Jessica Entwistle
July 10 2026
The NCSC has announced Cyber Essentials Pathways, an alternative route to Cyber Essentials Plus certification designed to make the scheme more accessible without compromising its integrity. The new pathway is intended to support organisations that have struggled with the traditional assessment process, particularly those with complex or non-standard IT environments. Pathways will allow organisations to work through certification in stages, with clearer guidance and more structured support from certification bodies. The scheme remains focused on the same five technical controls, but the assessment process has been redesigned to reduce barriers while maintaining assurance standards.
For many UK organisations, Cyber Essentials has become a baseline requirement for government contracts, supply chain participation and cyber insurance. However, the traditional assessment model has sometimes created friction for businesses with legacy systems, distributed infrastructure or limited internal security expertise. Pathways addresses this by offering a more flexible route that still validates the same technical controls but allows organisations to build capability incrementally. This matters operationally because it reduces the risk of organisations abandoning certification attempts or seeking workarounds, and it reinforces the scheme's role as a practical foundation rather than a compliance hurdle. For organisations that have previously found the certification process challenging, this represents a meaningful opportunity to achieve certification without compromising on the underlying security controls that the scheme is designed to validate.
For UK businesses working towards Cyber Essentials or supporting clients through the process, this is a prompt to review how certification fits into your broader security roadmap. If previous attempts have stalled due to technical complexity or resource constraints, Pathways may offer a more achievable route. It is also worth considering how this change affects supply chain assurance expectations and whether your certification approach still aligns with customer or contract requirements. Organisations should also review whether their current certification body is participating in the Pathways programme and what support is available to help navigate the new process. This is an opportunity to revisit certification as a practical security foundation rather than a compliance checkbox, and to ensure that the process is integrated into broader security improvement efforts rather than treated as a standalone exercise.
Source: NCSC UK