review with our team today.