Cyber Essentials Certification Darlington

Local support from a Darlington-based team that holds Cyber Essentials certification itself. Gap analysis, remediation, and formal assessment, including the new v3.3 director declaration requirements from April 2026.

Last reviewed: April 2026, updated to reflect Cyber Essentials v3.3

Reliable systems. Strong security. Clear accountability.

ISO 27001 certified

ISO 9001 certified

Cyber Essentials

MSP 501 recognised

MSP Awards 2025 – Best Use of AI

Supporting UK organisations since 1998

Getting certified in Darlington: what it actually involves

Cyber Essentials is a UK government-backed certification that tests whether your business has the five foundational controls in place to block the most common cyber attacks. For businesses in Darlington and across the North East, it is increasingly required for public sector contracts, NHS supply chain work, and regulated sector procurement. From April 2026, Cyber Essentials v3.3 also requires a director to formally confirm compliance is maintained throughout the certification period — not just at the point of assessment.

Bondgate IT is based in Darlington. We hold Cyber Essentials certification ourselves. We help businesses across Tees Valley and the North East go through the certification process from a standing start, which means understanding where you currently are, identifying what needs to change, fixing it properly, and then going into formal assessment with confidence rather than guesswork.

Why this matters for Darlington businesses right now: The Darlington Economic Campus and the growing presence of government departments in the town have increased the concentration of businesses working in or supplying public sector contracts. 

The requirement for Cyber Essentials is spreading through these supply chains faster than most businesses realise.

The five control areas Cyber Essentials checks

The scheme tests five specific technical areas. These are not complicated to understand, but the detail of how they are assessed catches businesses out, particularly around patching timelines, cloud scope, and access control. The three areas below are where most businesses in the North East fail their first attempt.

 

01. Firewalls

Boundary and device-level firewalls must be configured beyond default vendor settings. Many businesses fail here simply because no one has reviewed the configuration since initial setup.

02. Secure configuration

Devices and software must be set up securely. Default passwords changed, unnecessary features removed, admin accounts limited and separated from day-to-day use.

03. User access control

Only the right people can access what they need. Privileged accounts are separated, access is reviewed regularly, and former staff accounts are removed promptly.

04. Malware protection

Active, managed protection across all in-scope devices — including remote and home-working devices under v3.3 requirements.
 

05. Patch management

Software and operating systems kept current. High-risk vulnerabilities must be patched within 14 days of release. This is the single most common failure point across North East SMEs: most businesses patch when it is convenient, not on a defined schedule. Cyber Essentials requires a documented, consistent process.

Under v3.3, this must also cover cloud services and remote devices.

Cyber Essentials v3.3: what Darlington business owners need to know

From 28 April 2026, Cyber Essentials v3.3 introduces a requirement that changes who owns cyber security inside your organisation. A director or board-level representative must now formally confirm that the organisation will maintain Cyber Essentials controls throughout the full certification period, not only at the point of assessment.
 
This is not a cosmetic update. It moves Cyber Essentials from an IT exercise to a governance commitment.
 
For a Managing Director or Finance Director in Darlington, it means you are being asked to sign a declaration that your controls are maintained year-round, which requires having the structure and visibility to back that up.

How Bondgate IT supports Darlington businesses through certification

We do not start with the formal assessment. We start with a clear-eyed look at where you are today. Most businesses we work with have more gaps than they expect, and fewer than they fear. A gap analysis gives you the honest picture so nothing fails at assessment stage.

01. Gap analysis against current scheme requirements

We assess your IT environment against the v3.3 scheme requirements — all five control areas, including cloud scope, remote devices, and patching processes. You receive a written report with a clear list of what needs addressing and in what order.

02. Remediation - fixing the gaps properly

We work through the identified issues with your team. Configuration changes, access reviews, patching schedules, policy documentation. We do not submit you for formal assessment until every control area is ready.

03. Formal assessment submission

We support your questionnaire submission through an NCSC-approved certification body. With preparation done properly, first-attempt pass rates are significantly higher. Your director or board representative signs the v3.3 declaration with confidence rather than exposure.

04. Ongoing compliance support

Under v3.3, certification is not a one-off event. We help you establish the monthly rhythm (access reviews, patch visibility, scope updates when new systems are introduced) so that annual renewal is straightforward rather than a scramble.

The five biggest changes in Cyber Essentials v3.3

These are the changes that will catch businesses out if they apply for certification or renewal after April 2026 without understanding what has shifted. Source: NCSC Cyber Essentials: Requirements for IT Infrastructure v3.3, April 2026.

1. MFA is now mandatory across everything

Multi-factor authentication is required on all cloud services, all admin accounts, and all accounts accessible from the internet. If a cloud service offers MFA in any form (built-in, via an app, SMS, or an authenticator), it must be enabled.

The only accepted exception is if MFA is genuinely not available on the platform, and that must be documented. The assessment will fail automatically if MFA is available but not enabled on cloud services.

2. Cloud services cannot be excluded from scope

Previously you could shift liability for cloud services to the provider and effectively exclude them. That is no longer possible. Microsoft 365, HubSpot, Dropbox, your CRM, line-of-business SaaS tools, and social media accounts used for business are all explicitly in scope.

You must confirm the cloud provider’s security commitments via contractual clauses or their published shared responsibility documentation.

3. Expanded scope - exclusions now require justification

Any part of your IT estate excluded from assessment now requires a formal justification to the assessor.

Remote and home-working devices are in scope by default. BYOD devices that access organisational data or services are in scope.

A scope that does not include end-user devices is not acceptable under v3.3. Scope boundaries must be enforced using a firewall or VLAN – other methods are not compliant.

4. 14-day patching - with a specific CVSS score threshold

High-risk and critical vulnerabilities must be patched within 14 days of release.

V3.3 adds a technical threshold: any update addressing a CVSS v3 base score of 7 or above must be applied within 14 days – not just updates the vendor labels “critical.”

Automatic updates must be enabled where the software supports it. This covers operating systems, applications, browser extensions, firmware, and router software.
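
The 14-day rule above can be checked mechanically against a patch inventory. The following is an added example, not Bondgate IT's or the scheme's own tooling: the record fields, host names and dates are constructed, and counting a vendor "critical" or "high" label as in scope when no CVSS score is published is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14                   # window stated on this page
CVSS_THRESHOLD = 7.0                     # CVSS v3 base score stated on this page
HIGH_RISK_LABELS = {"critical", "high"}  # assumption: vendor labels counted as high-risk

@dataclass
class Update:  # one row of a hypothetical patch inventory export
    host: str
    product: str
    released: date              # vendor release date of the update
    installed: Optional[date]   # None = still missing on this host
    cvss_v3: Optional[float]    # highest base score the update fixes, if known
    vendor_severity: str = ""   # vendor's own label, if any

def in_14_day_scope(u: Update) -> bool:
    """The score decides first; a vendor label can only widen the scope."""
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    return u.vendor_severity.lower() in HIGH_RISK_LABELS

def days_overdue(u: Update, audit_day: date) -> int:
    """Days past the window; 0 means on time or outside the 14-day rule."""
    if not in_14_day_scope(u):
        return 0
    applied = u.installed or audit_day  # a missing patch ages until the audit
    return max(0, (applied - u.released).days - PATCH_WINDOW_DAYS)

def failures(inventory, audit_day):
    """(host, product, days overdue) for every breach, worst first."""
    rows = [(u.host, u.product, days_overdue(u, audit_day)) for u in inventory]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: -r[2])

# Constructed sample inventory (not real data).
SAMPLE = [
    Update("laptop-01", "browser", date(2026, 5, 1), date(2026, 5, 15), 8.8, "important"),
    Update("laptop-02", "browser", date(2026, 5, 1), date(2026, 5, 20), 8.8, "important"),
    Update("router-01", "firmware", date(2026, 5, 4), None, 7.0, ""),
    Update("pc-07", "pdf-reader", date(2026, 5, 1), None, 5.4, "moderate"),
    Update("srv-02", "os", date(2026, 5, 10), date(2026, 5, 30), None, "Critical"),
]

if __name__ == "__main__":
    for host, product, late in failures(SAMPLE, date(2026, 6, 1)):
        print(f"{host}: {product} update is {late} day(s) past the 14-day window")
```

The browser update scores 8.8 but carries only an "important" vendor label, so a check keyed on the label "critical" alone would miss laptop-02.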

5. Development and AI tools are now in scope - the change most businesses will miss

Previously, organisations could exclude software in development from Cyber Essentials scope. V3.3 introduces a Software Security Code of Practice and tightens what can be excluded from assessment.
 
This is particularly relevant for AI tools. Many businesses are using Microsoft Copilot, ChatGPT integrations, and AI-powered CRM or automation features, and classifying them as “in development” or “being evaluated.”
 
Under v3.3, if those tools are processing organisational data, they are in scope. Calling something a proof of concept no longer removes it from Cyber Essentials assessment requirements.

Free cyber liability insurance - included with certification

UK organisations with a head office in the UK and gross annual turnover under £20 million receive cyber liability insurance at no additional cost when they achieve Cyber Essentials certification.

This is arranged through the IASME scheme and includes 24/7 incident response support covering technical, legal, and crisis management services.

It is included by default; you must actively opt out if you do not want it. Most businesses achieving certification for the first time are unaware this benefit exists.

Before you start Cyber Essentials certification, understand the gaps

We show you where you stand and what needs fixing to meet Cyber Essentials.

Book your gap analysis

Why certification alone is not enough for Darlington businesses in 2026

Achieving Cyber Essentials is the right starting point.

But the threat landscape that organisations in Darlington and the North East are operating inside has changed significantly.

Understanding the broader picture helps leadership teams make better decisions about where to go after certification.

The pattern we see most often: A business achieves Cyber Essentials, considers the cyber security box ticked, and then experiences an incident 18 months later that Cyber Essentials was never designed to prevent, typically phishing or credential theft.

The certification protects against common technical attack vectors. It does not replace governance, staff awareness, and incident response capability.

| Threat | What it looks like | Does CE address it? |
| --- | --- | --- |
| Phishing | Supplier impersonation, fake Microsoft login pages, urgent payment requests | Partially: secure config and malware controls help, but staff awareness is separate |
| Ransomware | Encryption of business data, backup targeting, data theft before encryption | Partially: the five controls reduce entry points, but BCDR planning is separate |
| Credential theft | Weak or reused passwords, lateral movement through systems after first access | Yes: access control and MFA requirements directly address this |
| Supply chain attack | Compromise via a supplier's system or credentials | Partially: scope and access control help, but supplier management is separate |

Bondgate IT has been featured in the BBC documentary Cyber Siege: From Russia to Redcar, which examined the £10 million ransomware attack on Redcar and Cleveland Borough Council.

That experience shapes how we talk to North East businesses about cyber security. The controls matter. The governance around them matters more.

Related Reading

Cyber Security for UK SMEs: Key Risks and What to Focus on in 2026

Our full guide to the current threat landscape — what is actually causing breaches in UK SMEs and what leadership teams should be prioritising beyond certification.

Further reading from Bondgate IT

Cyber Essentials v3.3

Cyber Essentials v3.3: Why Cyber Security Is Now a Board Responsibility

The full breakdown of what the April 2026 director declaration means for MDs and FDs — what you need to confirm, what governance looks like in practice, and the questions you should be asking your IT provider.

Scheme Changes

Cyber Essentials 2025: What the New Changes Mean for Your Business

The changes introduced in version 3.2 – cloud scope, home working devices, MFA requirements – and what they mean for North East SMEs going through certification this year.

Common questions

Cyber Essentials certification - questions we hear from Darlington businesses

What is Cyber Essentials certification?
Cyber Essentials is a UK government-backed scheme that helps organisations protect against the most common cyber attacks.

It tests five technical control areas: firewalls, secure configuration, user access control, malware protection, and patch management.

Achieving certification demonstrates that your business has the foundational controls in place and is increasingly required for public sector contracts and regulated supply chains.

From 28 April 2026, Cyber Essentials v3.3 requires a director or board-level representative to formally confirm that the organisation will maintain compliance throughout the full certification period – not just at the point of assessment.

This shifts accountability from IT teams to leadership and means compliance must be sustained year-round, not treated as a one-off exercise.

Cloud services are also now explicitly in scope and cannot be excluded.

For most Darlington SMEs, the process from initial gap analysis to certification takes four to eight weeks.

The timeline depends on what the gap analysis finds and how much remediation is needed.

Bondgate IT completes the gap analysis within two to five working days, after which you have a clear picture of exactly what needs to be addressed before formal assessment.

Going straight to assessment without a gap analysis risks a failed first attempt, which delays the process and increases the cost.

An increasing number of contracts require it, particularly public sector work, NHS supply chain, MOD contracts, and any contract involving the handling of personal data or sensitive information.

Government contracts have required Cyber Essentials since 2014, and the requirement is spreading rapidly through private sector supply chains.

In Darlington, the growth of government activity at the Economic Campus is accelerating this in the local market.

Cyber Essentials is a verified self-assessment: you answer questions about your controls and an approved certification body checks your answers.

Cyber Essentials Plus includes everything from the standard certification but adds an independent technical audit of your systems by an assessor.

Cyber Essentials Plus is required for higher-risk contracts and provides a stronger assurance signal to clients, insurers, and regulated sector buyers.

The most common failure points are patch management (software not updated within the required 14-day window), secure configuration (default vendor settings still in use), and user access control (former staff with active accounts, over-privileged users, or unreviewed admin access).

Most of these issues are fixable quickly once identified through a gap analysis.

That is why we always recommend starting there rather than going straight to formal assessment.

Yes, if your organisation has a UK head office and gross annual turnover under £20 million, cyber liability insurance is included at no additional cost when you achieve Cyber Essentials certification.

It is arranged through the IASME scheme and includes 24/7 incident response support covering technical, legal, and crisis management.

It is included by default unless you actively opt out.

Most businesses certifying for the first time are not aware this benefit exists.

Under Cyber Essentials v3.3, yes: if an AI tool is processing organisational data, it falls within the definition of a cloud service and cannot be excluded from scope.

This will catch many businesses out.

Tools being “trialled” or described as “in development” no longer have an automatic exemption.

If your organisation is using Microsoft Copilot, AI-powered CRM features, or other AI tools that access or process your business data, those tools must be within the scope of your Cyber Essentials assessment and MFA must be enabled where available.

Yes. Bondgate IT is based in Darlington at Newham House, Dudley Road, and we hold Cyber Essentials certification ourselves.

We support businesses across Darlington, Tees Valley, and the wider North East through the full process: gap analysis, remediation, and formal assessment submission.

Call us on 01325 369 950 or use the contact form to start with a no-pressure conversation about where you are and what you need.

Ready to get Cyber Essentials certified in Darlington?

Start with a gap analysis conversation. We will tell you honestly where you are, what needs fixing, and how long it will take, before you commit to anything.

Based in Darlington. Serving the North East and UK since 1998. No pressure, no jargon.