Cyber Essentials deadline for criminal law firms: what you need to know before 1 October 2025

22/08/25 Wavenet
Law IT

From 1 October 2025, all criminal law firms in the UK will be required to hold Cyber Essentials certification. This new mandate is part of a broader push to strengthen cyber security within the legal sector and protect sensitive case data from the growing risk of cyber attacks.

If your firm has not yet started preparing, the time to act is now.

Why this matters

Criminal law firms handle highly sensitive information: client data, case files, court evidence, and communications that, if compromised, could have serious legal, reputational, and even personal consequences.

In recent years, the legal sector has become a prime target for cyber criminals, with ransomware, phishing, and data theft increasing in both frequency and sophistication. The introduction of this requirement recognises that cyber resilience is no longer optional, especially for firms working within the criminal justice system.

What is Cyber Essentials?

Cyber Essentials is a government-backed certification developed by the National Cyber Security Centre (NCSC). It sets out a basic but essential set of technical controls to protect organisations from common online threats.

  • Cyber Essentials – a self-assessment covering five key technical controls.
  • Cyber Essentials Plus – an advanced certification that includes an independent technical audit.

What does your firm need to do?

1. Understand the requirements

  • Review the five technical control areas: firewalls, secure configuration, user access control, malware protection, and patch management.
  • Consider whether you need Cyber Essentials or Cyber Essentials Plus, based on the nature of your work and data.

2. Audit your current systems

  • Identify gaps in your cyber defences.
  • A pre-assessment by a certified body can help you understand what’s needed to comply.

3. Implement changes

  • Work with internal IT teams or external consultants to make the necessary changes in infrastructure, processes, and policies.

4. Get certified

  • Once you're confident your systems meet the requirements, apply for certification through a recognised Certification Body.

5. Maintain and review

  • Certification is valid for 12 months. Make sure your defences stay up to date and build cyber security into your ongoing risk management practices.

The consequences of non-compliance

  • Ineligibility for certain legal aid or government-contracted work.
  • Increased scrutiny from regulators.
  • Loss of trust from clients and partners.
  • Higher cyber insurance premiums, or denial of coverage altogether.

Benefits beyond compliance

  • Reduced risk of cyber incidents.
  • Improved client confidence.
  • Demonstrated commitment to data protection.
  • Stronger positioning for tenders and contracts.

Don’t leave it too late

Certification can take time, especially if your systems need significant updates. Starting now ensures you’re not rushing at the last minute or risking non-compliance.

Start your Cyber Essentials journey here.
