Cyber Essentials vs Cyber Essentials Plus: Which One Does Your UK Business Actually Need?

2026-04-16 · 8 min read

You have been sent a tender document. Somewhere on page 14 there is a line that says "Suppliers must hold Cyber Essentials" or "Suppliers must hold Cyber Essentials Plus." Those two words change everything: the cost, the timeline, the audit depth, and whether your bid is even valid. Most UK SMB owners discover the difference the hard way, usually the week before a submission deadline. With 43% of UK businesses suffering a breach in 2025 (Cyber Security Breaches Survey) and 97% still not holding either certification, the gap between "aware of it" and "certified for it" has become a commercial filter. This article breaks down what actually separates the two tiers, which one each buyer type demands, and whether pre-assessment tools genuinely compress the timeline or just add another subscription to your stack.

What Is the Real Difference Between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment. You answer a questionnaire covering the five core controls (firewalls, secure configuration, user access control, malware protection, security update management), you sign off that your answers are accurate, and a certification body reviews the paperwork. That is it. Cyber Essentials Plus keeps the same five controls but adds a hands-on technical audit by an external assessor who runs vulnerability scans against your machines, tests your patching, checks malware protection on a sample of devices, and validates MFA on cloud services. The framework is identical. The evidence standard is not. One trusts your word. The other verifies it. That distinction is why a Plus certificate costs roughly three to five times more than the basic tier and why insurers increasingly ask which one you hold before quoting your renewal premium.

Which Certification Do UK Government Contracts Actually Require?

The rule has been steady since 2014: any central government contract involving the handling of personal information or delivery of ICT products and services requires suppliers to hold Cyber Essentials as a minimum. Where contracts involve sensitive or personal data at scale, buyers specify Cyber Essentials Plus. MoD contracts, Crown Commercial Service frameworks handling citizen data, and most NHS procurement lean Plus. Private supply chains are a different animal. Large enterprises cascading requirements down (M&S, Co-op, Harrods all tightened vendor controls after their combined 300M+ GBP incident impact in 2025) typically demand Plus from Tier 1 suppliers and basic Cyber Essentials from Tier 2. Read the tender carefully: "equivalent" language often means the buyer will accept ISO 27001 or SOC 2 in lieu, but only if the mappings are documented. The multi-framework overlap strategy saves serious duplicate work here.

How Much Does Each Tier Actually Cost in 2026?

Certification fees alone are the tip of the iceberg. Basic Cyber Essentials runs from 320 GBP to 600 GBP depending on company size. Cyber Essentials Plus sits between 1,500 GBP and 3,500 GBP for most SMBs, rising sharply if you have more than 50 devices or a messy cloud estate. That is the invoice. The real cost is remediation. 41% of first-time Plus applicants fail the initial audit (MoneyGeek reports a near-identical 41% denial rate on cyber insurance applications, which is not coincidence: both checks look for the same gaps). Compare that to what an incident costs you: the average cyber claim payout is $345,000 (Atlantic Digital). Compare it to a traditional MSP at 100-250 EUR/user/month, or to Vanta and Drata at 7,500-50,000 EUR/year with no actual remediation included. Our IT cost calculator shows the full-stack comparison for your headcount.

Item                          | Cyber Essentials                                  | Cyber Essentials Plus
------------------------------+---------------------------------------------------+----------------------------------------------------
Assessment type               | Self-assessment questionnaire                     | Hands-on technical audit
Certification fee (typical SMB) | 320-600 GBP                                     | 1,500-3,500 GBP
Vulnerability scan            | Not included                                      | Required
Audit duration                | Paperwork review (days)                           | On-site / remote testing (1-3 days)
Validity                      | 12 months                                         | 12 months
Typical buyer demand          | Public sector basic contracts, Tier 2 supply chain | MoD, NHS data-heavy, Tier 1 supply chain, insurers
First-time pass rate          | ~80%                                              | ~59%

Why Do So Many SMBs Fail the Plus Audit on First Attempt?

The failure pattern is predictable. An assessor connects, runs an authenticated scan, and finds the same four issues across nearly every failed audit: unpatched third-party software (Adobe Reader, Zoom, Java runtime leftovers), missing MFA on at least one cloud admin account, high-risk ports open on a router nobody reconfigured since installation, and a device with expired malware protection because a licence lapsed. These are not exotic problems. They are the residue of an IT setup that nobody checks weekly. 77% of IT admins describe their job as stressful (JumpCloud), and the stress is exactly why patch cycles slip. The five Cyber Essentials controls map almost perfectly onto a standard cybersecurity checklist for SMBs, and running through that checklist two weeks before booking the audit raises your pass probability from coin-flip to near-certain. Fail once and you pay for the re-test.


Do Automated Pre-Assessment Tools Actually Cut Preparation Time?

Short answer: yes, but only if the tool does remediation rather than reporting. Vanta and Drata map your controls, tell you what is missing, and hand you a PDF. You still need to patch the machines, enforce MFA, and reconfigure the firewall yourself, which is exactly the work that took you weeks in the first place. A tool that scans your estate, identifies the gap, and fixes it the same day is a different category. Fusion AI connects in about 45 minutes, produces its first gap report within 48 hours, and executes most of the standard remediations (patch deployment, MFA enforcement, malware signature updates, firewall rule tightening) without a human ticket. Teams hitting the five Cyber Essentials controls this way reach audit-ready status inside 30 days rather than the typical 90-120. The cost of not having compliance makes the maths obvious quickly.

Is Cyber Essentials Plus Worth the Extra Spend for a Small Business?

If you sell to government, regulated industries, or any enterprise with a serious procurement function, Plus is not optional. 67% of vendors lost contracts in 2024 due to missing compliance proof (Marsh McLennan), and "we have Cyber Essentials" increasingly triggers a follow-up question: "Plus, or just basic?" Insurers treat Plus as a strong signal too: holding it correlates with lower premiums and a higher chance of approval on first submission. If you are a purely B2C service with no enterprise clients and no regulated data, basic Cyber Essentials plus a clean backup and incident response posture may be enough for the next 12 months. But with ICO fines jumping 7x in 2025 (from 2.7M to 19.6M GBP) and 1 in 3 SMBs hit by a cyberattack in 2024 (BizTech Magazine), the gap between "enough for now" and "enough when something goes wrong" is closing fast.

What Are the Five Controls Both Tiers Check?

Firewalls: boundary firewalls and software firewalls must be in place and properly configured, with default passwords changed.
Secure configuration: default accounts disabled, unnecessary software removed, auto-run disabled on removable media.
User access control: admin accounts separated from daily user accounts, MFA on all cloud services, access reviewed quarterly.
Malware protection: endpoint antivirus active with signatures updated daily, or application allow-listing enforced.
Security update management: high and critical patches applied within 14 days of vendor release.

These five read like common sense. They are also the same controls cyber insurers verify before renewing a policy, which is why the four controls your insurer will actually check cover four of the five. Pass Cyber Essentials cleanly and your compliance is the natural byproduct of good IT management, not a parallel project.
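As an added illustration (not code from this article, from Fusion AI, or from any certification body), the following Python script performs the kind of pre-audit gap check described in the failure-pattern section above, applied over a constructed asset inventory using the five controls as rules: the 14-day window for high and critical patches, daily signature updates (or allow-listing in its place), MFA on every cloud account, a quarterly access review, default passwords changed and no undocumented exposed inbound ports on the boundary firewall, and default accounts and auto-run disabled on endpoints. The inventory records and their field names are assumptions about how an SMB might export such data, the 92-day review threshold is an assumed reading of "quarterly", and the sample data is constructed so that it reproduces the four typical first-audit failures named earlier (stale Adobe Reader, an admin account without MFA, RDP exposed on the edge router, and lapsed malware signatures).

```python
"""Pre-audit gap check against the five Cyber Essentials controls.

Added example, not code from the article or any certification body.
The inventory below is constructed; field names are assumptions.
"""
from datetime import date

PATCH_SLA_DAYS = 14              # high/critical patches within 14 days of release
SIGNATURE_MAX_AGE_DAYS = 1       # antivirus signatures updated daily
ACCESS_REVIEW_MAX_AGE_DAYS = 92  # assumed reading of "reviewed quarterly"
REPORT_DATE = date(2026, 4, 16)  # constructed "today" for a repeatable run

CONTROLS = ("Firewalls", "Secure configuration", "User access control",
            "Malware protection", "Security update management")

# Constructed inventory: one record per device, router or cloud account.
INVENTORY = [
    {"id": "EDGE-RTR", "kind": "firewall", "default_password_changed": True,
     "exposed_inbound_ports": ["tcp/443", "tcp/3389"],
     "approved_inbound_ports": ["tcp/443"]},
    {"id": "LAPTOP-01", "kind": "endpoint", "default_accounts_disabled": True,
     "autorun_disabled": True, "av_enabled": True, "av_signature_date": "2026-04-16",
     "pending_critical_patches": [{"name": "Adobe Reader", "released": "2026-03-20"},
                                  {"name": "Java runtime", "released": "2026-04-10"}]},
    {"id": "LAPTOP-02", "kind": "endpoint", "default_accounts_disabled": True,
     "autorun_disabled": False, "av_enabled": True, "av_signature_date": "2026-03-01",
     "pending_critical_patches": []},
    {"id": "m365-admin", "kind": "cloud_account", "admin": True,
     "mfa_enabled": False, "last_access_review": "2026-02-10"},
    {"id": "m365-user", "kind": "cloud_account", "admin": False,
     "mfa_enabled": True, "last_access_review": "2026-02-10"},
]


def _age_days(iso_date, today):
    """Whole days elapsed between an ISO date string and `today`."""
    return (today - date.fromisoformat(iso_date)).days


def check_asset(asset, today):
    """Return a list of (control, message) findings for one inventory record."""
    findings = []
    name, kind = asset["id"], asset["kind"]
    if kind == "firewall":
        if not asset["default_password_changed"]:
            findings.append(("Firewalls", f"{name}: default admin password still in use"))
        for port in asset["exposed_inbound_ports"]:
            if port not in asset["approved_inbound_ports"]:
                findings.append(("Firewalls", f"{name}: inbound {port} exposed without a documented need"))
    elif kind == "endpoint":
        if not asset["default_accounts_disabled"]:
            findings.append(("Secure configuration", f"{name}: default accounts still enabled"))
        if not asset["autorun_disabled"]:
            findings.append(("Secure configuration", f"{name}: auto-run enabled for removable media"))
        # Malware protection is satisfied by enforced allow-listing OR current antivirus.
        if not asset.get("allowlisting_enforced", False):
            if not asset["av_enabled"]:
                findings.append(("Malware protection", f"{name}: no active antivirus"))
            elif _age_days(asset["av_signature_date"], today) > SIGNATURE_MAX_AGE_DAYS:
                findings.append(("Malware protection", f"{name}: signatures last updated {asset['av_signature_date']}"))
        for patch in asset["pending_critical_patches"]:
            age = _age_days(patch["released"], today)
            if age > PATCH_SLA_DAYS:  # inside the 14-day window is not yet a finding
                findings.append(("Security update management",
                                 f"{name}: {patch['name']} critical patch outstanding {age} days (limit {PATCH_SLA_DAYS})"))
    elif kind == "cloud_account":
        if not asset["mfa_enabled"]:
            role = "admin" if asset["admin"] else "user"
            findings.append(("User access control", f"{name}: {role} account without MFA"))
        if _age_days(asset["last_access_review"], today) > ACCESS_REVIEW_MAX_AGE_DAYS:
            findings.append(("User access control", f"{name}: access not reviewed in the last quarter"))
    return findings


def gap_report(inventory, today):
    """Group findings per control so the output mirrors the assessor's five headings."""
    report = {control: [] for control in CONTROLS}
    for asset in inventory:
        for control, message in check_asset(asset, today):
            report[control].append(message)
    return report


def audit_ready(report):
    """True only when every control has zero findings."""
    return not any(report.values())


if __name__ == "__main__":
    report = gap_report(INVENTORY, REPORT_DATE)
    for control, messages in report.items():
        print(f"{control}: {'PASS' if not messages else 'FAIL'}")
        for message in messages:
            print(f"  - {message}")
    print("Audit-ready:", audit_ready(report))
```

Run as-is it prints one finding under each of the five controls and "Audit-ready: False"; the Java runtime patch released six days earlier is deliberately not flagged, because the control allows 14 days. Point the same rules at a real export of your device, router and cloud-account data two weeks before booking the audit and the report is the remediation list the assessor would otherwise write for you.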


How Does This Compare to Paying an MSP vs Using Fusion AI?

Approach         | Monthly cost (25 users)            | Prep time to CE+ | Remediation included | Re-audit risk
-----------------+------------------------------------+------------------+----------------------+--------------
Traditional MSP  | 2,500-6,250 EUR                    | 90-120 days      | Yes, manual tickets  | Medium
Vanta / Drata    | 625-4,165 EUR + consultant fees    | 60-90 days       | No (reporting only)  | High
Fusion AI        | Flat SMB tier                      | ~30 days         | Yes, automated       | Low
DIY              | Owner time                         | 120+ days        | Self                 | Very high

Traditional MSPs bill per user and per ticket, so your Cyber Essentials Plus prep becomes a line-item project with a separate quote. Tooling-only platforms expose the gap but leave you to close it. The maths of breach risk is brutal: 1 in 3 SMBs hit, $345,000 average claim, 43% of UK businesses breached in 2025. A one-year certification renewal cycle that ends in failure costs more than the remediation subscription that would have prevented the fail. Our pricing page lays out the exact numbers for SMB brackets.

What About Related UK and EU Obligations?

Cyber Essentials is one framework among several UK and EU SMBs now juggle. If you have more than 50 employees or operate in a sector covered by the incoming UK Cyber Security and Resilience Bill, you will face additional reporting and control obligations beyond Cyber Essentials Plus. If you trade with EU customers, NIS2 probably applies to your business (64% of French SMBs still don't know what NIS2 is, which tells you how quietly this regulation is rolling out). 82.6% of phishing emails now contain AI-generated content, cyberattacks jumped 49% in H1 2025 (Identity Week), and "we are too small to be a target" is a statement that stopped being true years ago. Run the NIS2 quiz or the cybersecurity quiz to find out where you actually stand before a procurement officer asks.

Ready to Find Out Where Your Gaps Are?

The difference between Cyber Essentials and Cyber Essentials Plus is ultimately a question of evidence: whose word you take for it. Buyers are taking fewer words on trust and asking for more audits, and the SMBs winning contracts in 2026 are the ones that pass the audit the first time. Peace of mind is not a marketing line here; it is the difference between sleeping at night and rewriting your business plan after a failed bid or a ransomware event. If you want to know which tier your business actually needs, which controls you are missing today, and how long a clean Plus pass would take, run our free security scan. It connects in 45 minutes, produces a gap report in 48 hours, and tells you exactly what stands between you and a certificate. Then you can decide whether basic is enough, or whether Plus is the door you need to walk through.
