If you run a UK firm with between 5 and 250 staff, Cyber Essentials has probably landed on your desk for one of two reasons: a client contract or public sector tender now demands it, or your cyber insurance renewal form is asking whether you hold it. The certification itself is not expensive. The figure most people quote, the IASME assessment fee, sits between £300 and £500 plus VAT depending on your headcount. But the fee is the small part. The real cost is the work you do to pass, and from 27 April 2026 the bar for passing went up.
What Cyber Essentials costs in the UK in 2026
Cyber Essentials is the UK government’s baseline security standard, developed by the National Cyber Security Centre (NCSC) and delivered on its behalf by IASME, which licenses a network of certification bodies to run assessments. Because IASME sets the assessment fee centrally, the price for the basic self-assessment is the same wherever you buy it, banded by company size.
For 2026 the IASME assessment fees for basic Cyber Essentials are:
- Micro (0 to 9 staff): around £300 to £330 + VAT
- Small (10 to 49 staff): £400 + VAT
- Medium (50 to 249 staff): £450 + VAT
- Large (250+ staff): £500 + VAT
Those fees cover the online assessment portal, the questionnaire, an assessor review, and your certificate and badge if you pass. For most firms in the 5 to 250 range, that is £400 to £450 plus VAT for the assessment itself.
One bonus is tucked into that fee. UK-domiciled organisations with turnover under £20m that certify their whole organisation can opt in to free cyber liability insurance with a £25,000 limit of indemnity, underwritten by AIG and administered through Sutcliffe and Co. It is not a substitute for a standalone policy, but it is a useful safety net with a 24-hour incident response line at no extra charge. We explain how this sits alongside a commercial policy in our guide to cyber liability insurance for UK SMEs.
Cyber Essentials Plus costs more, and it is quoted, not fixed
Cyber Essentials Plus is the audited version. Instead of you answering questions about your own setup, a qualified assessor tests your devices and cloud services directly. Because that takes assessor time, IASME does not fix the price. Each certification body quotes its own fee based on how many devices you run and how complex your network is.
Most UK SMEs pay between £1,500 and £3,000 plus VAT for Cyber Essentials Plus, and larger or more complex estates can run higher. You also need the basic certification first, so the Plus cost sits on top of the assessment fee, not instead of it.
The hidden cost is the remediation, not the certificate
Here is where budgeting goes wrong. The IASME fee tells you nothing about what you spend getting your systems into a state that passes. If you have never enforced MFA across every cloud app, if half your laptops run consumer antivirus, or if your patching is whenever someone gets round to it, fixing those things is the real number.
A realistic first-year total for a typical 25-person business, once you add MFA tooling, endpoint protection licences, any gap-analysis consultancy and staff time, often lands between roughly £1,800 and £3,500. None of that is a Cyber Essentials charge. It is the cost of meeting a standard you should have been meeting anyway.
What changed on 27 April 2026
The 2026 revision is the biggest in a while, because it adds automatic failure conditions where there used to be wiggle room.
IASME published a new self-assessment question set called Danzell on 13 February 2026. It applies to any assessment account created on or after 27 April 2026, under version 3.3 of the Requirements for IT Infrastructure. The previous question set, Willow (version 3.2), still applies to accounts created before that date, with a grace period to complete: until 27 October 2026 for basic Cyber Essentials and 27 January 2027 for Cyber Essentials Plus.
The date your account is created decides which rules you are assessed against, not the date you finish. If your setup is borderline on the new requirements, creating your account before 27 April 2026 buys you months under the older Willow rules.
The new MFA rule, and why it bites
Under the old scheme, failing to turn on multi-factor authentication counted against you, but you could still scrape a pass. That is gone. Under Danzell, MFA is mandatory on every cloud service that offers it, for all users, with no exceptions. It does not matter whether MFA is a paid add-on or a free feature. If a cloud service you use supports MFA and you have not switched it on, you automatically fail the assessment. There is no partial credit and no remediation window within that cycle to fix it after the fact.
For most SMEs the obvious targets are Microsoft 365 and Google Workspace, where enforcement is easy to turn on but easy to leave half-configured. The trap is the long tail: the accounting platform, the CRM, the file-sharing tool, the marketing app someone logs into with a password and nothing else. Every one of those, if it supports MFA, is now in scope. One unprotected cloud login fails the whole assessment.
There is a second auto-fail. Two new questions, A6.4 and A6.5, make it mandatory to install high-risk and critical security updates within 14 days of release, covering operating systems, router and firewall firmware, applications and their extensions. Miss that and you fail automatically, the same as MFA.
The scheme also encourages passwordless methods such as passkeys and FIDO2 hardware keys, but that is encouragement, not a requirement. A strong password plus MFA still passes for now.
Why insurers care more than the certificate body does
Even if no contract forces you into Cyber Essentials, your insurer is pushing you towards the same controls. The proposal form for a modern UK cyber policy now reads like the Cyber Essentials checklist. Three controls come up on almost every renewal, and they are the same three the scheme has just tightened:
- MFA on all admin accounts, all remote access and all email, with insurers asking specifically about Microsoft 365 and Google Workspace enforcement.
- EDR, endpoint detection and response, on every device, centrally managed. Traditional signature antivirus no longer satisfies most underwriters.
- Backups, including an offline or immutable copy that ransomware cannot reach, with evidence you have tested a restore in the last 12 months.
Patch management within 14 days and restricted admin rights usually appear alongside them. What makes this matter is the declaration you sign. If you attest that MFA was enforced and a post-incident forensic review finds it was not on the compromised account, the insurer can decline the claim, even where MFA would not have stopped that breach. The control is a condition of cover, not just a discount, so the work you do for Cyber Essentials keeps your policy valid when you need it.
How to budget and plan from here
A sensible sequence for a firm in the 5 to 250 staff range:
- Run a gap analysis first, to find what you would fail on before you pay. The common gaps are MFA on secondary cloud apps, consumer-grade antivirus instead of EDR, and unmanaged patching.
- Fix MFA across every cloud service, not just email. This is now pass or fail.
- Decide basic versus Plus. If a client or tender names Cyber Essentials Plus, you need the audited version and the higher cost. If not, basic certification plus the free insurance is usually enough to start.
- Check the timing. If your controls are not ready, creating your account before 27 April 2026 keeps you on the older Willow rules with a generous grace period.
The certificate costs a few hundred pounds. Passing it honestly is what protects you, and from April 2026 the scheme stopped letting anyone fake it.
Frequently asked questions
How much does Cyber Essentials cost in the UK in 2026? The IASME assessment fee for basic Cyber Essentials is banded by size: around £300 to £330 + VAT for micro firms (0 to 9 staff), £400 + VAT for small (10 to 49), £450 + VAT for medium (50 to 249) and £500 + VAT for large (250+). Cyber Essentials Plus is quoted separately and typically runs £1,500 to £3,000 + VAT, sometimes more.
Is Cyber Essentials the same price everywhere? For basic certification, yes. IASME sets the assessment fee centrally, so the core cost is the same whichever certification body you use. Some bodies add a small premium when they bundle in pre-assessment support, so it is worth comparing two or three quotes. Cyber Essentials Plus prices vary because each body sets its own audit fee.
What is the new MFA rule from April 2026? Under the Danzell question set, which applies to assessment accounts created on or after 27 April 2026, multi-factor authentication must be enabled on every cloud service that offers it, for all users. If you leave MFA off on any service that supports it, you automatically fail the assessment with no remediation in that cycle.
Do I get free cyber insurance with Cyber Essentials? UK-domiciled organisations with turnover under £20m that certify their whole organisation can opt in to free cyber liability insurance with a £25,000 limit of indemnity, underwritten by AIG and administered through Sutcliffe and Co. It includes a 24-hour incident response line. It is a useful extra, not a replacement for a full commercial policy.
Can I still certify under the old rules? If you create your assessment account before 27 April 2026, you are assessed under the previous Willow question set (version 3.2) and have until 27 October 2026 to complete basic Cyber Essentials, or 27 January 2027 for Cyber Essentials Plus. The date the account is created, not the date you finish, decides which version applies.
Why do insurers ask about MFA, EDR and backups? Most UK cyber policies now require these as conditions of cover, and you attest to them on the proposal form. If a claim is investigated and a control you declared was not actually in place, the insurer can refuse to pay. The same controls Cyber Essentials checks are the ones that keep your policy valid.
For the authoritative scheme detail, see the NCSC Cyber Essentials overview and IASME’s notice on the April 2026 changes.