Cyber Essentials used to be something a few forward-thinking operators did because their head of IT cared about it. That is no longer the case. Over the last two years it has quietly moved from “nice to have” to “commercial prerequisite” across swathes of UK hospitality, and the April 2026 update to the scheme is a good prompt to sort it out properly rather than scrambling at renewal. If you run a restaurant group, a hotel, or a multi-site hospitality business and you either hold the certification or are being asked for it by a landlord, an insurer or a tender panel, this one is for you.

I am seeing three things push Cyber Essentials up the agenda at the same time. Tender documents - particularly for corporate catering, university contracts, concession sites and public sector work - are now routinely asking for it as a qualifying condition. Cyber insurance renewals are leaning on it as a baseline, and premiums for operators who do not hold it are rising sharply. And supplier due diligence from the big hospitality groups is catching independent operators off guard when they apply to become a concession or a franchisee. None of this was true in 2020. It is all true now.

What Cyber Essentials actually is

Cyber Essentials is the UK government-backed certification scheme that sets a baseline of sensible technical controls every organisation should have in place. It is administered by IASME on behalf of the National Cyber Security Centre (NCSC). There are two levels: Cyber Essentials, which is a self-assessment verified by a certification body, and Cyber Essentials Plus, which adds a hands-on technical audit. Most operators start with the base certification, which is what CloudMatters itself holds.

The point of the scheme is not to turn you into GCHQ. It is to prove that you have done the basics - the controls that would have stopped the large majority of the commodity attacks that actually land on small and mid-sized businesses. That is a low bar in theory and a surprisingly high one in practice, because “the basics” in a restaurant estate involve EPOS terminals, a kitchen full of tablets, staff phones, a back-office PC that has been there since 2018, and a guest Wi-Fi that nobody wants to touch in case it breaks.

The five technical control themes

Cyber Essentials is built around five technical control themes. Here is what each one means in plain English, and where I typically see hospitality operators fall short.

1. Firewalls. Every device that connects to the internet needs to sit behind a properly configured firewall. In a restaurant, that usually means the router in the back office and any firewalls at the edge of each site. The gap I see most is default admin passwords still in place on routers supplied years ago by a broadband provider, and no segmentation between the EPOS network and anything else. If you are running a single flat network and calling it a day, you have a firewalls problem.

2. Secure configuration. Devices and software should be set up to minimise the attack surface - unnecessary user accounts removed, default passwords changed, guest and demo accounts disabled, unused services switched off. The classic hospitality failure here is the back-office PC that was unboxed, plugged in, logged in as a local admin and left exactly as the manufacturer shipped it.

3. User access control. People should only have the access they need to do their job, and admin accounts should be rare, named and protected. In restaurants the pattern is shared manager logins, EPOS admin credentials pinned to the wall, and no process for removing access when someone leaves. This is usually the single biggest weak point in a hospitality estate.

4. Malware protection. Every in-scope device should have working, up-to-date protection against malware, whether that is a reputable endpoint product, application allow-listing, or platform-level protection on managed devices. The gap is often that the protection exists on the back-office PC but not on the tablets, the kitchen displays or the staff laptops that head office uses to run the business.

5. Security update management. Operating systems, firmware and applications need to be patched promptly - the scheme expects high and critical severity fixes applied within defined timeframes. In hospitality, patch cadence is the single most neglected area I see. EPOS hardware is left alone “because the supplier said so”, firmware on access points has not moved in two years, and the back-office PC is on a version of Windows it should have been moved off six months ago.

Those five themes have been the backbone of the scheme since it launched, and they are not going anywhere. What changes between versions of the scheme is how they are interpreted - what counts as in scope, what the specific technical expectations are, and where the bar sits for things like authentication and passwords.

What is new in the April 2026 update

Periodically IASME and the NCSC refresh the scheme - the releases have names such as Willow and Montpellier - to keep it aligned with current threats and current technology. The April 2026 update continues that pattern, and it includes changes operators should understand before their next assessment. Rather than list specifics I am not prepared to stand behind in print, I am going to be straight with you: the April 2026 update includes changes to the scheme’s technical requirements - consult the current IASME requirements document before your assessment, and work through the delta with a certified partner who does this every week.

The reason I am being careful here is that the exact wording of these requirements matters. Getting one phrase slightly wrong in a blog post and having an operator self-assess against it is exactly the sort of thing that causes a failed certification. The sensible move is to download the current requirements document from the IASME website (it is free), read the sections that apply to your environment, and have a conversation with whoever is going to help you certify. If you are working with us, we will walk you through what has changed, what it means for your estate, and what evidence your assessor is going to want to see.

Why hospitality operators specifically should care

Putting the technical detail aside, here is why the certification is worth having for a hospitality business in 2026.

  • Tender eligibility. Increasingly, you simply cannot bid for certain contracts without it. Corporate catering frameworks, university contracts, concession opportunities in venues and transport hubs, and public sector work all now routinely ask for Cyber Essentials as a qualifying condition. No certification, no bid.
  • Insurance. Cyber insurance premiums are climbing, and underwriters are using Cyber Essentials as a cheap, credible signal of baseline hygiene. Holding the certification can shift the numbers on your renewal quote meaningfully, and in some cases it is the difference between being offered cover at all and being declined.
  • Supplier due diligence. If you are a supplier to a larger hospitality group - or a franchisee of one - expect to see Cyber Essentials on the questionnaire. The big groups are pushing compliance down their supply chains because their own auditors are pushing them to.
  • Customer trust. In an industry where card breaches make the local press within 24 hours, being able to say you hold a government-backed certification is worth more than any amount of marketing copy about how much you care about security.
  • Liability reduction. If the worst happens, being able to point to an active, current certification is a very different conversation with your insurer, your acquirer and your regulator than shrugging and saying you tried your best.

A practical preparation checklist

If you are starting cold - or dusting off an old certification that has lapsed - here is the order of operations I would use.

  1. Inventory. List every device in scope: EPOS terminals, back-office PCs, tablets, kitchen displays, staff laptops, staff phones if they access work data, routers, switches, firewalls, access points. If you cannot name it, you cannot certify it.
  2. Patch cadence. Establish, document and enforce a patching routine. Not “when we get round to it” - a defined cadence with evidence.
  3. Endpoint protection. Confirm that every in-scope device has working malware protection, that it is up to date, and that you can prove it.
  4. MFA on admin. Turn on multi-factor authentication for every administrative account - EPOS portals, Microsoft 365, cloud dashboards, finance tools, everything. This is one of the highest-leverage changes you can make.
  5. Firewall configs. Check every firewall and router. Default passwords gone, remote admin interfaces locked down, firmware current, a sensible rule set in place. Proper network design and segmentation pays for itself here.
  6. Access reviews. Get rid of shared logins. Make sure everyone who has access has a named account, and that leavers are removed promptly.
  7. Documentation. Pull together the short policies and records the assessor will want to see. This is usually less work than operators fear and more work than they plan for.
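An added example, not part of the original article and not IASME tooling: a short Python check that runs a device inventory (step 1) against steps 2 to 6 and lists the gaps per device. The column names, sample rows, shared-login name list and the 14-day patch window are all constructed assumptions; take the real timeframes from the current IASME requirements document.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (checklist step 1); column names are assumptions.
SAMPLE_INVENTORY = """\
device,type,last_patched,malware_protection,admin_account,admin_mfa,default_password
epos-01,epos,2026-03-28,yes,j.smith-admin,yes,no
backoffice-pc,pc,2025-09-02,yes,manager,no,no
kitchen-tab-3,tablet,2026-03-30,no,,,no
site-router,router,2024-01-15,n/a,admin,no,yes
"""

# Hypothetical list of generic account names treated as shared logins.
SHARED_NAMES = {"admin", "manager", "epos", "user"}


def find_gaps(inventory_csv, today, max_patch_age_days):
    """Return {device: [gap, ...]} for each device failing a checklist item."""
    gaps = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        found = []
        # Step 2: patch cadence, measured as days since the last recorded update.
        age = (today - date.fromisoformat(row["last_patched"])).days
        if age > max_patch_age_days:
            found.append(f"last patched {age} days ago")
        # Step 3: malware protection ("n/a" marks network kit in this sample).
        if row["malware_protection"] == "no":
            found.append("no malware protection")
        # Steps 4 and 6: admin accounts must be named and protected by MFA.
        account = row["admin_account"]
        if account:
            if account.lower() in SHARED_NAMES:
                found.append(f"shared admin login '{account}'")
            if row["admin_mfa"] != "yes":
                found.append("admin account without MFA")
        # Step 5: default credentials still present on the device.
        if row["default_password"] == "yes":
            found.append("default password in place")
        if found:
            gaps[row["device"]] = found
    return gaps


if __name__ == "__main__":
    # The 14-day window is an assumed value for this sample run.
    report = find_gaps(SAMPLE_INVENTORY, date(2026, 4, 1), max_patch_age_days=14)
    for device, items in report.items():
        print(f"{device}: " + "; ".join(items))
```

The per-device output doubles as a remediation list and, once the gaps are closed, as a dated record for step 7.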

How long it takes

For a hospitality operator starting cold - no previous certification, the usual mix of shared logins and unpatched kit - budget four to eight weeks from the first conversation to a pass. Most of that time is the remediation work, not the paperwork. For an operator who is mostly already in good shape and just needs to complete the self-assessment and close a few gaps, it is more like two to four weeks. In both cases, the biggest variable is how quickly you can get answers from the third parties who sit on your estate - EPOS vendors, installers, telecoms providers. Start those conversations early.

Where CloudMatters fits

CloudMatters is itself Cyber Essentials certified - we hold the base certification, and we go through the process ourselves every year, so we know what it feels like from the inside. We help hospitality IT clients prepare for and achieve the certification as part of our managed service, and we are honest about what is in scope, what needs fixing, and what it will cost. No sales theatre, no scare tactics, just the work.

If your last Cyber Essentials review was a while ago, or a tender or insurer has just asked you for it and you are not sure where to start, talk to our Cyber Essentials team and we will walk you through what the April 2026 update means for your estate and what a sensible path to certification looks like. It is the cheapest insurance policy you can buy against the sort of boring, commodity attack that is putting hospitality operators in the headlines every month.