CybersecurityMay 20265 min read

How much does Cyber Essentials cost in 2026?

The certification fee is fixed nationally by IASME and varies by organisation size. What varies more significantly is how much preparation support your business needs before it is ready to submit. Here is a clear breakdown of both.

The certification fee

The Cyber Essentials assessment fee is set by IASME, the NCSC's official delivery partner, and is the same regardless of which certifying body you use. No certifier can charge less — or more — for the assessment itself. The fee is tiered by organisation size, using the UK government definition based on employee headcount:

Organisation sizeEmployeesCertification fee
Micro0–9£320 + VAT
Small10–49£440 + VAT
Medium50–249£500 + VAT
Large250+£600 + VAT

Most London SMEs fall into the micro or small category, so the certification fee alone is typically £320 or £440 + VAT. That is the floor — the minimum you will spend regardless of how you approach the process.

The preparation cost

This is where the total figure varies significantly between businesses. The certification fee covers the assessment itself — an accredited assessor reviewing your self-assessment questionnaire. It does not cover getting your systems ready to pass.

Preparation typically involves three things: identifying gaps in your current setup against the five controls, fixing those gaps (remediation), and working through the self-assessment questionnaire accurately. Businesses that skip preparation frequently fail their first attempt, which means paying the certification fee again.

The amount of preparation needed depends on your setup:

  • Modern cloud-based environments (Microsoft 365, few devices, no on-premise servers) — typically need less remediation. MFA enforcement and a firewall review are often the main items.
  • Mixed or legacy environments (older devices, on-premise infrastructure, multiple sites) — usually require more remediation time, particularly around patch management and secure configuration.
  • Businesses with no prior security review — tend to have more gaps across all five controls, which takes longer to address systematically.

What to budget in total

For a micro or small business with a reasonably modern setup and professional preparation support, a realistic all-in budget is:

  • Certification fee: £320–£440 + VAT (set by IASME)
  • Preparation support: £500–£1,500 + VAT depending on scope
  • Total: approximately £900–£2,000 + VAT for most small businesses

Businesses with more complex environments or significant remediation requirements should budget higher. The most accurate way to know your likely cost is a gap assessment first — that gives you a clear picture of what needs fixing before you commit to anything.

What about Cyber Essentials Plus?

Cyber Essentials Plus includes everything in the base certification plus a hands-on technical audit where an assessor directly tests your systems. The cost is higher — typically £1,500 to £3,000 for the assessment itself depending on scope and certifier, plus preparation support on top.

Plus is required for some higher-risk government contracts and carries more weight in procurement. For most small businesses not bidding for those contracts, the base certification is the right starting point.

Is there anything that offsets the cost?

Yes. Organisations that achieve Cyber Essentials certification and have an annual turnover under £20 million may also qualify for bundled cyber insurance through the certification scheme, depending on eligibility. For smaller businesses, the insurance value can be comparable to or greater than the total cost of certification.

There is also the commercial case: Cyber Essentials is increasingly required by larger clients and public sector bodies as a condition of contract. For businesses in that position, the cost of not having it — in lost opportunities — is harder to quantify but often significant.

A note on "cheap" Cyber Essentials services

The certification fee itself cannot be discounted — it is set nationally. What varies between providers is the quality and scope of preparation support. A very low quoted price usually means minimal support, which increases the risk of a first-attempt failure. Failing and resubmitting costs another certification fee on top.

Fixed-price preparation packages with clear inclusions are easier to evaluate than hourly rates, because you know upfront what you are getting.

Not sure what your business needs?

Get in touch and we can talk through your current setup, where you stand against the five controls, and what certification would involve for your business.

Book an assessment call