Does Cyber Essentials cover GDPR?

No - Cyber Essentials does not cover GDPR. Cyber Essentials is a technical cybersecurity baseline; GDPR is a data-protection regulation covering lawful basis, rights, transfers, and accountability. They overlap at the technical-security boundary but neither replaces the other.

Author: Jay Hopkins

Editor: Jack Wickham


No - Cyber Essentials does not cover GDPR. Cyber Essentials is a technical cybersecurity baseline; the UK GDPR (and EU GDPR) is a data-protection regulation covering lawful basis for processing, data-subject rights, international transfers, and organisational accountability. They overlap at the technical-security boundary but neither replaces the other.

Where they overlap

UK GDPR Article 32 requires "appropriate technical and organisational measures" to ensure security of processing. The five Cyber Essentials controls - firewalls, secure configuration, user access, malware protection, and patching - map directly to the ICO's interpretation of Article 32 at the technical-baseline level.

Holding Cyber Essentials is recognised by the ICO as evidence of technical-measures compliance for GDPR purposes. It does not demonstrate compliance with the rest of GDPR.

What GDPR requires that Cyber Essentials does not

  • Lawful basis for processing. Cyber Essentials does not assess whether you have a valid lawful basis.
  • Privacy notices, data-subject rights, and consent management. Out of scope.
  • Records of Processing Activities (RoPA). Out of scope.
  • Data Protection Impact Assessments. Out of scope.
  • International data transfer mechanisms (SCCs, IDTA). Out of scope.
  • Data Protection Officer designation. Out of scope.
  • 72-hour breach notification process. The technical controls help detect a breach but the notification obligation sits with your data-protection governance, not the certificate.

What Cyber Essentials requires that GDPR does not directly require

  • The specific 14-day patching rule for high/critical vulnerabilities.
  • The specific firewall / boundary device configuration rules.
  • The specific MFA requirements on admin accounts.
  • The specific supported-OS rules.

GDPR requires "appropriate" technical measures; Cyber Essentials prescribes the bar the ICO considers appropriate at baseline.

The practical answer for UK SMEs

For most UK SMEs the sensible stack is:

1. Cyber Essentials - technical baseline. Signals GDPR Article 32 compliance.

2. A published privacy notice, a documented lawful basis, a RoPA, a breach-response plan - organisational GDPR measures.

3. Optional higher tiers - IASME Cyber Assurance Level 2 or ISO 27001 where contractual or regulatory expectation requires a broader ISMS.

Cyber Essentials is a cornerstone of GDPR technical compliance, not a substitute for GDPR itself.

Bottom line

Cyber Essentials does not cover GDPR, but it is the technical baseline the ICO recognises under Article 32. For UK SMEs, holding both a current CE certificate and a basic GDPR compliance programme (privacy notice, RoPA, breach-response plan) is the minimum credible data-protection posture.

Certify in 6 working hours with Fig Group from £299.99 + VAT.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
