Cyber Essentials is a self-assessment — you answer a questionnaire, an assessor marks it, you get certified. Cyber Essentials Plus adds a hands-on technical audit of a sample of your devices and Microsoft 365 tenant. CE costs £320–£600+VAT; CE+ runs £1,400–£3,000. Most SMEs start with CE. You move to Plus when insurers, clients or public-sector tenders ask.
What the two schemes actually are
Cyber Essentials is the UK's baseline security certification. It's backed by the National Cyber Security Centre and delivered through IASME and its accredited certification bodies. Both tiers measure the same five technical controls — firewalls, secure configuration, user-access control, malware protection, and security update management — but they verify compliance very differently.
Cyber Essentials (basic) is a self-assessment: you complete a structured questionnaire, a qualified assessor at the certification body reviews your answers, and a certificate is issued. Cyber Essentials Plus starts from a passed questionnaire (the Plus audit has to be completed within three months of the basic certificate) and adds a practical audit: an assessor connects to a sample of your devices, runs vulnerability scans, tests malware and phishing-attachment handling, and verifies the configuration of your Microsoft 365 tenant.
What it costs in 2026
Pricing is banded by organisation size. For basic Cyber Essentials:
- Micro (0–9 employees): from £320+VAT
- Small (10–49): around £400+VAT
- Medium (50–249): around £500+VAT
- Large (250+): from £600+VAT
Cyber Essentials Plus depends on device count, sites and cloud complexity:
- Micro: £1,400–£1,800 typical
- Small: £1,800–£2,400
- Medium: £2,400–£3,000+
Both certifications last 12 months. UK-domiciled organisations with turnover under £20m that certify their whole organisation get bundled cyber liability insurance with the basic certificate (it comes with Cyber Essentials itself, not with the Plus audit), which is worth factoring in when comparing totals.
The v3.3 "Danzell" changes from 27 April 2026
The requirement set updated on 27 April 2026 to version 3.3, codenamed Danzell. Two changes matter most to small businesses:
- MFA is no longer optional. If a cloud service you use offers multi-factor authentication and you haven't switched it on, you automatically fail — even if you never planned to scope that service in.
- Passwordless authentication (passkeys, Windows Hello, authenticator-only flows) is now formally recognised, so you can skip traditional passwords where the platform supports it.
If you last certified before the update, your renewal will be judged against the new rules. The official details sit on the NCSC Cyber Essentials overview.
Effort: the real gap between CE and CE+
Most small businesses can complete basic Cyber Essentials in two to four weeks if they're already running Microsoft 365 sensibly. The work is mostly admin: confirming firewalls, enforcing MFA on every cloud service, separating admin accounts from day-to-day user accounts, enabling automatic updates and making sure nothing's running an unsupported operating system.
Cyber Essentials Plus requires the same foundations plus a real technical audit. An assessor samples about 10% of your devices (minimum 3), scans them for missing patches and risky configuration, verifies malware detection, sends test phishing attachments, and checks Microsoft 365 admin setup. Anything they find that would have failed the questionnaire becomes a remediation item: fix it within the remediation window and the assessor retests those items; miss the window and the assessment fails, and you start again.
Our cyber security team runs clients through both tiers and handles the readiness work — MFA rollout, Defender for Business deployment, Intune policy, admin separation — before the assessor turns up. There are no tricks, just less stress on the day.
Which one do you actually need?
A practical rule of thumb:
- Start with Cyber Essentials if you've never certified, your insurer hasn't asked for Plus specifically, and your clients don't sit in central government.
- Go to Cyber Essentials Plus when an insurer, a client procurement form, or a tender explicitly requires it — or when you need a stronger differentiator on proposals. Plus is common in healthcare supply, legal services handling sensitive data, and any central-government work.
- Consider ISO 27001 only when turnover is well into seven figures, you handle data for enterprise buyers, or you're preparing for acquisition. For most SMEs it's overkill; CE+ is the sweet spot.
How to get ready
The checklist that stops 90% of failures:
- MFA on every cloud service that offers it — Microsoft 365, Google, Xero, Sage, your CRM, your VPN.
- No unsupported operating systems. Windows 10 went end-of-life on 14 October 2025; paid Extended Security Updates buy one further year for consumers (to October 2026) and up to three for organisations, but only devices actually enrolled and receiving updates count. Everything else needs upgrading, replacing or moving out of scope.
- Admin accounts separate from daily-use accounts.
- Endpoint protection deployed and reporting — Defender for Business counts.
- Automatic updates enabled for OS and third-party apps, so that critical and high-severity patches land within the 14 days the scheme allows.
- A written firewall or router configuration standard.
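A quick way to see where a single Windows device stands against that checklist before the assessor arrives. This is an added example, not code from the original page and not IASME's CE+ test tooling: a read-only PowerShell spot-check using only built-in cmdlets (NetSecurity, Defender, LocalAccounts, CIM) plus one optional Microsoft Graph call for the tenant-wide MFA bullet. The function names, the thresholds held in variables at the top, and the Graph scopes are assumptions; ESU enrolment and third-party application patching are not detected here and still need evidencing separately.

```powershell
#Requires -Version 5.1
# Added example, not part of the original page and not IASME's CE+ test tooling.
# Read-only readiness spot-check for one Windows endpoint against the checklist above,
# using only built-in cmdlets. Thresholds are assumptions held in variables; adjust them
# to the requirement set you are certifying against.

$PatchWindowDays     = 14                       # CE: critical/high patches within 14 days
$SignatureMaxAgeDays = 3                        # assumed: older Defender definitions are suspect
$Win10EndOfSupport   = [datetime]'2025-10-14'   # date quoted in the checklist above

function New-CeResult($Control, $Pass, $Detail) {
    [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

function Test-CeFirewall {
    # Control: firewall. Every profile (Domain, Private, Public) must be enabled.
    $off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
    $detail = if ($off.Count) { "Disabled profiles: $($off.Name -join ', ')" } else { 'All profiles enabled' }
    New-CeResult 'Firewall' ($off.Count -eq 0) $detail
}

function Test-CeMalwareProtection {
    # Control: malware protection. Defender real-time scanning on, definitions current.
    $mp = Get-MpComputerStatus
    $pass = [bool]$mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $SignatureMaxAgeDays)
    New-CeResult 'Malware protection' $pass "RealTime=$($mp.RealTimeProtectionEnabled); SignatureAge=$($mp.AntivirusSignatureAge)d; Mode=$($mp.AMRunningMode)"
}

function Test-CePatching {
    # Control: security update management. Get-HotFix only sees Windows updates;
    # third-party application patching has to be checked in Intune or your RMM.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return New-CeResult 'Patching' $false 'No hotfix install dates recorded' }
    $ageDays = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    New-CeResult 'Patching' ($ageDays -le $PatchWindowDays) "Last update $($latest.HotFixID) installed $ageDays day(s) ago"
}

function Test-CeSupportedOs {
    # Control: no unsupported OS. Flags Windows 10 after end of support; ESU enrolment is
    # not detected here and must be evidenced separately.
    $os = Get-CimInstance Win32_OperatingSystem
    $unsupported = ($os.Caption -match 'Windows 10') -and ((Get-Date) -ge $Win10EndOfSupport)
    $detail = "$($os.Caption) build $($os.BuildNumber)"
    if ($unsupported) { $detail += "; Windows 10 left support on $($Win10EndOfSupport.ToShortDateString()) unless enrolled in ESU" }
    New-CeResult 'Supported OS' (-not $unsupported) $detail
}

function Test-CeAdminSeparation {
    # Control: user access control. The account doing day-to-day work should not be a local admin.
    # Member names look like HOST\user or DOMAIN\user; Entra-joined accounts appear as AzureAD\upn.
    try {
        $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
        $me = "$env:USERDOMAIN\$env:USERNAME"
        $isAdmin = $members.Name -contains $me
        $verb = if ($isAdmin) { 'is' } else { 'is not' }
        New-CeResult 'Admin separation' (-not $isAdmin) "Current user $me $verb in local Administrators"
    } catch {
        New-CeResult 'Admin separation' $null "Could not read Administrators group: $($_.Exception.Message)"
    }
}

function Get-CeReadinessReport {
    # One row per control; Pass is $true, $false, or $null when the check could not run.
    Test-CeFirewall
    Test-CeMalwareProtection
    Test-CePatching
    Test-CeSupportedOs
    Test-CeAdminSeparation
}

function Get-CeUnregisteredMfaUsers {
    # Tenant-side check for the MFA bullet (assumption: Microsoft.Graph.Reports module installed
    # and admin consent granted for the two scopes). Lists users with no MFA method registered.
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' | Out-Null
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object UserPrincipalName, IsAdmin, IsMfaCapable
}

$report = Get-CeReadinessReport
$report | Format-Table Control, Pass, Detail -AutoSize
if ($report | Where-Object { $_.Pass -eq $false }) {
    Write-Warning 'One or more Cyber Essentials controls need remediation on this device.'
}
```

Run it as the user who normally works on the machine, not from an elevated admin session, or the admin-separation row tells you nothing useful. Get-CeUnregisteredMfaUsers is deliberately not called at the bottom because it prompts for an interactive sign-in; run it once per tenant and treat every row it returns as a blocker, since the v3.3 rules above treat unenforced MFA as an automatic fail.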
Our sector-specific work with accountants and solicitors usually starts with CE because their professional bodies now assume it. Full walk-through in how to get Cyber Essentials certified.
FAQs
What's the main difference between Cyber Essentials and Plus?
Cyber Essentials is a self-assessment against five technical controls, marked by an IASME-appointed assessor. Cyber Essentials Plus adds a hands-on technical audit — a real person checks a sample of your devices and your Microsoft 365 tenant.
How much do CE and CE+ cost?
Cyber Essentials runs from £320+VAT for micro businesses up to around £600+VAT for larger SMEs. Cyber Essentials Plus typically lands between £1,400 and £3,000 depending on size, device spread and cloud complexity.
Do I need CE+ to work with the public sector?
Some central-government contracts require Cyber Essentials Plus above certain thresholds, particularly where personal data is processed. For most SME suppliers, basic Cyber Essentials is the floor and CE+ is a differentiator on bids.
How long does CE+ take?
The assessment itself is usually one day, onsite or remote. Preparation — fixing MFA, patching, admin separation — typically takes two to six weeks for a small business that isn't starting from zero.
Does Cyber Essentials expire?
Yes. Both tiers last 12 months from the date of certification. Most SMEs renew around the same time each year, so budget and diary it.
