What Cyber Essentials Really Costs in 2026
The headline certification fee is the easy part. Here is the honest, all-in picture of what Cyber Essentials actually costs a UK small business in 2026 — fee, time and all.
The short version
- The fee is the small bit: The IASME certification fee for basic Cyber Essentials sits in the region of £320–£600 plus VAT, rising with the size of your organisation.
- The real cost is time: The cost nobody quotes is the team time to get the controls genuinely in place — for an unprepared SME, that is typically two to six weeks of focused work spread across people.
- Plus costs more for a reason: Cyber Essentials Plus adds hands-on technical testing and typically runs around £1,500–£3,000 or more plus VAT, depending on how many devices and locations are in scope.
- Honesty up front saves money: The biggest cost overrun is discovering gaps mid-assessment. Knowing your real starting position before you pay is what keeps the bill predictable.
If you have been quoted a tidy figure for Cyber Essentials and something felt off about it, your instinct is right. The headline certification fee is real, but it is only part of the story. A thin quote that stops there is setting you up for a surprise. This guide gives you the honest cyber essentials cost picture for a UK SME in 2026: the fee, the part nobody quotes, and what actually moves the number.
The short version: the fee is the predictable bit. The cost that varies, sometimes wildly, is the time it takes to get the controls genuinely in place. Let’s break it down properly.
What you actually pay: the IASME fee bands by organisation size
The IASME certification fee for basic Cyber Essentials is broadly in the £320–£600 plus VAT range, banded by the size of your organisation: smaller organisations pay less, larger ones more.
Cyber Essentials is run on behalf of the NCSC (the National Cyber Security Centre, the UK government’s technical authority on cyber security) by IASME, the body that licenses assessors and sets the fee. In 2025 IASME moved to size-based pricing, and those bands carry into 2026. The exact figure depends on how many people are in your organisation: a micro business at the smallest band, then small, medium and large, with the fee stepping up at each level.
We have deliberately given you a range rather than a single number for your band. Published figures vary slightly between sources, and the band you fall into depends on your headcount. So treat the £320–£600 plus VAT range as the ballpark, and confirm your exact band fee with an IASME-licensed assessor before you budget to the pound. What that fee buys is the assessment: typically a year of access to the self-assessment, the assessor’s review, and the certificate itself.
What the fee includes, and what it doesn't
The certification fee covers the assessment and the certificate. It does not include the work to close any gaps the assessment finds, nor any tooling you need to add. Those are separate costs, and usually larger ones. A quote that only mentions the fee is quoting you the cheapest line on the invoice.
For a fuller picture of what the certification involves before you weigh the cost, our plain-English guide to Cyber Essentials walks through the five control areas and who actually needs it.
The cost nobody quotes: the team time to implement the controls
The real cost of Cyber Essentials is not the fee. It is the internal time to get the five controls genuinely in place, which for an unprepared SME is typically two to six weeks of focused work spread across your team.
This is the line that almost never appears on a quote, and it is usually the biggest one. Cyber Essentials checks five control areas: firewalls, secure configuration, user access control, malware protection, and keeping software up to date. For most SMEs, these aren’t completely absent — they are partly in place, inconsistently applied, or simply never documented. The work is closing those gaps and being able to show it.
Some of that work is genuinely quick. Tidying default settings on a device, or confirming malware protection is switched on, can be a short job once you know what to check. But other parts take real, named effort:
- Rolling out MFA (multi-factor authentication, a second login step beyond a password) across every cloud service and email account. Under the current v3.3 requirements MFA must be enabled for all cloud services where it is available, so it cannot be skipped.
- Patch management: making sure every device and application is kept up to date, with critical and high-severity updates applied within 14 days of release. This sounds simple and routinely catches teams out, because it needs a named owner, not good intentions.
- User access control: checking who has access to what, removing old accounts, and reining in administrator privileges handed out too freely.
“The fee buys you the assessment. The two-to-six weeks buys you the thing the assessment is checking for, and that second part is where the real cost, and the real value, lives.”
None of these is a click. Be honest with yourself about how close you already are: a business that already runs MFA and patches promptly might prepare in days, while one starting further back should budget weeks of part-time effort across several people. That time has a cost. Your team’s hours are not free, and pretending otherwise is exactly how the “tidy quote” goes wrong.
Cyber Essentials vs Cyber Essentials Plus — the cost difference
Basic Cyber Essentials is a self-assessment fee of a few hundred pounds. Cyber Essentials Plus adds independent technical testing and typically runs around £1,500–£3,000 or more plus VAT.
Both certifications cover the same five controls. The difference is who checks your work, and that difference is the whole reason for the price gap.
With basic Cyber Essentials, you complete a self-assessment questionnaire across the five control families, and an IASME-licensed assessor reviews and marks your answers. The cost is the certification fee in that £320–£600 plus VAT band, plus your own time.
With Cyber Essentials Plus, an assessor independently verifies your controls with hands-on technical testing on a sample of your devices. Someone actually checks that what you declared is true. That assessor time is real work, which is why Plus moves from hundreds of pounds into the £1,500–£3,000-plus range. You normally need a valid basic certification first, so think of Plus as an additional cost layered on top, not an alternative to it.
Which one you need depends on who is asking. If you want to understand which level a given contract or insurer actually requires before committing the budget, our Cyber Essentials vs Cyber Essentials Plus comparison breaks down the practical difference.
Why CE Plus quotes vary so much (around £1,500–£3,000+)
Cyber Essentials Plus is priced largely on how much there is to test, so device count, number of locations, operating-system mix and cloud complexity all move the quote.
If you ask three assessors for a CE Plus quote and get three very different numbers, that is normal, and it is not them being cagey. Plus pricing tracks the amount of hands-on testing required, and that scales with your environment:
- Number of devices in scope. The assessor tests a representative sample, and more devices generally means a bigger sample and more time.
- Number of locations. A single office is simpler than several sites, each of which may add testing effort.
- Mix of systems. A team all on one operating system is quicker to test than a mix of Windows, macOS and mobile platforms.
- Cloud complexity. More cloud services, more integrations and more bespoke configuration all add to what has to be verified.
A small, single-site team on a tidy, consistent setup will sit near the bottom of that range. A larger organisation spread across locations with a varied technical estate sits higher. The single most useful thing you can do is ask the assessor to confirm exactly what is in scope before you accept any figure. A quote without a defined scope is a guess, and scope is precisely what drives the price.
Before you collect quotes
Know your own numbers first: how many devices, how many people, how many locations, which operating systems, which cloud services. Walking into the conversation with that list lets assessors quote accurately, and lets you compare like with like instead of comparing one assessor's assumptions against another's.
Is it worth it? The contract and insurance return, framed honestly
For many SMEs the certification pays back through contracts won and insurance terms, but the honest return is the security you build getting there, which protects you whether or not a deal ever rides on it.
Let’s be straight about the upside without overselling it. Cyber Essentials is a requirement for many UK central government contracts and is increasingly expected by enterprise clients, procurement teams and insurers across both public and private sectors. For a business that wants that work, the fee and the time are a route to deals that would otherwise be closed off, and the maths there is usually easy. Many cyber insurers also look favourably on certification, though the precise effect on your premium varies by insurer and circumstance. Treat it as a likely benefit to confirm with your broker, not a guaranteed discount.
But the deeper return is one that does not show up on an invoice. The two-to-six weeks of work you put in to certify, getting MFA everywhere, patching reliably, tightening access, is the difference between saying you are secure and being secure. The certificate proves the first to a client. The work delivers the second to your actual business, which is what matters when an incident happens or an insurer scrutinises a claim. As we cover in why your security posture is a sales asset, the controls you build don’t just win the contract in front of you. They make every future questionnaire and certification faster, because the evidence already exists.
That is the honest answer to “is it worth it?”: for most SMEs facing real client or contractual pressure, yes, provided you go in with a clear-eyed view of the total cost, not just the headline fee.
SecurSentry is launching soon to help UK SMEs work through Cyber Essentials: understanding exactly what your business needs, where your real gaps are, and what it will genuinely take to close them, so there are no surprises on the invoice. Join the waitlist to be among the first to know when we open.
This article is for general information only and does not constitute legal or compliance advice. Fees, bands and requirements change and vary by organisation and assessor; always confirm current figures with an IASME-licensed assessor, and where in doubt consult a qualified professional.