Cyber Essentials and Cyber Essentials Plus are built on the same foundation — the same five technical controls, the same NCSC-backed framework, the same annual renewal cycle. What differs is how your compliance is verified, and that difference matters more than it might appear.
This guide explains what separates the two levels, which situations call for each, and what the 2026 update changes for both.
The Core Difference
Cyber Essentials is a verified self-assessment. You complete a structured questionnaire covering the five controls, a board-level signatory confirms your answers are accurate, and an independent assessor reviews your submission. If your answers meet the requirements, you receive certification.
Cyber Essentials Plus covers the same five control areas but adds independent technical testing. Rather than taking your word for it, a qualified assessor tests your systems directly: an external vulnerability scan of your internet-facing addresses, an authenticated scan of a sample of in-scope devices to check patch levels and configuration, and tests of how those devices handle malicious files delivered by email and web browser. The aim is to confirm that the controls you described are genuinely in place and working, not just documented. The NCSC describes it as the same protections, verified through more rigorous independent testing.
Put simply: Cyber Essentials verifies that you have described the right controls. Cyber Essentials Plus verifies that those controls actually work on your systems.
What the Five Controls Cover
Whether you pursue the standard or Plus level, both certifications assess the same areas: boundary firewalls and internet gateways, secure configuration of devices and software, user access controls, malware protection, and security update management. These controls are designed to prevent the most common internet-based attacks — the automated, opportunistic threats that account for the large majority of what small businesses actually face.
When Standard Cyber Essentials Is Sufficient
For the majority of small businesses, standard Cyber Essentials is the right starting point and, in many cases, the right ongoing level.
It is appropriate when you are establishing baseline security for the first time, when your customers or contracts require certification but have not specified the Plus level, and when your IT environment is relatively straightforward — a small team, standard software, cloud services, limited network complexity.
It is also the required first step before pursuing Plus certification. You cannot go straight to Cyber Essentials Plus — you must hold a current Cyber Essentials certificate first, and you have three months from that date to complete the Plus assessment. Miss that window and you start again.
When Cyber Essentials Plus Is the Right Choice
The Plus level carries more weight precisely because it involves real testing. There are specific situations where that additional assurance is genuinely necessary rather than optional.
Government and public sector contracts. Some contracts require Cyber Essentials Plus specifically, particularly where the work involves sensitive data or critical systems. If you are bidding into the public sector, check the specification carefully.
Supply chain requirements. Large organisations increasingly ask their suppliers to hold Plus certification as a condition of working with them. If a significant client or contract opportunity requires it, the cost of certification is justified quickly.
Sectors with higher trust requirements. Healthcare, legal, financial services and any sector where clients are entrusting you with sensitive personal or financial data. The independent testing provides a level of assurance that a self-assessment alone cannot.
When your internal IT complexity warrants it. If you have multiple sites, complex network architecture or a significant number of devices in scope, independent testing gives you confidence that the controls are working consistently across the whole environment — not just as described on paper.
What the 2026 Update Changes for Both Levels
Version 3.3 of the Cyber Essentials requirements came into force on 27 April 2026. The changes affect both certification levels, though the impact on Cyber Essentials Plus is more significant in some areas.
For both levels, MFA is now an automatic fail trigger if a cloud service offers it and you have not enabled it. The new definition of cloud services means they can no longer be excluded from scope. Scoping language has been simplified — the terms "untrusted" and "user-initiated" have been removed as qualifiers.
For Cyber Essentials Plus specifically, the 2026 update tightens the evidence requirements around security update management. If you attest in your self-assessment that critical and high-risk updates are applied within 14 days of release but cannot show that during the technical audit (for example, a sampled device is still running a version that was superseded more than 14 days earlier), the Plus assessment can now result in a fail, and the underlying self-assessment certificate can be revoked. This closes a gap where organisations described compliant processes in their answers without having the systems in place to back them up.
The new question set for 2026 is called Danzell, replacing the Willow version used since April 2025. All assessment accounts created after 27 April 2026 use the new questions.
What Does Each Level Cost?
Cyber Essentials fees are set by IASME and scale with organisation size, starting at £320 +VAT for the smallest organisations. The specific fee for your size band is available on the IASME website.
Cyber Essentials Plus pricing varies by organisation size and the complexity of your network, because it involves hands-on technical work by a qualified assessor. Your Certification Body will provide a quote based on what is in scope.
Both certifications last 12 months and require annual renewal. For organisations with annual turnover under £20 million, achieving full-organisation Cyber Essentials certification also triggers free cyber liability insurance up to £25,000, arranged by IASME — worth factoring into the overall cost calculation.
Common Failure Points to Address Before You Start
Whether you are pursuing standard or Plus certification, these are the areas most likely to cause problems under the 2026 requirements.
MFA not enabled on cloud services is the single most common reason for assessment failure. Check every tool your team logs into. Admin accounts used for routine daily work, unsupported software still in use, and default credentials left unchanged on network equipment are the other recurring issues assessors find.
For Plus specifically, weak evidence of your update and patching process is the most common gap. You need to be able to show that critical and high-risk patches are applied within 14 days of release, using records such as patch management reports, update logs or a device inventory with installed versions and dates, rather than just stating that they are. The assessor samples devices directly, so those records must match what is actually installed.
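The 14-day check described above, and in the 2026 Plus evidence section earlier on this page, is easy to automate from whatever inventory your patch tooling exports. The script below is an added example written for this guide, not code from the article, IASME or the NCSC. It assumes a simple per-host record of each update (vendor release date, date applied, vendor severity) and applies the Cyber Essentials rule that updates rated critical or high, or with no rating from the vendor, must be installed within 14 days of release. The inventory is constructed sample data, not a real assessment.

```python
"""Added example: classify a patch inventory against the Cyber Essentials
14-day update window. Field names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

WINDOW_DAYS = 14
# CE treats critical/high updates, and updates the vendor does not rate,
# as in scope for the 14-day window. Lower-rated updates are not.
IN_SCOPE_SEVERITIES = {"critical", "high", "unrated"}


@dataclass(frozen=True)
class UpdateRecord:
    host: str
    package: str
    version: str
    released: date            # vendor release date of the fixed version
    applied: Optional[date]   # None means not yet installed on this host
    severity: str             # vendor rating: critical/high/medium/low/unrated


# Constructed sample inventory for illustration only (not real systems).
SAMPLE_TODAY = date(2026, 6, 1)
SAMPLE_INVENTORY: List[UpdateRecord] = [
    UpdateRecord("ws-01", "browser", "124.0.1", date(2026, 5, 1), date(2026, 5, 6), "critical"),
    UpdateRecord("ws-02", "browser", "124.0.1", date(2026, 5, 1), date(2026, 5, 20), "critical"),
    UpdateRecord("ws-03", "browser", "124.0.1", date(2026, 5, 1), None, "critical"),
    UpdateRecord("ws-04", "os-hotfix", "2026-05", date(2026, 5, 25), None, "unrated"),
    UpdateRecord("fw-01", "firmware", "7.2.3", date(2026, 4, 10), date(2026, 4, 30), "high"),
    UpdateRecord("ws-01", "pdf-reader", "11.3", date(2026, 5, 3), date(2026, 5, 28), "medium"),
]

STATUSES = ("compliant", "late", "overdue", "pending", "out_of_scope")


def classify(rec: UpdateRecord, today: date) -> str:
    """Return one of STATUSES for a single update record."""
    if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "out_of_scope"
    if rec.applied is None:
        # Not installed: a breach only once the window has elapsed.
        age = (today - rec.released).days
        return "overdue" if age > WINDOW_DAYS else "pending"
    elapsed = (rec.applied - rec.released).days
    return "compliant" if elapsed <= WINDOW_DAYS else "late"


def evaluate(inventory: List[UpdateRecord], today: date) -> Dict[str, List[UpdateRecord]]:
    """Group every record by its 14-day status."""
    report: Dict[str, List[UpdateRecord]] = {s: [] for s in STATUSES}
    for rec in inventory:
        report[classify(rec, today)].append(rec)
    return report


def compliance_rate(report: Dict[str, List[UpdateRecord]]) -> float:
    """Share of in-scope, decided records that met the window.
    'pending' is excluded because the window has not yet closed."""
    decided = len(report["compliant"]) + len(report["late"]) + len(report["overdue"])
    return len(report["compliant"]) / decided if decided else 1.0


def sample_report() -> Dict[str, List[UpdateRecord]]:
    return evaluate(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    rep = sample_report()
    for status in STATUSES:
        for r in rep[status]:
            print(f"{status:12} {r.host:6} {r.package:10} {r.version:8} severity={r.severity}")
    print(f"compliance rate (decided, in-scope): {compliance_rate(rep):.0%}")
```

Anything in the `late` or `overdue` lists is exactly what a Plus assessor's authenticated scan of a sampled device would surface, so running this against a real export before the audit tells you where the self-assessment answer and the estate disagree.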
Ready to Get Started?
SME Cyber Solutions is a Cyber Essentials provider with direct experience of what assessors look for and where businesses typically get stuck. We hold the certification ourselves and support UK SMEs through both levels of the process.
If you are not sure which level is right for your business, or you want help preparing before you start your assessment, book a free consultation and we can advise based on your specific situation. You can also check your current email security posture using our free security tools — no signup required.
Frequently Asked Questions
Do I need Cyber Essentials Plus or will standard certification be enough?
For most small businesses, standard Cyber Essentials is sufficient unless a specific contract, client or sector requirement specifies the Plus level. If you are unsure, check the wording of your contracts or ask your procurement contact directly.
Can I go straight to Cyber Essentials Plus?
No. You must hold a current Cyber Essentials certificate first. You then have three months to complete the Plus assessment. If you miss that window, you need to start the process again.
How long does Cyber Essentials certification last?
Both levels are valid for 12 months. You must renew annually to maintain your certification and your listing on the NCSC directory.
What happens if I fail the Plus assessment?
Unlike the standard level, where you typically have a short window to remediate and resubmit at no extra cost, a failed Plus assessment generally requires a paid reassessment. Preparation before you begin the technical testing is therefore especially important.
What changed with the 2026 update to Cyber Essentials?
The April 2026 update introduced mandatory MFA for cloud services (automatic fail if not enabled), a formal definition of cloud services that cannot be excluded from scope, and stricter evidence requirements for Cyber Essentials Plus around patching. The new question set is called Danzell. See our full guide to the 2026 changes for more detail.