
Failing Before You Bid: How Your Hosting Environment Could Be Silently Blocking UK Public Sector Contracts

The Cabinet Office's requirement for Cyber Essentials certification as a condition of government contract eligibility has been in force since 2014, yet the number of businesses surprised by a failed assessment — or disqualified from a bid they believed they were ready for — remains stubbornly high. The reason, in many cases, has nothing to do with the organisation's own security posture. It lies in the hosting infrastructure underpinning their digital operations.

For UK businesses seeking public sector work, understanding the relationship between hosting configuration and Cyber Essentials compliance is no longer optional. It is a commercial prerequisite.

What Cyber Essentials Actually Assesses

The scheme, administered by the National Cyber Security Centre and delivered through accredited certification bodies, evaluates five technical controls: firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management. On the surface, these appear to be matters of internal IT policy. In practice, each control has direct implications for how an organisation's hosting environment is configured and managed.

The critical issue is scope. Cyber Essentials requires that the assessment covers all devices and services within the applicant's IP boundary — including cloud-hosted and externally managed infrastructure that handles business data or provides services to users. This is where many businesses encounter problems they had not anticipated.

The Shared Hosting Problem

Organisations operating on shared hosting platforms face particular difficulty. When multiple tenants share the same server environment, the boundary between one organisation's infrastructure and another's is, by definition, porous at the hardware level. Whilst virtualisation provides a degree of logical separation, Cyber Essentials assessors will scrutinise whether that separation is sufficient to satisfy the firewall and secure configuration controls.

Shared IP addresses present an additional complication. If your application shares an IP range with other tenants — as is common on entry-level and mid-tier shared hosting plans — demonstrating that your firewall boundary is both defined and under your control becomes considerably more difficult. Assessors are entitled to request evidence of network configuration, and a shared environment in which the hosting provider controls firewall rules at the platform level may not provide the documentation required.

The practical consequence is that businesses operating on shared hosting infrastructure frequently cannot demonstrate control over their own network boundary — a foundational requirement of the scheme.

Managed Service Relationships and Scope Ambiguity

Managed hosting arrangements introduce a further layer of complexity. When a provider manages patching, access controls, and firewall configuration on behalf of a client, the question of who holds responsibility for compliance becomes genuinely ambiguous. Cyber Essentials does not permit an organisation to exclude infrastructure from scope simply because it is managed by a third party. If that infrastructure processes business data or sits within the organisational boundary, it must be assessed.

This creates a specific obligation: businesses must be able to demonstrate, with documentary evidence, that their managed hosting provider applies patch management within the timescales required by the scheme — currently, high-severity patches must be applied within 14 days of release. Many managed hosting contracts do not guarantee this timeline explicitly, and providers operating on scheduled maintenance windows may routinely exceed it.

Organisations that have never asked their hosting provider for written confirmation of patch management timescales are, in effect, carrying an undisclosed compliance risk on every public sector bid they submit.

Cloud Platform Configurations That Trigger Failures

Businesses using public cloud infrastructure — whether AWS, Microsoft Azure, or Google Cloud — are not automatically exempt from these concerns. The shared responsibility model that governs public cloud security places certain controls with the provider and others with the customer. Cyber Essentials assessors evaluate the customer's configuration, not the provider's underlying platform.

Common cloud configuration failures that emerge during Cyber Essentials assessments include: administrative interfaces exposed to the public internet without multi-factor authentication; security groups or network access control lists that permit unrestricted inbound access on sensitive ports; and storage buckets or databases with overly permissive access policies. Each of these represents a configuration decision made within the customer's own account — and each will cause an assessment failure regardless of the provider's own security credentials.
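As an added example (not from the article, and not any provider's tooling), the following audit script checks constructed firewall rules and a storage policy for two of the failure patterns just listed: world-open inbound rules on sensitive ports, and storage policies with a wildcard principal. The rule and policy shapes are assumptions that loosely follow AWS security group and S3 bucket policy JSON.

```python
"""Audit cloud network rules and a storage policy for Cyber Essentials-style
failures. Added example with constructed input; formats are assumptions."""
import ipaddress

# Ports an assessor would expect restricted to known source ranges.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 27017: "MongoDB", 6379: "Redis"}


def _is_world_open(cidr):
    """True when a CIDR admits the entire IPv4 or IPv6 address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses == 2 ** net.max_prefixlen


def audit_ingress_rules(rules):
    """Findings for rules that permit unrestricted inbound access on sensitive
    ports. Rule shape (assumed): {"from_port", "to_port", "cidr"}; -1 = all."""
    findings = []
    for rule in rules:
        if not _is_world_open(rule["cidr"]):
            continue  # restricted to a defined source range: acceptable
        lo, hi = rule["from_port"], rule["to_port"]
        exposed = (list(SENSITIVE_PORTS) if lo < 0
                   else [p for p in SENSITIVE_PORTS if lo <= p <= hi])
        for port in exposed:
            findings.append(f"{SENSITIVE_PORTS[port]} (port {port}) open to {rule['cidr']}")
    return findings


def audit_bucket_policy(policy):
    """Findings for Allow statements granting access to any principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"}):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"public access: {', '.join(actions)} on {stmt.get('Resource')}")
    return findings


# Constructed sample: world-open SSH (fail), world-open HTTPS (acceptable),
# MySQL limited to a private range (acceptable), all traffic from ::/0 (fail).
SAMPLE_RULES = [{"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
                {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
                {"from_port": 3306, "to_port": 3306, "cidr": "10.0.0.0/8"},
                {"from_port": -1, "to_port": -1, "cidr": "::/0"}]
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for finding in audit_ingress_rules(SAMPLE_RULES) + audit_bucket_policy(SAMPLE_POLICY):
        print("FAIL:", finding)
```

Running the script prints one finding for the SSH rule, seven for the all-traffic IPv6 rule, and one for the wildcard-principal policy statement; the HTTPS and private-range MySQL rules produce none.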

The Upcoming Cyber Essentials Refresh

The NCSC periodically updates the Cyber Essentials technical requirements, and the scheme has undergone meaningful revision in recent years. Businesses that achieved certification under an earlier version of the requirements should not assume that their current hosting configuration remains compliant. The 2022 updates introduced more stringent requirements around cloud services and home working environments, and further refinements are anticipated as the threat landscape continues to evolve.

Of particular relevance for hosting-dependent businesses is the increasing scrutiny applied to cloud service configurations and the boundary between organisational and provider responsibility. Businesses whose certification is approaching renewal should conduct a fresh review of their hosting arrangements rather than assuming continuity of compliance.

What to Demand from Your Hosting Provider

For UK businesses pursuing or maintaining Cyber Essentials certification, the following represent minimum requirements to establish with any hosting provider before submitting a public sector bid.

Written confirmation of patch management timescales. Your provider must be able to demonstrate, in writing, that critical patches are applied within 14 days. Verbal assurances are not sufficient for assessment purposes.

Dedicated IP address allocation. Where shared IP addresses would compromise your ability to demonstrate firewall boundary control, dedicated IP allocation is necessary. This is a contractual matter, not a technical one, and should be raised explicitly.

Documented firewall configuration under your control. If your provider manages firewall rules on your behalf, you must have access to those configurations and be able to demonstrate that they meet the scheme's requirements. A provider that cannot or will not provide this documentation is a compliance liability.

Clarity on the scope of managed services. Ensure that your contract specifies precisely which security controls are managed by the provider and which remain your responsibility. Ambiguity in this area is routinely exploited — not by bad actors, but by assessors correctly applying the scheme's scope requirements.

The Commercial Cost of Overlooking This

For businesses that have invested in business development, bid writing, and relationship management with public sector procurement teams, discovering a Cyber Essentials failure at the point of submission is an expensive outcome. Beyond the immediate contract loss, there is reputational damage with procurement contacts who may associate the failure with organisational immaturity rather than a technical hosting oversight.

The solution is not complex, but it requires deliberate action before the bid process begins. Reviewing your hosting environment against Cyber Essentials requirements — and ensuring your provider can support rather than undermine your certification — is among the most commercially significant infrastructure decisions a UK business pursuing public sector work can make.
