When small business owners ask us about Cyber Essentials, the first question is almost always the same: how much does it cost? It is a perfectly reasonable question, and yet the answer you find online is often incomplete or misleading. Some sources quote only the certification fee and leave out everything else. Others bundle expensive consultancy into their headline price without making that clear. The result is that many business owners either overestimate the cost and put it off indefinitely, or underestimate it and get caught out by remediation work they had not planned for.

This guide gives you the complete, honest picture of what Cyber Essentials actually costs a UK small business in 2026. We cover the official IASME fee bands, the real cost of Cyber Essentials Plus, the hidden expenses that do not appear on any price list, worked budget examples for businesses of different sizes, and practical strategies for keeping costs as low as possible without cutting corners.
By the end, you will know exactly what to budget and where the money goes.
A Quick Reminder: What Is Cyber Essentials?
Before we break down costs, it helps to understand what you are paying for. Cyber Essentials is the UK Government's baseline cyber security certification scheme, developed by the National Cyber Security Centre (NCSC) and delivered through IASME, its official partner. It is built around five technical controls — firewalls, secure configuration, user access control, malware protection, and security update management — that collectively defend against the most common internet-based attacks.
There are two levels. Standard Cyber Essentials is a verified self-assessment: you complete a questionnaire, a board member signs a declaration, and an assessor reviews your answers. Cyber Essentials Plus adds an independent technical audit where an assessor tests your systems to verify that the controls are genuinely working. For a full walkthrough of the scheme, the controls, and the April 2026 changes, see our complete Cyber Essentials Certification UK guide.
Now, let us talk money.
The Official IASME Certification Fees
The starting point for any Cyber Essentials budget is the official assessment fee set by IASME. These fees are fixed, tiered by organisation size, and non-negotiable: every Certification Body charges the same base assessment fee because IASME sets it centrally.
Standard Cyber Essentials Fees (2026)
The current fee bands, based on employee count, are as follows:
Micro (0–9 employees): £320 + VAT
Small (10–49 employees): £440 + VAT
Medium (50–249 employees): £500 + VAT
Large (250+ employees): £600 + VAT
These prices have remained stable since the tiered structure was introduced in 2022, replacing the previous flat fee of £300 that applied regardless of size. For the vast majority of UK small businesses, the certification fee sits between £320 and £440 plus VAT, roughly what two IT support call-outs would cost.
What the Fee Includes
For that money, you receive:
Access to the online assessment platform, with six months to complete your self-assessment questionnaire
Review by a qualified assessor, typically within three working days
One opportunity to correct and resubmit if your initial submission does not pass
A digital certificate valid for twelve months
A public listing on the NCSC Cyber Essentials directory so clients and partners can verify your certification
A digital badge for use on your website and marketing materials
For organisations with turnover under £20 million that certify the whole organisation: complimentary cyber liability insurance arranged through IASME, including 24/7 incident response support and cover up to £25,000
That last point is worth pausing on. Comparable standalone cover would cost most small businesses several hundred pounds a year. For a micro business paying £320 plus VAT, the included insurance arguably pays for the certification on its own.
Cyber Essentials Plus: What It Costs and When You Need It
Standard Cyber Essentials is sufficient for most small businesses. However, there are situations where Cyber Essentials Plus is either required or strongly advisable: when a client or supply chain partner specifically requires it, when bidding on higher-value government contracts, when you want the additional assurance of independent technical verification, or when your business handles particularly sensitive data and wants to demonstrate a higher standard of security to customers and regulators.
Unlike standard Cyber Essentials, there is no single fixed national price for Plus. The cost depends on the size and complexity of your IT environment because the assessment involves hands-on technical testing — vulnerability scanning of external IP addresses, testing of a representative sample of devices, and verification that the controls described in your self-assessment are actually working.
Typical Cyber Essentials Plus Pricing
Based on published pricing from multiple Certification Bodies and our own experience working with UK small businesses, here are the realistic ranges you should expect in 2026:
Micro business (1–9 employees, simple environment): £1,200–£1,800 + VAT. This assumes a small number of devices, one or two locations, limited cloud services, and a straightforward network setup.
Small business (10–49 employees): £1,500–£2,500 + VAT. More devices, potentially multiple locations, broader cloud usage, and a more complex network increase the testing time required.
Medium business (50–249 employees): £2,500–£4,500 + VAT. Larger device estates, more external IP addresses, multiple office locations, and diverse cloud services all push the price upward.
Several factors influence where you fall within these ranges: the number of external-facing IP addresses (more addresses means more vulnerability scanning), the number and diversity of devices in scope, whether the audit is conducted remotely or on-site (on-site audits typically cost more due to travel time), the number of locations, and the Certification Body you choose — pricing can vary by 30–50% between different assessors for the same scope, so getting multiple quotes is essential.
Important timing note: You must hold a valid standard Cyber Essentials certificate before starting Cyber Essentials Plus, and you have a maximum of three months to complete Plus after your standard certificate is issued. If you miss that window, you need to start the entire process again. Factor this into your planning and budget.
The Hidden Costs: What the Fee Does Not Cover
Here is where many small businesses get caught out. The IASME certification fee is the cost of the assessment itself. It does not include the cost of actually meeting the five controls. For businesses that are already well-managed from an IT perspective, the additional cost may be negligible. For others, it can be the largest part of the total spend.
Understanding these hidden costs is critical to building a realistic Cyber Essentials budget.
1. Remediation Costs
Remediation means fixing the gaps between where your IT environment is today and where it needs to be to pass the assessment. Common remediation tasks and their typical costs include:
Replacing unsupported software: If you are running Windows 7, Windows 8.1, Windows 10 without paid Extended Security Updates (Windows 10 reached end of support on 14 October 2025), an unsupported version of macOS, or legacy applications that no longer receive security updates, you cannot pass. A Windows 10 machine that meets the hardware requirements can be upgraded to Windows 11 at no licence cost; where a new licence is needed, budget £100–£140 for Windows 11 Pro plus the time to set it up. If the hardware is too old to run a supported operating system, you are looking at the cost of replacement devices, typically £400–£800 for a business-grade laptop.
Enabling MFA on cloud services: Most cloud services include MFA at no additional cost, so enabling it is free in terms of licence fees. The real cost is the staff time needed to set it up, communicate the change to employees, and provide support during the transition. For a 20-person business, budget half a day to a full day of IT time. In Microsoft 365, security defaults enforce MFA for every user on any plan at no extra cost; the licence cost only arises if you want Conditional Access policies, which need Microsoft Entra ID P1 and are included in Business Premium. Moving from Business Basic to Business Premium for that reason adds roughly £3–£10 per user per month depending on the plan you start from, so check current list prices.
Upgrading or replacing your firewall: If your broadband router's firewall is not configurable, or it is running firmware the manufacturer no longer supports, you may need to replace it. A business-grade router with a properly configurable firewall costs between £100 and £500 depending on your requirements. For most small businesses, the router provided by their broadband provider, combined with a properly configured host firewall on each device, is sufficient. You do need to verify that the default administrator password has been changed, that remote administration from the internet and other unnecessary services have been disabled, and that no inbound port forwards remain that nobody can justify.
Endpoint protection: If you do not already have antivirus or endpoint detection and response (EDR) software on all devices, you will need to deploy it. Microsoft Defender, included with Windows 10 and 11, meets the basic requirements when properly configured and costs nothing extra. Third-party EDR solutions typically run between £2 and £8 per device per month. Our features page outlines the endpoint protection options we provide as part of SOC in a Box.
Software updates and patching: Cyber Essentials requires that security updates rated critical or high risk are applied within 14 days of release across your entire estate, and under the 2026 Danzell question set this is now an automatic-fail criterion rather than an advisory. If you do not have a systematic approach to patching, and many small businesses do not, you may need to invest in a patch management tool or process. Basic patch management for Windows devices can be handled through Windows Update for Business at no additional cost, but it requires proper configuration and monitoring, and it does not cover third-party applications, browsers or router firmware, which the requirement also includes.
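Every remediation item above is something you can check for yourself before paying anyone. The following PowerShell script is an added example written for this guide, not code from IASME, the NCSC or the SOC in a Box product. It assumes a Windows 10 or 11 device, an elevated Windows PowerShell 5.1 (or later) session, and the threshold values shown in the comments: the 14-day patch window is the scheme's own requirement, while the one-day signature age and the AutoRun registry value are sensible local choices rather than anything the scheme mandates. It reports findings and changes nothing.

```powershell
# Added example (not from the page, IASME or the NCSC): a read-only self-check of one
# Windows device against the Cyber Essentials controls that can be verified locally.
# Run in an elevated PowerShell session. Threshold values are assumptions (see comments).

$findings = [System.Collections.Generic.List[string]]::new()
$maxPatchAgeDays = 14    # scheme requirement: critical/high-risk updates within 14 days
$maxSignatureAgeDays = 1 # local choice: Defender signatures should update daily

# 1. Security update management: supported OS, recent patches, nothing critical pending.
$os = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
# Windows 11 builds start at 22000. Anything lower is Windows 10 or older, which left
# support on 14 October 2025 unless the device is enrolled in Extended Security Updates.
if ($build -lt 22000) {
    $findings.Add("OS: $($os.Caption) build $build is Windows 10 or older; confirm ESU enrolment or upgrade")
}
$latestHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latestHotfix) {
    $age = (New-TimeSpan -Start $latestHotfix.InstalledOn -End (Get-Date)).Days
    if ($age -gt $maxPatchAgeDays) {
        $findings.Add("Patching: last update $($latestHotfix.HotFixID) installed $age days ago (limit $maxPatchAgeDays)")
    }
}
# Ask the Windows Update agent what is still outstanding. MsrcSeverity is Microsoft's
# rating: Critical, Important, Moderate, Low, or empty for non-security updates.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    foreach ($u in $pending) {
        if ($u.MsrcSeverity -in @('Critical', 'Important')) {
            $findings.Add("Patching: pending $($u.MsrcSeverity) update not installed: $($u.Title)")
        }
    }
} catch {
    $findings.Add("Patching: could not query the Windows Update agent ($($_.Exception.Message))")
}

# 2. Malware protection: Defender on, real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add("Malware: Defender antivirus is disabled") }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Malware: real-time protection is off") }
if ($mp.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings.Add("Malware: signatures are $($mp.AntivirusSignatureAge) days old")
}

# 3. Firewalls: every profile enabled and blocking unsolicited inbound traffic by default.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings.Add("Firewall: $($p.Name) profile is disabled") }
    if ($p.DefaultInboundAction -eq 'Allow') { $findings.Add("Firewall: $($p.Name) profile allows inbound by default") }
}

# 4. User access control: who holds local admin, and are the built-in accounts disabled?
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
$findings.Add("Access: local Administrators group members: $($admins -join ', ')")
# The built-in Administrator has RID 500 and Guest RID 501 on every Windows install.
foreach ($acct in Get-LocalUser) {
    if ($acct.Enabled -and $acct.SID.Value -like 'S-1-5-21-*-500') { $findings.Add("Access: built-in Administrator account is enabled") }
    if ($acct.Enabled -and $acct.SID.Value -like 'S-1-5-21-*-501') { $findings.Add("Access: Guest account is enabled") }
}

# 5. Secure configuration: two default-hardening gaps assessors commonly pick up.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') { $findings.Add("Config: SMBv1 is enabled") }
$autorun = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if (-not $autorun -or $autorun.NoDriveTypeAutoRun -ne 255) {
    $findings.Add("Config: AutoRun is not fully disabled (NoDriveTypeAutoRun should be 255)")
}

"== Cyber Essentials self-check: $env:COMPUTERNAME, $(Get-Date -Format s) =="
$findings | ForEach-Object { " - $_" }
```

Run it on a representative sample of devices and keep the output: the Administrators line is always printed, because the question is not whether admins exist but whether each one is a named person with a separate day-to-day account. The Windows Update query can take a minute and needs a route to Microsoft Update or your WSUS server; if it fails, the script says so rather than silently reporting a clean patch state.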
2. Staff Time
This is the cost that almost never appears in anyone's pricing guide, yet it is often the largest single expense for a small business pursuing Cyber Essentials. Someone in your organisation needs to understand the requirements, audit your current setup against the five controls, coordinate any remediation work, complete the self-assessment questionnaire, and manage the relationship with the Certification Body if questions arise during assessment.
For a micro business with a simple IT environment, this might take 8–15 hours of effort spread over a few weeks. For a small business with 20–50 employees, multiple cloud services, and a mix of device types, 20–40 hours is more realistic. If you value that time at £30–£50 per hour (a reasonable internal cost for a senior team member), the staff time component alone could be £400–£2,000.
First-time certification always takes longer than renewal. Once you have been through the process, you understand the questions, you know where your documentation is, and maintaining compliance becomes part of your routine. Renewal preparation typically takes 30–50% less time than the initial effort.
3. External Support and Consultancy
Many small businesses choose to engage external help, either because they lack in-house IT expertise or because they want to pass first time without the uncertainty of figuring it out alone. External support comes in several flavours:
NCSC Cyber Advisors are assured by the National Cyber Security Centre to provide small and medium-sized businesses with reliable, cost-effective advice. They follow a strict code of conduct to ensure advice is proportionate. Costs are set by each advisor rather than by the scheme, so ask for a quote, but they are generally reasonable.
Certification Body support packages are offered by many of the 400+ licensed Certification Bodies across the UK. These bundle the assessment fee with guided preparation, gap analysis, and hands-on help completing the questionnaire. Prices typically range from £500 to £1,200 for standard Cyber Essentials, depending on the level of support included.
Independent IT consultants can help with both preparation and remediation. Hourly rates vary widely — from £75 to £200+ per hour depending on the consultant's experience, location, and the complexity of the work. For a straightforward gap analysis and remediation plan, budget £500–£1,500. For full hands-on remediation and guided assessment completion, £1,500–£3,500 is realistic.
Whether you need external support depends entirely on your internal capabilities. If you have a competent IT person or managed service provider already looking after your systems, you may need nothing beyond the assessment fee. If IT is not your strength and you have never engaged with cyber security formally, the investment in professional guidance can save you far more than it costs by avoiding failed assessments, wasted time, and the risk of thinking you are compliant when you are not.
Worked Budget Examples by Business Size
To make the picture concrete, here are realistic total budgets for three different types of small business, based on typical scenarios we see across the UK small business market.
Scenario 1: Solo Consultant / Micro Business (3 employees)
A small consultancy with three staff, all using company laptops with Microsoft 365, working primarily from home. The business has a simple setup: one broadband connection with a standard router, three Windows 11 laptops, Microsoft 365 Business Basic, and a cloud-based accounting tool.
IASME assessment fee: £320 + VAT (£384 inc. VAT). Remediation costs: likely minimal. Enable MFA on Microsoft 365 and the accounting tool (free), verify Windows Defender is active and configured (free), check router firewall settings (30 minutes of time). External support: probably unnecessary for this size and complexity. Staff time: approximately 8–12 hours for preparation and assessment completion. Estimated total: £384 in cash, or roughly £660–£800 once staff time is valued at £35/hour.
Scenario 2: Growing Business (25 employees)
A professional services firm with 25 staff across two offices. A mix of laptops and desktops, Microsoft 365 Business Premium, a CRM system, cloud storage, and a VoIP phone system. Two employees have admin access they probably should not have, and three machines are still running Windows 10, which reached end of support in October 2025 and now only receives patches under paid Extended Security Updates.
IASME assessment fee: £440 + VAT (£528 inc. VAT). Remediation: remove unnecessary admin accounts (1 hour), enable MFA across all cloud services including CRM and VoIP (half day), and deal with the three Windows 10 machines before assessment: either enrol them in Extended Security Updates for the year or upgrade them to Windows 11 (free on eligible hardware; otherwise budget for replacement devices). Potential M365 licence adjustment if Conditional Access is wanted rather than the free security defaults: ~£150/month additional. External support: a Certification Body support package at ~£300–£500 on top of the assessment fee would provide useful guidance. Staff time: approximately 25–35 hours. Estimated total: £1,500–£3,000 including VAT, support, and staff time.
Scenario 3: Established SMB (80 employees)
A manufacturing or distribution company with 80 employees, a head office, a warehouse with networked devices, multiple cloud services, legacy line-of-business applications, and a mix of managed and unmanaged devices including tablets and phones used on the warehouse floor.
IASME assessment fee: £500 + VAT (£600 inc. VAT). Remediation: this is where costs can escalate. Legacy applications may need upgrading or isolating. Unmanaged devices need to be brought into scope or genuinely segregated. MFA deployment across 80 users and multiple cloud services requires careful planning. Budget £2,000–£5,000 for remediation depending on the current state of the environment. External support: strongly advisable for this complexity level. A full gap analysis, remediation plan, and guided assessment: £1,500–£3,000. Staff time: 40–60 hours across IT and management. Estimated total: £4,000–£9,000 including VAT, remediation, support, and staff time.
These figures might seem wide-ranging, and they are, because the total cost depends far more on the current state of your IT environment than on the certification fee itself. A well-managed micro business might spend under £400 in cash. A poorly-managed 80-person company might spend £9,000 or more. But in both cases, the money is being spent on making the business genuinely more secure, not on bureaucracy.
How to Reduce Your Cyber Essentials Costs
There are legitimate, practical ways to bring your costs down without compromising on security or your chances of passing the assessment.
Use the free resources first. The IASME Cyber Essentials Readiness Tool is free and produces a tailored action plan. The NCSC's Small Business Guide, Exercise in a Box, and Cyber Action Plan tool are all free. The assessment questions and Requirements for IT Infrastructure document can be downloaded for free from the IASME website. Work through all of these before you spend a penny on external help.
Fix the easy things yourself. Enabling MFA, changing default passwords, removing unnecessary admin accounts, checking firewall settings, and verifying that Windows Defender is active and up to date are all tasks that any reasonably capable person can do with the help of the NCSC's step-by-step guidance. You do not need to pay a consultant for these.
Use what you already have. Microsoft Defender Antivirus is included with Windows 10 and 11 and meets the malware protection requirement when properly configured. Windows Update for Business handles patch management for the operating system. The built-in Windows Defender Firewall is sufficient as the host-based firewall on each device. Your broadband router almost certainly has a firewall; you just need to make sure it is configured correctly. Do not buy new security tools unless you genuinely need them.
Choose the right level of certification. If no client, contract, or regulation requires Cyber Essentials Plus, do not pay for it. Standard Cyber Essentials is a legitimate, respected certification that satisfies the vast majority of requirements. You can always upgrade to Plus later if the need arises.
Get multiple quotes for Plus. If you do need Cyber Essentials Plus, get at least three quotes from different Certification Bodies. Pricing can vary by 30–50% for the same scope, and the cheapest option is not necessarily the worst — nor is the most expensive necessarily the best. Look for assessors who have experience with businesses of your size and type.
Time your certification wisely. If you are not under deadline pressure, take the time to prepare thoroughly before creating your assessment account. A failed first submission is not the end of the world — you get one free resubmission — but if your remediation needs are significant, it may be more cost-effective to address them first and certify when you are confident of passing.
Plan for renewal from day one. Cyber Essentials is valid for twelve months. If you maintain your controls throughout the year — keeping software updated, maintaining MFA, managing user access — renewal becomes a quick, low-cost exercise rather than an annual scramble. The assessment fee at renewal is the same as initial certification, but your preparation time and remediation costs should be significantly lower.
The Cost of NOT Getting Certified
Any discussion of what Cyber Essentials costs would be incomplete without considering the alternative: what it costs to do nothing.
The UK Government's Cyber Security Breaches Survey found that 43% of businesses experienced a cyber security breach or attack in the past twelve months. The direct mean cost of a cyber crime incident, excluding phishing, is around £1,970 — but that is the mean across all sizes, including well-resourced enterprises that contain incidents quickly. For a small business without proper defences or an incident response plan, the real cost is typically far higher.
The average cost to remediate an attack against a UK business is estimated at £21,000. For ransomware — which doubled in prevalence in 2025 — the average ransom demand has climbed to approximately £115,000, and paying the ransom does not guarantee recovering your data. Globally, the average breach cost for businesses under 500 employees is approximately £2.7 million when you factor in downtime, investigation, legal costs, regulatory fines, customer notification, increased insurance premiums, and lost business.
And then there is the statistic that should make every small business owner pay attention: 60% of small businesses that suffer a major cyber attack close within six months. Not because the attack itself is always catastrophic, but because the combination of financial loss, operational disruption, reputational damage, and lost customer confidence creates a compounding effect that smaller businesses simply cannot absorb.
Set against those numbers, the cost of Cyber Essentials certification is not an expense but one of the most cost-effective risk reduction investments available to any UK business.
Cost Comparison: Cyber Essentials vs Other Security Investments
To put the cost in perspective, here is how Cyber Essentials compares to other common security-related expenses for UK small businesses:
Standalone cyber insurance: £300–£1,500+ per year depending on cover level, business size, and risk profile. Cyber Essentials includes up to £25,000 of cyber liability cover for free with certification for eligible businesses.
A single IT support call-out: £75–£200 per visit for most IT support companies. The entire Cyber Essentials certification fee for a micro business (£320 + VAT) is comparable to two call-outs.
A penetration test: £2,000–£10,000+ depending on scope. Useful but not a substitute for baseline controls, and not required for most small businesses.
A data breach: Average remediation cost of £21,000 for UK businesses. A single breach costs more than a decade of Cyber Essentials certifications.
Managed SOC monitoring: £800–£3,000 per month for continuous threat detection and response. This is a complementary investment that adds the detection layer Cyber Essentials does not provide. Our SOC for SMB guide explains how managed monitoring works alongside certification to give small businesses enterprise-grade protection at a fraction of the cost.
Lost contract revenue: Difficult to quantify, but increasingly real. If a client requires Cyber Essentials and you do not have it, you are excluded from the tender before the conversation starts. For businesses that sell to government, the NHS, or larger corporates, a single lost contract can dwarf the entire cost of certification many times over.
What About the April 2026 Changes — Do They Affect Costs?
The Danzell update (version 3.3) that took effect on 27 April 2026 did not change the IASME certification fees. The official assessment prices remain the same. However, the stricter enforcement in three areas could indirectly increase costs for some businesses:
Missing MFA is now an automatic failure. If any in-scope cloud service offers MFA and you have not enabled it for every user, you fail outright; there is no assessor discretion. For businesses that have been putting off MFA because of perceived complexity or employee pushback, there is now a hard requirement to invest the time, and potentially licence costs, to enable it universally. In Microsoft 365 the no-cost route is security defaults; if you want Conditional Access policies instead, which need Entra ID P1 and therefore a Business Premium licence or add-on, that adds roughly £3–£10 per user per month.
Cloud services cannot be excluded from scope. Businesses that previously narrowed their certification scope to avoid including cloud platforms now need to include them. This might reveal additional remediation needs — insecure configurations, missing MFA, or cloud admin accounts with weak access controls.
14-day patching is strictly enforced. Two patching questions now carry automatic failure criteria. If your patching process is informal or manual, you may need to invest in tooling or processes to ensure critical updates are applied within the required timeframe across your entire device estate.
For businesses that were already following good practice, the 2026 changes add minimal cost. For those that were passing certification with marginal compliance, the tightened rules may require genuine investment in bringing their environment up to standard. Our Cyber Essentials Certification UK guide provides a detailed walkthrough of every change and how to prepare.
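Because the MFA rule is now pass-or-fail, "we told everyone to turn it on" is not evidence; you need a list of accounts that have not registered, with admins at the top. The following script is an added example written for this guide, not code from IASME, the NCSC, Microsoft or the SOC in a Box product. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Reports PowerShell modules are installed (Install-Module Microsoft.Graph) and that the signed-in account has been granted the AuditLog.Read.All, UserAuthenticationMethod.Read.All and User.Read.All permissions, which is my understanding of what the user registration report requires. It is read-only.

```powershell
# Added example (not from the page, IASME or Microsoft): find Microsoft 365 accounts that
# have not registered for MFA, admins first, and keep the result as assessment evidence.
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Reports are installed and the
# signed-in account holds the read permissions listed in the -Scopes argument.

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'User.Read.All' -NoWelcome

# Enabled member accounts only. Disabled users and external guests are normally out of
# scope, but shared and service mailboxes that remain will need explaining to the assessor.
$users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, AccountEnabled, UserType |
    Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' }
$inScope = @{}
foreach ($u in $users) { $inScope[$u.Id] = $u }

# The registration report gives, per user, whether MFA is registered and whether the user
# holds an admin role. IsMfaCapable means a usable method exists somewhere; IsMfaRegistered
# is the stronger signal that the user has actually completed registration.
$report = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $inScope.ContainsKey($_.Id) })

$gaps = @($report | Where-Object { -not $_.IsMfaRegistered } | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        IsAdmin           = $_.IsAdmin
        IsMfaCapable      = $_.IsMfaCapable
        MethodsRegistered = ($_.MethodsRegistered -join ',')
    }
})

"MFA registered: $($report.Count - $gaps.Count) of $($report.Count) enabled member accounts"
"Admin accounts without MFA: $(@($gaps | Where-Object IsAdmin).Count)"

# Admins first: an unprotected admin account is the finding that matters most.
$gaps | Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName | Format-Table -AutoSize

# Keep the evidence: the assessor may ask how you verified that MFA is universal.
$gaps | Export-Csv -Path "mfa-gaps-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it before you submit and again after the registration deadline you give staff. A zero-length gap list plus the CSV from the earlier run is exactly the kind of evidence that turns "MFA is enabled" from a claim into something you can show. Accounts that appear as capable but not registered usually belong to people who were given a method by IT but never completed the sign-in prompt.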
Annual Renewal: What It Costs Year After Year
Cyber Essentials certification is valid for twelve months. To maintain your certification, your directory listing, and your complimentary insurance, you need to renew annually.
The good news is that renewal fees are identical to initial certification fees — the same IASME fee bands apply. At renewal, you complete a fresh self-assessment against the current version of the question set, which means if the requirements have been updated since your last certification, you will be assessed against the new standards.
The better news is that renewal is significantly less expensive in total than first-time certification. If you have maintained your controls throughout the year, there should be minimal remediation needed. Your staff will be familiar with the questions and the process. Preparation time typically drops by 30–50% compared to the initial effort.
The key to keeping renewal costs low is treating Cyber Essentials as an ongoing practice rather than an annual event. Keep software updated continuously, maintain MFA on all cloud services, review user access when staff join or leave, and document any changes to your IT environment as they happen. Do this, and renewal becomes a quick, routine exercise rather than a stressful catch-up.
Should You Do It Yourself or Get Help?
This is ultimately a question of capability and confidence, and there is no single right answer. Here are guidelines based on what we see working for businesses of different sizes and situations:
Self-led works well when: you or someone in your team is comfortable with IT, your environment is simple (fewer than 20 devices, one or two cloud services, no legacy applications), you have time to work through the NCSC guidance and IASME resources, and you are not under tight deadline pressure.
External support is worth the investment when: no one in the business has IT security experience, your environment is complex (multiple locations, legacy systems, diverse cloud services, mixed device types), certification is tied to a specific tender or contract deadline, you tried the self-led route and got stuck or failed, or the cost of your team's time exceeds the cost of external help.
A middle ground that works well for many small businesses is to use the free resources and attempt the self-assessment yourself, but engage a Certification Body for their supported assessment package. This typically costs £300–£500 on top of the base fee and gives you access to an assessor who can help you understand the questions and how they apply to your specific setup — without the higher cost of independent consultancy.
Making the Business Case: Return on Investment
If you need to justify the investment to a board, partners, or yourself, here is the case in hard numbers:
For a small business with 25 employees, a realistic all-in first-year cost of £2,000–£3,000 delivers:
Certification that unlocks government and enterprise contracts potentially worth tens or hundreds of thousands of pounds
Cyber liability insurance worth £300–£500 per year, included at no extra cost
A demonstrated reduction in breach risk: the five controls are estimated to protect against around 80% of common attacks
Compliance with Procurement Policy Note 014 for government contracting
Supply chain credibility with larger clients that increasingly require baseline certification
A structured approach to security that reduces the likelihood of a £21,000+ incident remediation bill
At renewal, the cost drops to the assessment fee plus minimal staff time — perhaps £600–£800 all in. The return compounds year after year as you maintain compliance, retain clients, win new contracts, and avoid the catastrophic costs of an undefended breach.
For businesses that also invest in continuous monitoring through a managed SOC service, the combination provides both the preventive baseline that Cyber Essentials mandates and the detection and response capability needed to catch threats that get through. It is the most cost-effective layered defence available to a UK small business in 2026.
Frequently Asked Questions About Cyber Essentials Cost
Can I get Cyber Essentials for free?
The assessment itself has a fixed fee starting at £320 plus VAT. However, all preparation resources — the readiness tool, assessment questions, requirements documents, and NCSC guidance — are available for free. If your IT environment already meets the five controls, your only out-of-pocket cost is the assessment fee.
Is the included cyber insurance really free?
Yes. Any UK organisation with turnover under £20 million that achieves Cyber Essentials certification covering their whole organisation automatically receives cyber liability insurance arranged through IASME. It includes 24/7 incident response support and coverage up to £25,000. There is no separate application or payment — it is included with your certification for the twelve months it is valid.
What happens if I fail the assessment?
For standard Cyber Essentials, you receive one free opportunity to correct and resubmit. The assessor provides feedback on which areas did not meet the requirements, so you know exactly what to fix, and you have two working days to make the corrections and resubmit. Each resubmission is reviewed within three working days. If your second submission also fails, you need to start a new assessment and pay the fee again. For Cyber Essentials Plus there is no free resubmission: a failed audit typically means paying for a reassessment, which is why thorough preparation is especially important for Plus.
Do I need Cyber Essentials Plus, or is standard enough?
Standard Cyber Essentials is sufficient for most small businesses and satisfies the majority of contractual and regulatory requirements. Only pursue Plus if a specific client, contract, or regulation requires it, or if you want the higher assurance of independent technical verification. You can always start with standard and upgrade to Plus later.
How much should I budget for annual renewal?
Budget the IASME assessment fee for your size band (£320–£600 + VAT) plus approximately 50–70% of the staff time you spent on initial certification. If you maintain your controls throughout the year, remediation costs at renewal should be minimal or zero.
Conclusion: It Costs Less Than You Think, and Less Than Doing Nothing
The cost of Cyber Essentials for a UK small business in 2026 is genuinely modest. For a micro business, the cash outlay can be under £500 (around £700–£800 once you count your own time). For a typical small business, £1,500–£3,000 covers everything including remediation and staff time. For a more complex SMB, £4,000–£9,000 represents a comprehensive security upgrade that goes far beyond ticking a box.
Compare that to the average £21,000 cost of remediating a cyber attack, the £115,000 average ransomware demand, or the widely cited finding that 60% of small businesses hit by a major attack close within six months. The maths is unambiguous.
Cyber Essentials is not expensive. A breach is expensive. Not winning contracts because you lack certification is expensive. Discovering too late that your business has been compromised for months because no one was watching — that is expensive.
Start with the free readiness tool. Work through the five controls. Get certified. Then build from there with continuous monitoring through a service like SOC in a Box to add the detection and response layer that completes your defence.
Your business is worth protecting. And protecting it costs less than you think.
Ready to Get Certified and Stay Protected?
SOC in a Box combines Cyber Essentials guidance with 24/7 managed security monitoring, giving your small business both the baseline certification and the continuous threat detection needed to stay safe. Certification support from £320. Monitoring from £49/month.
View pricing plans