SecurSentry
← All notes
Cyber Essentials

What Cyber Essentials Really Costs in 2026

The headline certification fee is the easy part. Here is the honest, all-in picture of what Cyber Essentials actually costs a UK small business in 2026 — fee, time and all.

The short version

If you have been quoted a tidy figure for Cyber Essentials and something felt off about it, your instinct is right. The headline certification fee is real, but it is only part of the story. A thin quote that stops there is setting you up for a surprise. This guide gives you the honest cyber essentials cost picture for a UK SME in 2026: the fee, the part nobody quotes, and what actually moves the number.

The short version: the fee is the predictable bit. The cost that varies, sometimes wildly, is the time it takes to get the controls genuinely in place. Let’s break it down properly.

What you actually pay: the IASME fee bands by organisation size

The IASME certification fee for basic Cyber Essentials is broadly in the £320–£600 plus VAT range, banded by the size of your organisation: smaller organisations pay less, larger ones more.

Cyber Essentials is run on behalf of the NCSC (the National Cyber Security Centre, the UK government’s technical authority on cyber security) by IASME, the body that licenses assessors and sets the fee. In 2025 IASME moved to size-based pricing, and those bands carry into 2026. The exact figure depends on how many people are in your organisation: a micro business at the smallest band, then small, medium and large, with the fee stepping up at each level.

We have deliberately given you a range rather than a single number for your band. Published figures vary slightly between sources, and the band you fall into depends on your headcount. So treat the £320–£600 plus VAT range as the ballpark, and confirm your exact band fee with an IASME-licensed assessor before you budget to the pound. What that fee buys is the assessment: typically a year of access to the self-assessment, the assessor’s review, and the certificate itself.

What the fee includes, and what it doesn't

The certification fee covers the assessment and the certificate. It does not include the work to close any gaps the assessment finds, nor any tooling you need to add. Those are separate costs, and usually larger ones. A quote that only mentions the fee is quoting you the cheapest line on the invoice.

For a fuller picture of what the certification involves before you weigh the cost, our plain-English guide to Cyber Essentials walks through the five control areas and who actually needs it.

The cost nobody quotes: the team time to implement the controls

The real cost of Cyber Essentials is not the fee. It is the internal time to get the five controls genuinely in place, which for an unprepared SME is typically two to six weeks of focused work spread across your team.

This is the line that almost never appears on a quote, and it is usually the biggest one. Cyber Essentials checks five control areas: firewalls, secure configuration, user access control, malware protection, and keeping software up to date. For most SMEs, these aren’t completely absent — they are partly in place, inconsistently applied, or simply never documented. The work is closing those gaps and being able to show it.

Some of that work is genuinely quick. Tidying default settings on a device, or confirming malware protection is switched on, can be a short job once you know what to check. But other parts take real, named effort:

“The fee buys you the assessment. The two-to-six weeks buys you the thing the assessment is checking for, and that second part is where the real cost, and the real value, lives.”

None of these is a click. Be honest with yourself about how close you already are: a business that already runs MFA and patches promptly might prepare in days, while one starting further back should budget weeks of part-time effort across several people. That time has a cost. Your team’s hours are not free, and pretending otherwise is exactly how the “tidy quote” goes wrong.

Cyber Essentials vs Cyber Essentials Plus — the cost difference

Basic Cyber Essentials is a self-assessment fee of a few hundred pounds. Cyber Essentials Plus adds independent technical testing and typically runs around £1,500–£3,000 or more plus VAT.

Both certifications cover the same five controls. The difference is who checks your work, and that difference is the whole reason for the price gap.

With basic Cyber Essentials, you complete a self-assessment questionnaire across the five control families, and an IASME-licensed assessor reviews and marks your answers. The cost is the certification fee in that £320–£600 plus VAT band, plus your own time.

With Cyber Essentials Plus, an assessor independently verifies your controls with hands-on technical testing on a sample of your devices. Someone actually checks that what you declared is true. That assessor time is real work, which is why Plus moves from hundreds of pounds into the £1,500–£3,000-plus range. You normally need a valid basic certification first, so think of Plus as an additional cost layered on top, not an alternative to it.

Which one you need depends on who is asking. If you want to understand which level a given contract or insurer actually requires before committing the budget, our Cyber Essentials vs Cyber Essentials Plus comparison breaks down the practical difference.

Why CE Plus quotes vary so much (around £1,500–£3,000+)

Cyber Essentials Plus is priced largely on how much there is to test, so device count, number of locations, operating-system mix and cloud complexity all move the quote.

If you ask three assessors for a CE Plus quote and get three very different numbers, that is normal, and it is not them being cagey. Plus pricing tracks the amount of hands-on testing required, and that scales with your environment:

A small, single-site team on a tidy, consistent setup will sit near the bottom of that range. A larger organisation spread across locations with a varied technical estate sits higher. The single most useful thing you can do is ask the assessor to confirm exactly what is in scope before you accept any figure. A quote without a defined scope is a guess, and scope is precisely what drives the price.

Before you collect quotes

Know your own numbers first: how many devices, how many people, how many locations, which operating systems, which cloud services. Walking into the conversation with that list lets assessors quote accurately, and lets you compare like with like instead of comparing one assessor's assumptions against another's.

Is it worth it? The contract and insurance return, framed honestly

For many SMEs the certification pays back through contracts won and insurance terms, but the honest return is the security you build getting there, which protects you whether or not a deal ever rides on it.

Let’s be straight about the upside without overselling it. Cyber Essentials is a requirement for many UK central government contracts and is increasingly expected by enterprise clients, procurement teams and insurers across both public and private sectors. For a business that wants that work, the fee and the time are a route to deals that would otherwise be closed off, and the maths there is usually easy. Many cyber insurers also look favourably on certification, though the precise effect on your premium varies by insurer and circumstance. Treat it as a likely benefit to confirm with your broker, not a guaranteed discount.

But the deeper return is one that does not show up on an invoice. The two-to-six weeks of work you put in to certify, getting MFA everywhere, patching reliably, tightening access, is the difference between saying you are secure and being secure. The certificate proves the first to a client. The work delivers the second to your actual business, which is what matters when an incident happens or an insurer scrutinises a claim. As we cover in why your security posture is a sales asset, the controls you build don’t just win the contract in front of you. They make every future questionnaire and certification faster, because the evidence already exists.

That is the honest answer to “is it worth it?”: for most SMEs facing real client or contractual pressure, yes, provided you go in with a clear-eyed view of the total cost, not just the headline fee.


SecurSentry is launching soon to help UK SMEs work through Cyber Essentials: understanding exactly what your business needs, where your real gaps are, and what it will genuinely take to close them, so there are no surprises on the invoice. Join the waitlist to be among the first to know when we open.

This article is for general information only and does not constitute legal or compliance advice. Fees, bands and requirements change and vary by organisation and assessor; always confirm current figures with an IASME-licensed assessor, and where in doubt consult a qualified professional.

Frequently asked questions

How much does Cyber Essentials cost in the UK in 2026?

The IASME certification fee for basic Cyber Essentials is broadly in the £320–£600 plus VAT range, banded by organisation size — smaller organisations pay less, larger ones more. That fee covers the assessment itself. The larger and less predictable cost is the internal time needed to put any missing controls in place, which for an unprepared SME is typically two to six weeks of focused work.

Why is Cyber Essentials Plus so much more expensive than basic Cyber Essentials?

Basic Cyber Essentials is a self-assessment questionnaire that an IASME-licensed assessor reviews. Cyber Essentials Plus adds independent, hands-on technical testing — an assessor actually verifies your controls on a sample of your devices. That testing takes assessor time, which is why Plus typically runs around £1,500–£3,000 or more plus VAT rather than a few hundred pounds.

What makes Cyber Essentials Plus quotes vary so much?

Plus is priced largely on the size and complexity of what has to be tested. More devices, more locations, a mix of operating systems, and a more complex cloud setup all add assessor time and push the quote up. A small single-site team will sit near the bottom of the range; a larger or more spread-out organisation sits higher. Always get the assessor to confirm what is in scope before accepting a figure.

Is the certification fee the only cost of Cyber Essentials?

No — and this is the most common surprise. The certification fee is only one line. You also need to budget for the staff time to implement and document controls you do not yet have, any tooling you need to add, and renewal each year. The honest total cost depends far more on how close your starting position is than on the fee itself.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.