Certification as Catalyst: How Cyber Essentials Is Forcing a Long-Overdue Hardware Reckoning Across British SMEs

The National Cyber Security Centre's Cyber Essentials scheme was designed to establish a baseline of cybersecurity hygiene across British organisations. What its architects may not have fully anticipated is the scheme's secondary function: acting as an involuntary hardware audit that is compelling thousands of UK small and medium-sized enterprises to confront technology estates they have been deferring for years.

With public sector procurement increasingly mandating Cyber Essentials certification — and private sector supply chains following suit — the certification process has become a commercial necessity for a substantial proportion of British SMEs. The consequences for hardware procurement are significant and, in many cases, urgent.

What Cyber Essentials Actually Demands of Your Hardware

The scheme's five technical controls — boundary firewalls, secure configuration, access control, malware protection, and patch management — sound straightforward in principle. In practice, they impose concrete requirements on the physical devices within an organisation's scope.

The patch management control is where ageing hardware most frequently creates problems. For a device to satisfy this requirement, its operating system must be vendor-supported and receiving active security updates. Windows 10, which reaches end-of-life in October 2025, will cease to satisfy this requirement for assessments conducted thereafter. Windows 7 and Windows 8.1 machines — which, remarkably, continue to operate within a non-trivial number of British SME environments — already fail this criterion outright.

The secure configuration control introduces further complications. Modern security baselines require hardware capable of supporting features such as Secure Boot, TPM 2.0, and full-disk encryption through BitLocker or equivalent tools. Many business laptops and desktops manufactured before 2018 either lack TPM 2.0 entirely or carry firmware implementations that do not meet current standards. These machines cannot be configured to satisfy the scheme's requirements regardless of software intervention.

The Assessment as Unplanned Audit

Several IT consultancies operating across the UK have reported a consistent pattern during Cyber Essentials pre-assessment engagements: organisations frequently underestimate the proportion of their device estate that will require replacement. A business that anticipated refreshing perhaps 20% of its machines may discover the true figure closer to 60%.

The reasons are predictable. Hardware replacement decisions in SME environments are typically deferred until devices fail operationally. A machine that boots reliably, runs the necessary applications, and causes no immediate disruption is rarely prioritised for replacement — even if it runs an unsupported operating system, lacks adequate encryption capability, or cannot receive firmware security patches.

The Cyber Essentials assessment disrupts this logic by introducing an external compliance deadline. Suddenly, the question is no longer whether a machine functions adequately, but whether it can be demonstrably secured. For many devices, the answer is no.

Common Hardware Shortfalls Identified During Assessments

Based on assessment feedback compiled across the UK SME sector, the most frequently identified hardware inadequacies fall into several categories:

Absence of TPM 2.0: Devices lacking this hardware security module cannot enable BitLocker drive encryption or meet Windows 11's minimum system requirements. This single deficiency disqualifies a machine from both current OS support and meaningful encryption compliance.

Unsupported operating systems: Beyond the Windows 10 deadline, a surprising number of SME environments continue to operate legacy systems including Windows Server 2012 and Windows Server 2016, both of which have passed or are approaching end-of-extended-support dates.

Unmanaged network switches and access points: Consumer-grade networking equipment, frequently deployed in smaller offices to reduce costs, often lacks the firmware update mechanisms or management interfaces required to demonstrate secure configuration.

End-of-life endpoint devices: Laptops and desktops that manufacturers no longer support with firmware or BIOS updates present a compliance gap that software patching cannot address.

Insufficient mobile device management: Smartphones and tablets accessing business systems without appropriate management profiles fall within scope for Cyber Essentials Plus assessments, exposing gaps that many SMEs have not previously considered.
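The shortfalls listed above, and the Secure Boot, TPM 2.0 and BitLocker points raised under the secure configuration control, are things an SME can check on each Windows endpoint before the assessor arrives. The script below is an added example written for this article; it is not part of the Cyber Essentials scheme or its official tooling. It is read-only, uses only standard Windows cmdlets (Get-CimInstance, Confirm-SecureBootUEFI, Get-BitLockerVolume) and returns one object per device summarising the hardware and OS findings. The build-number threshold for Windows 11 (22000) is a known value; the firmware-age cut-off and the function name are assumptions chosen for illustration.

```powershell
# Added example (not from the article): read-only pre-assessment check of a
# Windows endpoint against the hardware points the article describes.
# Run in an elevated PowerShell session; it changes nothing on the device.

function Get-CyberEssentialsHardwareReport {
    [CmdletBinding()]
    param(
        # Firmware older than this is flagged for manual vendor-support follow-up
        # (assumed threshold for illustration, not a scheme requirement).
        [datetime]$FirmwareCutoff = (Get-Date).AddYears(-3)
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Identity details the assessor's asset list will need
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Patch management: is the OS a currently supported platform?
    # Windows 11 builds start at 22000; anything lower is Windows 10 or older.
    $build = [int]$os.BuildNumber
    $osSupported = $build -ge 22000
    if (-not $osSupported) {
        $findings.Add("OS '$($os.Caption)' build $build is not Windows 11; Windows 10 support ends October 2025 and earlier versions already fail patch management")
    }

    # Secure configuration: TPM 2.0. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38";
    # the first field is the TPM specification version.
    $tpmSpec = $null
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
        if (-not $tpm) {
            $findings.Add('No TPM detected (absent or disabled in firmware); encryption baseline and Windows 11 cannot be met')
        } else {
            $tpmSpec = ($tpm.SpecVersion -split ',')[0].Trim()
            if ([version]$tpmSpec -lt [version]'2.0') {
                $findings.Add("TPM present but specification $tpmSpec; TPM 2.0 is required")
            }
        }
    } catch {
        $findings.Add("TPM query failed: $($_.Exception.Message)")
    }

    # Secure configuration: Secure Boot. The cmdlet throws on legacy BIOS boot.
    $secureBoot = $false
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        if (-not $secureBoot) { $findings.Add('Secure Boot is supported but switched off') }
    } catch {
        $findings.Add('Secure Boot unavailable (legacy BIOS boot); firmware cannot enforce a trusted boot chain')
    }

    # Secure configuration: full-disk encryption on the system drive
    $bitlocker = 'Unknown'
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitlocker = [string]$vol.ProtectionStatus
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker protection on $($env:SystemDrive) is $($vol.ProtectionStatus)")
        }
    } catch {
        $findings.Add('BitLocker cmdlets unavailable (e.g. Home edition); no managed full-disk encryption')
    }

    # End-of-life endpoint: firmware release date as a proxy for vendor support.
    # Get-CimInstance converts Win32_BIOS.ReleaseDate to a [datetime].
    $biosDate = $bios.ReleaseDate
    if ($biosDate -and $biosDate -lt $FirmwareCutoff) {
        $findings.Add("Firmware $($bios.SMBIOSBIOSVersion) dated $($biosDate.ToString('yyyy-MM-dd')); confirm the vendor still issues BIOS/UEFI updates for this model")
    }

    [pscustomobject]@{
        Hostname       = $env:COMPUTERNAME
        Manufacturer   = $cs.Manufacturer
        Model          = $cs.Model
        OS             = "$($os.Caption) ($build)"
        OSSupported    = $osSupported
        TpmSpecVersion = $tpmSpec
        SecureBoot     = $secureBoot
        BitLocker      = $bitlocker
        FirmwareDate   = $biosDate
        Findings       = ($findings -join '; ')
        Compliant      = ($findings.Count -eq 0)
    }
}

# Usage: run on each device and gather the per-host CSVs for the refresh plan.
Get-CyberEssentialsHardwareReport |
    Export-Csv -Path ".\ce-hardware-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Running this across the estate before the assessment turns the "20% versus 60%" surprise described above into a counted list: the Compliant column identifies devices that already pass, and the Findings column separates machines that need only a configuration change (Secure Boot off, BitLocker not enabled) from those that need replacement (no TPM 2.0, legacy BIOS, unsupported OS). It covers Windows endpoints only; switches, access points and mobile devices still need to be checked against their vendors' support statements by hand.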

Planning a Compliant and Cost-Effective Hardware Refresh

The most important insight for British SME leaders approaching this challenge is that compliance-driven hardware investment need not be purely defensive expenditure. A device that satisfies Cyber Essentials requirements — supporting Windows 11, equipped with TPM 2.0, capable of hardware-accelerated encryption, and maintained by an active manufacturer — is, by definition, modern enough to deliver meaningful performance improvements over the legacy equipment it replaces.

Structuring the refresh programme thoughtfully allows organisations to extract genuine productivity gains alongside compliance benefits.

Prioritise by risk and criticality: Devices handling sensitive data, connecting to external services, or used by personnel with elevated system access should be addressed first. This approach satisfies assessors whilst directing resources where the security benefit is greatest.

Adopt a phased procurement schedule: Rather than attempting a complete estate refresh in a single financial year — which can create budget pressure that leads to poor purchasing decisions — a structured three-year replacement programme allows costs to be spread whilst ensuring the highest-risk equipment is addressed promptly.

Leverage certified refurbished hardware where appropriate: For roles with modest computational demands, quality-certified refurbished business-grade machines from reputable sources can satisfy Cyber Essentials requirements at a fraction of new hardware costs. Devices must, however, meet the TPM 2.0 and OS support requirements — not all refurbished stock does.

Consolidate procurement through trusted UK distributors: Purchasing through established UK channels ensures warranty coverage under British consumer law, provides access to volume pricing, and simplifies the documentation that assessors may request regarding hardware provenance and specification.

Do not neglect networking infrastructure: Routers, switches, and wireless access points are frequently overlooked in refresh planning but are directly assessed under the boundary firewall and secure configuration controls. Consumer-grade equipment should be replaced with business-class alternatives offering vendor-supported firmware.

The Broader Strategic Opportunity

Organisations that approach Cyber Essentials certification reactively — scrambling to address failures identified during assessment — invariably spend more and achieve less than those that treat the certification process as a structured opportunity to modernise their technology estate.

The scheme's requirements align closely with good IT practice in any case. A hardware estate that is fully patched, properly encrypted, and operating on supported platforms is not merely compliant — it is more reliable, more performant, and better positioned to support the business applications that drive commercial outcomes.

For British SMEs with ambitions to grow their public sector or regulated-industry client base, the investment in compliant, modern hardware is not a cost to be minimised. It is a commercial enabler. The certification process, however inconvenient its initial revelations may be, provides the clearest possible mandate for a hardware refresh that many organisations should have undertaken years ago.