
Certification at Risk: How Ageing Hardware Is Quietly Costing British SMEs Their Public Sector Eligibility

For a small business owner pursuing a government contract in 2025, the technical requirements of the Cyber Essentials certification scheme may not be the first consideration that comes to mind. Pricing, capacity, and delivery timelines tend to dominate the bidding process. Yet an increasing number of British SMEs are discovering, often at considerable cost, that their existing IT infrastructure disqualifies them from the scheme entirely — rendering their tender submissions inadmissible before evaluation even begins.

Cyber Essentials is not an optional certification. Since Procurement Policy Note 09/14, central government contracts that involve handling personal information or supplying certain ICT products and services have required bidders to hold it, and the requirement has been carried into many framework agreements. The scheme is owned by the National Cyber Security Centre (NCSC) and delivered through its partner IASME and a network of licensed certification bodies. Its technical requirements are published as versioned documents revised roughly once a year (the Montpellier update in 2023 and the Willow update in 2025 are the most recent), so what passed at one renewal may not pass at the next. The challenge for SMEs is that recent versions are explicit about which devices and software must still be receiving vendor security updates, and a good deal of small-business hardware bought several years ago no longer clears that bar.

What the Scheme Actually Requires from Your Hardware

Cyber Essentials is structured around five technical controls: firewalls, secure configuration, security update management (the control the article elsewhere calls patch management), user access control, and malware protection. Hardware bears on them unevenly. The firewall and security update management controls are where ageing equipment most often fails, and business owners without a dedicated IT function tend to underestimate both.

Firmware and operating system support are the most common hardware-related failure points, but for different reasons. The current requirements treat firmware as in-scope software only on routers and firewalls, so a desktop whose BIOS or UEFI firmware the manufacturer stopped updating is not, by itself, a failing item. What fails is the operating system: every in-scope device must run an OS that its vendor still supports with security updates, and updates rated critical or high (CVSS v3 score of 7 or above) must be applied within 14 days of release. This is where old hardware bites. Windows 10 reaches end of support on 14 October 2025, and Windows 11 requires TPM 2.0 and a processor on Microsoft's supported list, so a machine bought between 2017 and 2020 that cannot take the upgrade will be running an unsupported operating system at its next assessment, however diligently it was patched until then.

Routers and boundary firewalls are the hardware on which the scheme is most explicit. Their firmware is in scope as software, which means that once the manufacturer stops issuing security updates the device fails the security update management control regardless of how well it is configured. Consumer-grade routers, prevalent in small offices, frequently lose vendor support within a few years of launch. The firewall control adds requirements of its own: the default administrative password must be changed, administration from the internet disabled or protected by multi-factor authentication or an IP allow-list, and no inbound service exposed without a documented business need. A business-grade replacement that still receives firmware updates is usually a modest purchase, but it has to be installed, and its defaults changed, before certification can proceed.

Wireless access points are a smaller compliance risk than routers. The requirements do not name a Wi-Fi encryption standard, so an access point limited to WPA2 is not automatically non-compliant; WPA3 is good practice rather than a scheme mandate. What the secure configuration control does require is that default credentials are changed, unnecessary services such as WPS or an internet-reachable administration page are disabled, and the device can actually be locked down in that way. Where the access point is also the boundary router, its firmware falls under the firewall scope described above. Older access points tend to fail on those points long before the encryption standard becomes the problem.

Network switches rarely decide a pass or fail on their own: the user access control requirement concerns accounts, administrative privileges and multi-factor authentication, not network segmentation. Where managed switches earn their keep is scope. An organisation may certify a subset of its estate rather than the whole business, but only if that subset is segregated from the rest by a firewall or VLAN. On a flat network built from unmanaged switches, every device is in scope, including legacy equipment that cannot be brought up to standard.

The Commercial Consequence of Non-Compliance

The financial stakes of failing to achieve or maintain Cyber Essentials certification extend well beyond the assessment fee. The certification has been a condition of central government contracts involving personal information or certain ICT services since Procurement Policy Note 09/14, and it appears as a standard requirement across Crown Commercial Service frameworks, NHS supply chains, Ministry of Defence procurement (through Def Stan 05-138), local authority digital services contracts and HMRC engagements.

For an SME generating £1.5 million to £3 million in annual revenue, a single lost public sector contract can represent a meaningful proportion of turnover. The irony is that the hardware investment required to achieve compliance is frequently modest relative to the contract value it unlocks. A business that spends £3,000 to £5,000 on targeted hardware upgrades — replacing non-compliant routers, refreshing firmware on critical devices, and introducing managed switching — may become eligible for contracts worth ten or twenty times that amount.

The risk of inaction is compounded by the fact that the requirements are revised each year and a certificate is valid for only twelve months. Cyber Essentials Plus adds an independent technical audit of a sample of devices to the verified self-assessment, so a gap that a questionnaire might gloss over is found on the machine itself. Hardware that passed in 2022 may not pass the same assessment in 2025 if the manufacturer has since withdrawn firmware support or the operating system it runs has reached end of life.

A Practical Upgrade Roadmap for Compliance

For SMEs seeking to achieve Cyber Essentials certification without undertaking a wholesale IT overhaul, a structured, prioritised approach to hardware assessment is advisable.

Step one: Audit support status across all in-scope devices. For routers and firewalls, record the firmware version and confirm that the manufacturer still publishes security updates for it. For laptops, desktops, servers and mobile devices, record the operating system version and the vendor's end-of-support date; a PC that cannot run a supported operating system is the single most common hardware failure. The test is not whether an update landed recently but whether the vendor still issues them and whether every critical or high-severity update was applied within 14 days of release. Put the end-of-support dates in the asset register so they can be checked against the next renewal date, not just against today.

Step two: Replace end-of-life boundary devices first. The router or firewall sits at the perimeter of the network and is the one piece of hardware whose firmware the scheme explicitly requires to be supported, so an abandoned one is a certain fail. Business-grade routers from established vendors that receive regular firmware updates are available at price points accessible to SMEs of all sizes. When the new device arrives, change the default administrative password, disable internet-facing management or protect it with multi-factor authentication or an IP allow-list, and document any inbound rule you keep; the hardware alone does not satisfy the control.

Step three: Address wireless infrastructure. The scheme does not require WPA3, so replace access points on the same basis as any other device: those that cannot be locked down (default credentials that cannot be changed, WPS or remote management that cannot be disabled) and those whose vendor no longer supports them. Move to WPA3 where the hardware allows it, as good practice rather than a compliance requirement. Where budget is constrained, start with the access points serving business-critical or guest-facing segments.

Step four: Introduce managed switching where unmanaged switches currently operate. VLAN-capable switches allow the network to be segmented, which the scheme does not demand of a whole-organisation scope but does require when a subset is certified. That gives a practical option: segregate legacy equipment that cannot be upgraded behind a firewall or VLAN and certify the rest, rather than replacing everything at once. Segmentation also limits what a compromised device can reach, which is the underlying point of the exercise.

Step five: Establish an update monitoring process. Passing at the point of assessment is only half the challenge. Keeping the certificate through the annual renewal requires a documented process for tracking manufacturer security advisories for every in-scope device, applying critical and high-severity updates within the 14-day window, and reviewing vendor end-of-support dates against the renewal date so that a device losing support mid-year is replaced before it becomes a fail.
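The checks in steps one and five can be scripted against an asset register. The Python below is a worked example added for this article; it is not NCSC or IASME tooling, and the inventory, the vendor ExampleNet and its products are constructed, while the Windows 10 end-of-support date is Microsoft's real one. It applies the two rules that decide most hardware failures, vendor support having ended and a critical update being more than 14 days old, and warns when support will lapse before the next renewal. Everything is evaluated as of a chosen assessment date so the same register can be tested against today and against the renewal date.

```python
"""Update-management check over a device inventory, applied the way a Cyber
Essentials self-assessment would apply it. Worked example added for this
article; it is not NCSC or IASME tooling. The inventory, the vendor ExampleNet
and its products are constructed; the Windows 10 end-of-support date is real."""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Scheme rule: critical/high-rated updates (CVSS v3 >= 7) applied within 14 days.
PATCH_WINDOW = timedelta(days=14)
# A certificate is valid for 12 months; flag support that lapses inside that period.
CERT_PERIOD = timedelta(days=365)

# Constructed inventory, not real devices. pending_critical_release is the release
# date of the newest critical/high update not yet applied (blank if none).
INVENTORY_CSV = """\
asset,role,vendor,product,running_version,pending_critical_release
edge-fw,boundary firewall,ExampleNet,SOHO-100,2.1.4,2025-01-10
core-sw,managed switch,ExampleNet,SW-24,7.3.0,
office-ap,access point,ExampleNet,AP-200,5.0.2,2025-05-10
laptop-07,endpoint OS,Microsoft,Windows 10,22H2,2025-05-25
"""

# Vendor support end dates: (vendor, product) -> date, or None while still supported.
# ExampleNet dates are constructed; Windows 10 reaches end of support on 14 Oct 2025.
SUPPORT_END: dict[tuple[str, str], date | None] = {
    ("ExampleNet", "SOHO-100"): date(2024, 3, 31),
    ("ExampleNet", "SW-24"): None,
    ("ExampleNet", "AP-200"): None,
    ("Microsoft", "Windows 10"): date(2025, 10, 14),
}


def assess(inventory_csv: str, support_end: dict, on_date_iso: str) -> list[tuple[str, str, str]]:
    """Return (asset, severity, message) findings as they stand on on_date_iso.

    'fail' is what the self-assessment would mark non-compliant on that date;
    'warn' is something that will fail before the next annual renewal.
    A vendor/product pair with no support record is treated as unsupported.
    """
    on_date = date.fromisoformat(on_date_iso)
    findings: list[tuple[str, str, str]] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        asset, key = row["asset"], (row["vendor"], row["product"])
        if key not in support_end:
            findings.append((asset, "fail", f"no support record for {key[1]}; treat as unsupported"))
        else:
            end = support_end[key]
            if end is not None and end <= on_date:
                findings.append((asset, "fail", f"{key[1]} unsupported since {end.isoformat()}"))
            elif end is not None and end - on_date < CERT_PERIOD:
                findings.append((asset, "warn", f"{key[1]} support ends {end.isoformat()}, before the next renewal"))
        if row["pending_critical_release"]:
            released = date.fromisoformat(row["pending_critical_release"])
            overdue = (on_date - (released + PATCH_WINDOW)).days
            if overdue > 0:
                findings.append((asset, "fail",
                                 f"critical update of {released.isoformat()} is {overdue} days past the 14-day window"))
    return findings


def failing_assets(inventory_csv: str, support_end: dict, on_date_iso: str) -> list[str]:
    """Sorted, de-duplicated names of assets with at least one 'fail' finding."""
    return sorted({a for a, sev, _ in assess(inventory_csv, support_end, on_date_iso) if sev == "fail"})


if __name__ == "__main__":
    for when in ("2025-06-01", "2025-11-01"):
        print(f"as of {when}: failing = {failing_assets(INVENTORY_CSV, SUPPORT_END, when)}")
        for asset, severity, message in assess(INVENTORY_CSV, SUPPORT_END, when):
            print(f"  [{severity}] {asset}: {message}")
```

Run against a June 2025 assessment date the constructed register fails on the abandoned boundary firewall and an access point with a three-week-old critical update, while the Windows 10 laptop only warns; run against a November date the laptop fails too, because its operating system has left support inside the certification year. Two design choices are deliberate: a device with no entry in the support table fails rather than passes, and the assessment date is a parameter rather than today's date so the register can be checked against the renewal date in advance.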

The Broader Strategic Value of Compliance Investment

It is worth noting that the hardware investments required to achieve Cyber Essentials compliance deliver value that extends well beyond certification. A network boundary protected by a current, actively maintained firewall is a materially more secure environment than one relying on a consumer router running three-year-old firmware. Managed switching infrastructure enables better network visibility and control. Updated wireless access points deliver improved performance alongside enhanced security.

For British SMEs, Cyber Essentials compliance is best understood not as a bureaucratic hurdle but as a structured prompt to address hardware deficiencies that carry genuine operational risk. The public sector contract eligibility it unlocks is, in many cases, the most immediately tangible return on that investment — but the underlying security improvements benefit the business regardless of whether a government contract is ever pursued.

For SMEs uncertain about where their current hardware estate stands relative to the scheme's requirements, the free Cyber Essentials readiness toolkit published with the NCSC is a sensible starting point, and a certification body licensed by IASME can carry out a preliminary gap analysis before formal submission. Understanding the specific hardware changes required, rather than committing to broad, unfocused expenditure, is the most cost-effective path to certification.
