Quick Summary
- Cyber Essentials: £320 to £600 + VAT depending on company size
- Cyber Essentials Plus: £1,499 to £4,250+ VAT depending on size and complexity
- Certificate valid: 12 months, then annual renewal at the same cost
- Free bonus: Cyber liability insurance up to £25,000 included
- Hidden costs: Fixing your systems if they don't pass
I get asked about costs a lot. Makes sense. You want to know what you'll pay before you start.
Good news. Cyber Essentials is cheap. IASME sets the prices. They run the scheme for the government.
Here's what you'll pay in 2026.
Cyber Essentials Cost by Company Size
These are the official prices. They apply to 2026 under the Willow scheme update:
| Organisation Size | Employees | Certification Cost |
|---|---|---|
| Micro | 0-9 | £320 + VAT |
| Small | 10-49 | £440 + VAT |
| Medium | 50-249 | £500 + VAT |
| Large | 250+ | £600 + VAT |
That's the base fee. Some providers add extras for help, which I'll cover below.
What You Get
- Online form you fill in about your security
- Review by an approved assessor
- Certificate that lasts 12 months
- Your name on the official search list
- Free insurance up to £25,000 (if your turnover is under £20 million)
That free insurance surprises people. It's worth the cost on its own.
Cyber Essentials Plus Cost
Plus is harder. Someone tests your systems for real. They run security scans and check your computers.
Here are the typical prices from IT Governance and other providers:
| Organisation Size | Employees | Typical Cost Range |
|---|---|---|
| Micro | 0-9 | £1,499 - £1,650 + VAT |
| Small | 10-49 | £1,999 - £2,250 + VAT |
| Medium | 50-249 | £2,499 - £3,250 + VAT |
| Large | 250+ | £2,999 - £4,250+ VAT |
Important: You must pass basic Cyber Essentials first. You have 3 months to do Plus. Miss that window and you start again.
What You Get with Plus
- Everything from basic Cyber Essentials
- Security scan from outside your network
- Security scan from inside your network
- Tests on some of your computers
- Checks on your internet connection
- Checks that two-step login is working
- Done remotely or in person
Basic vs Plus: Quick Comparison
Not sure which one you need? Here's a simple breakdown:
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| How it works | You fill in a form | Someone tests your systems |
| Who checks | Assessor reads your answers | Assessor tests for real |
| Security scans | No | Yes |
| Time to complete | 1-3 days | 5-10 days |
| Typical cost (micro business) | £320 + VAT | £1,499+ VAT |
| Best for | Most small businesses | Government contracts, regulated sectors |
| Retakes if you fail | Usually included free | Pay again (no free retakes) |
I've written more about the differences between Cyber Essentials and Cyber Essentials Plus if you want the full breakdown.
Hidden Costs to Plan For
The fee is not the whole story. Here's what else you might pay:
Fixing problems first: If your systems don't pass, you need to fix them. This might mean new software. Or a new router. It can cost nothing or thousands. Depends where you start.
Extra Costs You Might Pay
| What | Cost | Notes |
|---|---|---|
| Help with the form | £150 - £400 | Someone walks you through it |
| Gap check first | £500 - £1,500 | Find problems before you apply |
| Fixing problems | £0 - £5,000+ | New software, routers, etc. |
| Your time | 5-20 hours | Getting info, filling in forms |
| Renewal each year | Same as first time | Certificate only lasts 12 months |
What Trips People Up in 2026
- Windows 10: It's end of life now. You need Windows 11 to pass.
- Old routers: Home routers often don't work. You need proper firewall controls.
- Home workers: The new Willow rules ask about their home networks too.
- Two-step login: It's mandatory for cloud services. No exceptions.
The new UK cyber laws coming in 2026 make this even more important. Directors are now personally liable for security failures.
How to Save Money
Here's what I tell people:
- Prep yourself first. The NCSC has free guides. Read them before you pay anyone.
- Fix easy stuff yourself. Update software. Turn on two-step login. Check your firewall.
- Pick the right level. Most small firms only need basic. Don't pay for Plus if you don't need it.
- Compare what's included. Some providers bundle help into the price. Check what you get.
- Plan for renewal. It expires after 12 months. Budget for that from the start.
Free readiness check: Before you spend anything, try my Cyber Essentials Readiness Assessment to see where you stand. It takes a few minutes and shows you what you might need to fix.
Is It Worth It?
Let me put this simply.
The average cyber attack costs UK businesses £1,600 to £3,550. That's from the Government's own data. Some cost way more. One company lost £7 million.
Cyber Essentials costs £320. And you get £25,000 of free insurance with it.
But there's more to it than maths:
- Government contracts: Required for tenders involving sensitive data
- Supply chain requirements: More large companies are asking suppliers for it. They'll check your certificate is real.
- Insurance discounts: Some insurers reduce premiums for certified businesses
- Customer confidence: Proves you take security seriously
The stats back this up. 92% of certified UK businesses avoid breaches. I've seen businesses win contracts specifically because they had certification and their competitors didn't.
Frequently Asked Questions
For 10-49 staff, the official fee is £440 + VAT. That covers the form and certificate. If you want help, add £150-400. Plus costs £1,999 - £2,250 + VAT for a small business.
Plus costs £1,499 to £4,250+ VAT. It depends on your size. Small firms pay around £1,500. Big firms pay over £3,000. The price covers security scans and real testing of your systems.
Yes. UK firms with under £20 million turnover get free cyber insurance up to £25,000. It comes with your certificate. It covers breach costs and business loss.
Yes. The certificate lasts 12 months. You renew at the same cost each year. Renewal is faster than the first time.
For basic, you get 2 days to fix things and try again free. For Plus, you pay again if you fail. No free retakes. That's why prep matters for Plus.
Yes. Many small firms do basic Cyber Essentials alone. The form is made for business owners, not IT experts. If you get stuck, the NCSC has free guides.
Because someone tests your systems for real. They scan your network. Check your computers. It takes time and skill. You get more proof your security works.
Need Help Getting Certified?
I help UK businesses get ready for Cyber Essentials. Want a chat about where you stand? Happy to help.