Quick answer: In the UK in 2026, the IASME fee for Cyber Essentials starts at £300 + VAT, full first-year spend is £1,500–£3,500 for most SMEs, and Cyber Essentials Plus costs £1,500–£8,000 + VAT. Below: tier breakdown, hidden costs and managed pricing from £103/month.
Last updated: April 2026 | Reviewed by: Connection Technologies team

Cyber Essentials Cost UK 2026: Real Pricing for CE & CE+
Cyber Essentials costs a UK business in 2026 between £300 and £500 + VAT for the basic certification, and £1,500 to £8,000 + VAT for Cyber Essentials Plus — but the IASME certification fee is rarely the full picture. Add prep work, remediation, MFA tooling, EDR licences and (often) consultancy, and the real first-year spend on Cyber Essentials certification for a typical 25-person SME is closer to £1,800–£3,500.
This guide breaks the Cyber Essentials cost down line by line: IASME tier fees, what determines your tier, prep / remediation costs, the cost of Cyber Essentials Plus on top, hidden extras most buyers miss, and how the managed model from Connection Technologies compares (RRP from £103/month all-in).
Cyber Essentials cost in 2026 — official IASME tier fees
Cyber Essentials is administered by IASME on behalf of the NCSC. Since January 2022, IASME has used a tiered pricing model based on organisation size. The cost of Cyber Essentials in 2026 is:
| Tier | Organisation size | Cyber Essentials cost (ex VAT) |
|---|---|---|
| Micro | 0 – 9 employees | £300 |
| Small | 10 – 49 employees | £400 |
| Medium | 50 – 249 employees | £450 |
| Large | 250+ employees | £500 |
These Cyber Essentials prices are the IASME assessment fee only and cover one passing attempt. If you fail and need to resubmit, you get one free re-submission within 48 hours of the original assessor verdict — after that, you pay the full Cyber Essentials certification cost again.
What’s included in the IASME cyber essentials cost
- Access to the IASME assessment portal and the 64-question Self-Assessment Questionnaire (SAQ)
- Review of your answers by a certified IASME assessor
- One pass / fail verdict, with one free re-submission inside 48 hours
- The Cyber Essentials certificate and badge if you pass
- Free £25,000 cyber-liability insurance (UK-domiciled businesses with under £20m turnover that certify the whole organisation)
Cyber Essentials Plus cost — the audited tier
Cyber Essentials Plus is the independently audited tier of the same scheme. It uses external vulnerability scans plus an authenticated sample audit of your laptops, servers and mobile devices. The Cyber Essentials Plus cost in 2026 typically runs:
| Devices in scope | Cyber Essentials Plus cost (ex VAT) |
|---|---|
| 1 – 20 devices | £1,500 – £2,500 |
| 21 – 50 devices | £2,500 – £4,000 |
| 51 – 100 devices | £4,000 – £6,000 |
| 101 – 250 devices | £5,000 – £8,000 |
| 250+ devices | POA — typically £8,000+ |
Cyber Essentials Plus pricing isn’t fixed by IASME like the basic tier — every certification body sets its own fee. You also pay the basic Cyber Essentials cost first, because CE+ requires a passing CE certificate as the prerequisite. See our full Cyber Essentials Plus guide for the audit timeline.
The hidden costs of Cyber Essentials nobody tells you about
The IASME assessment fee is the headline Cyber Essentials cost — but for most SMEs it’s only 15–30% of the real first-year spend. Here are the hidden costs:
1. Pre-assessment / gap analysis (£0 – £1,500)
If you complete the SAQ blind, expect to fail. A pre-assessment gap analysis from a Cyber Essentials consultancy typically costs £750–£1,500 for a small business and identifies the controls you’ll fail on before you submit. Doing the gap analysis yourself is free, but the time cost is 6–12 hours of senior IT time.
2. Multi-factor authentication tooling (£0 – £6/user/month)
Cyber Essentials requires MFA on all cloud services (M365, Google Workspace, your accounting platform, your CRM, etc.). Microsoft Authenticator and Google Authenticator are free. If you need a centralised MFA platform like Duo, budget £3–£6/user/month.
3. Endpoint protection / EDR (£3 – £8/user/month)
Built-in Microsoft Defender meets the malware-protection control on Windows. If you have a Mac fleet, Linux servers or want a single management pane, you’ll need a managed EDR product — Microsoft Defender for Business is £2.20/user/month, SentinelOne and CrowdStrike are £6–£10.
4. Patching tooling (£0 – £4/user/month)
Windows Update for Business and macOS auto-update are both free. The control requires patches to be applied within 14 days of release, so you need a way to enforce it — Microsoft Intune, Action1 or NinjaOne for £2–£4/user/month.
5. Remediation labour (£500 – £3,000)
The biggest hidden Cyber Essentials cost. You’ll likely need to: enable MFA on every service, remove ex-staff accounts, retire unsupported software (Windows 10 after October 2025, Office 2016, Java 8), close exposed RDP, change default router admin passwords, and document a software inventory. A small-business IT partner typically charges £500–£3,000 for the remediation sprint depending on findings.
6. Consultancy / Cyber Essentials body fees (£500 – £2,500)
If you don’t have in-house IT, a Cyber Essentials consultancy will run the SAQ for you. Expect £500 for a hand-holding service on the SAQ and £1,000–£2,500 for full prep + submission for Cyber Essentials Plus.
Real cyber essentials cost — three SMB scenarios
| Scenario | IASME fee | Hidden costs | Total first-year cost |
|---|---|---|---|
| 5-person consultancy — M365, MFA already on, no Mac | £300 | £250 (light remediation) | £550 + VAT |
| 25-person agency — M365, mixed Win/Mac, BYOD phones | £400 | £1,500 (EDR, MDM, remediation) | £1,900 + VAT |
| 80-person manufacturer — on-prem servers, legacy line-of-business app | £450 | £3,500 (server patching, app upgrades, consultancy) | £3,950 + VAT |
For Cyber Essentials Plus, add £1,500–£8,000 on top depending on device count. So the 25-person agency above is looking at £3,400–£4,400 first-year for CE + CE+ combined.
The managed alternative — fixed cyber essentials cost from £103/month
The DIY route is workable if you have in-house IT and time. For everyone else, the managed model rolls every line item above into a single per-user monthly fee:
- Compliance agent on every device that auto-checks the five technical controls daily
- Patching, EDR, MFA and policy templates bundled in
- SAQ submission, audit prep and annual renewal handled for you
- Free £25,000 cyber-liability insurance for eligible UK businesses
Connection Technologies’ RRP is £103/month for 1–9 users, scaling to £475/month for 100–249 users. See the full Cyber Essentials & CE+ pricing tables.
Cyber Essentials cost vs the cost of not certifying
The DCMS Cyber Security Breaches Survey 2025 puts the average cost of a single cyber breach at £15,300 for a UK SME. The average ransomware demand on a UK SME is now £25,000+. By comparison, Cyber Essentials at £300 + remediation typically pays for itself the first time it forces you to enable MFA on M365 admin accounts.
You’ll also need it for: most UK central government contracts, an increasing number of enterprise procurement RFPs, NHS supplier frameworks, MoD subcontracts and a growing list of cyber-insurance underwriters who now refuse to quote without it.
Get Cyber Essentials & Cyber Essentials Plus — fully managed
Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.
Frequently asked questions about cyber essentials cost
The IASME assessment fee for Cyber Essentials in 2026 ranges from £300 + VAT (micro, 0-9 staff) to £500 + VAT (large, 250+ staff). For most SMEs (10-49 staff) the cost is £400 + VAT. Add prep, remediation and tooling and the realistic total first-year cost for a 25-person business is £1,500–£3,000.
Cyber Essentials Plus costs £1,500–£8,000 + VAT depending on device count, plus the basic Cyber Essentials fee underneath. CE+ is independently audited via external vulnerability scans and an authenticated sample of your devices, so pricing is set by each certification body rather than IASME.
The IASME fee covers access to the assessment portal, the 64-question SAQ, one assessor review, one free re-submission within 48 hours, the certificate and badge if you pass, and free £25,000 cyber-liability insurance for eligible UK businesses with under £20m turnover.
Yes — the IASME fee is typically only 15-30% of the real first-year cost. Expect additional spend on multi-factor authentication tooling, endpoint protection, patching automation, remediation labour and (often) consultancy or pre-assessment gap analysis. Plan for £1,000–£3,000 of “hidden” cost on top of the IASME fee.
For most UK SMEs, yes. Cyber Essentials is mandatory for many central-government contracts, an increasing number of enterprise procurement RFPs and several cyber-insurance underwriters. The DCMS puts the average UK SME breach at £15,300 — Cyber Essentials at £300–£500 plus remediation routinely pays for itself the first time it forces MFA on M365 admin accounts.
Yes — Cyber Essentials and Cyber Essentials Plus fees, related consultancy and any tooling you buy to pass (EDR, MFA, MDM) are all allowable business expenses for UK Corporation Tax purposes. VAT-registered businesses can also reclaim the VAT.
