TL;DR

Cyber Essentials certification fees in 2026 start at £320+VAT for a micro-organisation (0–9 employees) and scale to £600+VAT for 250+ employees. Cyber Essentials Plus, which adds a hands-on technical audit, typically costs £1,400–£3,000 for a small business. Add preparation time or MSP support (£500–£2,500) and you have the real total. IASME-certified orgs under £20m turnover get bundled cyber liability insurance at no extra cost.

The headline certification fees

Cyber Essentials is run by IASME on behalf of the NCSC. Fees are tiered by employee count and are the same at every accredited certification body — only the delivery experience varies.

  • Micro (0–9 employees): £320+VAT
  • Small (10–49 employees): £400+VAT
  • Medium (50–249 employees): £450+VAT
  • Large (250+ employees): £600+VAT

That fee covers the online self-assessment platform, one marking pass by a qualified assessor, and — if you pass — the certificate and badge for 12 months. You also get the IASME-bundled cyber liability insurance if your UK turnover is under £20m and your head office is in the UK.

Cyber Essentials Plus — the bigger number

Cyber Essentials Plus adds an external technical audit on top of the self-assessment. An IASME-approved assessor samples your endpoints, runs vulnerability scans, tests your email filtering and checks your Microsoft 365 configuration. That day-rate work is what pushes the price up.

For a typical small business (10–30 users, one office, Microsoft 365), expect £1,400–£3,000 all in. Multi-site organisations or firms with lots of BYOD devices can run £4,000+. The audit itself is usually half a day remote plus a short on-site visit, but the price reflects the assessor's accreditation and insurance, not just the hours.

The v3.3 Danzell changes and what they cost you

The current NCSC Cyber Essentials requirements moved to v3.3 "Danzell" on 27 April 2026. The biggest change has a cost tail: if a cloud service you use offers multi-factor authentication and you haven't turned it on, you automatically fail. That includes Microsoft 365, Google Workspace, Xero, QuickBooks, Dropbox and anything else with a login page.

For most SMEs this is a configuration exercise rather than a licensing one — MFA is included in Microsoft 365 Business Basic and above. But if you're on standalone Exchange Online, you may need to step up to Microsoft 365 Business Premium to get Conditional Access and proper device policies. That adds roughly £15/user/month to your licensing bill, but it removes three other Cyber Essentials headaches at once.

The preparation cost nobody quotes

The certification fee is the cheap part. The expensive part is getting your environment ready to pass. For a firm that has never certified before, budget one of these:

  • Do it yourself: 20–40 hours of internal time. Free in cash, painful in practice.
  • MSP-supported: £500–£1,500 for a gap assessment and remediation plan.
  • Full managed: £1,500–£2,500 if you want an MSP to do the work end to end, including evidence gathering.

Common remediation items include switching on MFA, replacing unsupported Windows 10 devices, rolling out Intune or similar for device policy, tightening firewall rules, and documenting your asset list. None of this is hard, but it adds up if you're doing it for the first time under a renewal deadline.

Is Cyber Essentials Plus worth the extra?

Cyber Essentials is self-assessed — you fill in the form, they mark it. Cyber Essentials Plus is verified — they prove the answers are true. For most SMEs the basic scheme is enough. You need Plus if:

  • You sell into central government or the NHS
  • A prime contractor you supply demands it in their ITT
  • Your cyber insurer gives you a meaningful premium discount for it
  • You handle sensitive client data and want a stronger signal than self-assessment

For an accountancy practice, solicitor's office or healthcare clinic, Plus often pays for itself via one public-sector win or one insurance renewal. If none of those apply, the basic certification is the right stop.

Annual renewal, not a one-off

Certification lasts 12 months. You renew every year by redoing the self-assessment — and, for Plus, the technical audit. The good news: year two is cheaper in effort because the groundwork is already done. The bad news: it's a budget line forever. Build it into your annual cyber security spend, not a one-off capex.

How Syntek helps

We run a fixed-fee Cyber Essentials readiness engagement for West Sussex SMEs: gap assessment, remediation, evidence pack and submission support. For most 10–30 user businesses it's done in 3–4 weeks. We don't award the certificate ourselves — that's IASME's job — but we take you from "we should probably do that" to "we passed" without drama. Book a readiness call or call us on .

FAQ

What is the cheapest Cyber Essentials certification?

The micro-organisation tier (0–9 employees) is the cheapest at £320+VAT via an IASME-accredited certification body. The fee is the same at every assessor — only the support wrapped around it varies.

Is Cyber Essentials Plus worth the extra cost?

If your clients, insurers or public-sector contracts demand it, yes. The hands-on audit typically runs £1,400–£3,000 for a small business. For firms with no contractual requirement, basic Cyber Essentials is usually enough.

Does Cyber Essentials include cyber insurance?

IASME-certified organisations with UK turnover under £20m and a UK head office get bundled cyber liability insurance included at no extra cost. The cover is basic but useful as a first-loss layer.

How often do I need to renew Cyber Essentials?

Annually. The certification lapses 12 months after issue and you restart the self-assessment (and the technical audit for Plus) each year.
