Cyber Essentials vs Cyber Essentials Plus: What’s Changed in 2026?



Cyber security in 2026 won’t be defined by one big breakthrough attack—it’ll be defined by the quiet, consistent application of foundational controls.

For UK organisations, the benchmark for this resilience is the Cyber Essentials scheme. But with significant changes arriving in April 2026 under the new ‘Danzell’ standard, the question isn’t just “which certification should we get?” It’s “are we actually ready?”

This guide cuts through the confusion. We’ll explain the real difference between Cyber Essentials (CE) and Cyber Essentials Plus (CE+), break down the costs, and show you what’s changed in 2026—and why it matters for your business.

 

What’s the Real Difference Between Cyber Essentials and Cyber Essentials Plus?

The distinction is simple but crucial: Cyber Essentials is what you say you do. Cyber Essentials Plus is what you prove you do.

Cyber Essentials (CE) is a self-assessed certification. You complete a questionnaire covering five core security controls, an external certifying body verifies your answers, and you’re certified. It’s like an MOT for your cyber security—you’re confirming the basics are in place.

Cyber Essentials Plus (CE+) takes this further. After achieving CE, you undergo a rigorous hands-on technical audit by an independent assessor who actively tests your controls. They scan your networks, check your configurations, test your patches, and verify your defences actually work in practice. It’s the difference between saying you have firewalls and proving they block attacks.

For UK organisations, this distinction matters enormously—especially now.

 

The Five Core Controls (Same for Both)

Whether you’re pursuing CE or CE+, both certifications are built on the same five foundational controls:

  1. Firewalls and network segmentation — Your first line of defence against unauthorised external access. Default passwords changed, unnecessary ports closed, configuration hardened.
  2. Secure configuration — Devices and software hardened from default settings. Unused software removed, autorun disabled, security features enabled from day one.
  3. User access controls — Based on the principle of least privilege: users only access what they need. Administrative accounts separate and used sparingly.
  4. Malware protection — Anti-malware, application allow-listing, or sandboxing to prevent malicious code execution.
  5. Patch management — All software licensed, supported, and updated promptly. Critical and high-risk security updates applied within 14 days of release.

The controls themselves haven’t changed. What’s changed is the enforcement rigour and the scope of what must be protected—especially cloud services.


Cyber Essentials vs Cyber Essentials Plus: Head-to-Head Comparison

| Aspect | Cyber Essentials (CE) | Cyber Essentials Plus (CE+) |
|---|---|---|
| Assessment Type | Self-assessment questionnaire verified by certifying body | Hands-on technical audit by independent assessor |
| Assurance Level | Demonstrates commitment to security; based on your self-declaration | Proves controls are implemented and effective; based on independent testing |
| What Gets Tested | Your policies and documented processes | Your actual systems, networks, and configurations in practice |
| Scope | Five core controls across defined IT environment | Five core controls plus external vulnerability scanning, internal testing, device sampling |
| Cost | £300–£600 + VAT (approx.) | £1,500–£4,250+ + VAT (depends on network complexity) |
| Time to Certification | 4–6 weeks typical | 6–12 weeks typical (includes assessment, remediation, re-test if needed) |
| Validity | 12 months; annual renewal required | 12 months; annual renewal required |
| Who It’s For | Start-ups, smaller SMEs, organisations getting started with formal security | Larger SMEs, organisations handling sensitive data, government/corporate contractors |

 

Key insight: Cost difference reflects reality. CE+ requires an assessor’s time, technical expertise, and active testing. You’re buying independent verification, not just paperwork.

 

What Changed in April 2026? The Danzell Standard and Why It Matters

The National Cyber Security Centre (NCSC) updated the Cyber Essentials scheme effective 27 April 2026 with new ‘Danzell’ standards (version 3.3 of the Requirements for IT Infrastructure). These aren’t minor tweaks—they’re a significant tightening of expectations.

 

The Three Biggest Changes

1. Mandatory Multi-Factor Authentication (MFA) for Cloud Services

What changed: MFA is now mandatory for all cloud services where it’s available—even if it costs extra.

Previously: MFA was “recommended” for cloud services. Many organisations skipped it if it required additional licensing.

Now: Missing MFA = automatic failure of your assessment. No exceptions.

What this means: If your team uses Microsoft 365, Salesforce, Slack, Google Workspace, or any other cloud platform, MFA must be enabled and enforced for all users. This is no longer optional.

Cost impact: Most cloud providers include MFA at no extra cost, but some (older systems) may charge for premium authentication. Budget for potential licensing upgrades.

2. Stricter Cloud Service Scoping

What changed: All cloud services are now explicitly in scope. You can’t argue a cloud service is “out of scope” just because it’s not on-premises.

Previously: Organisations could sometimes define their “scope” narrowly to exclude certain cloud services.

Now: Any cloud service that stores or processes organisational data must meet the five controls. This includes file storage (OneDrive, Google Drive), email (Microsoft 365), collaboration tools (Teams, Slack), and more.

What this means: You must conduct a complete inventory of all cloud services in use—including shadow IT you might not have known about. Each must be assessed against the five controls.

3. Automatic Failures for Non-Compliance

What changed: Failure to meet MFA and patch management rules now results in an automatic failure. There’s no discretion or partial credit.

Previously: Some flexibility existed for documented exceptions or remediation plans.

Now: If MFA isn’t enabled on cloud services or critical patches aren’t applied within 14 days, your assessment fails. Period.

What this means: You can’t negotiate or explain your way past these controls anymore. They must be implemented before your assessment.

 

Why Did These Changes Happen?

Attackers consistently exploit three weaknesses:

  • Weak or missing MFA — Allows credential-based attacks and account takeovers
  • Unpatched systems — Enables exploitation of known vulnerabilities
  • Unmanaged cloud services — Creates blind spots in security

By enforcing these rigorously, the NCSC is pushing UK organisations to eliminate the low-hanging fruit attackers exploit most.

 

Who Should Get Cyber Essentials? Who Needs Plus?

Choose Cyber Essentials (CE) If:

  • You’re a start-up or very small business (under 20 employees) getting formal security processes in place
  • You’re not yet handling sensitive personal or financial data at scale
  • You’re not required by clients or regulators to prove your security
  • You want to establish a security baseline cost-effectively
  • You have time to work through the self-assessment internally

Realistic timeline: 4–6 weeks from decision to certification.

Choose Cyber Essentials Plus (CE+) If:

  • You’re a mid-market SME (50–1000+ employees) or handling significant customer/sensitive data
  • You bid for government, corporate, or regulated industry contracts (finance, legal, healthcare, etc.)
  • Your clients or partners ask for proof of certified security
  • You want independent verification that your controls actually work
  • You need to demonstrate resilience to stakeholders, insurers, or regulators
  • You’re operating under GDPR, FCA, or PCI-DSS requirements where security audits are expected

Realistic timeline: 8–12 weeks from decision to certification (including potential remediation).

Pragmatic approach: Many organisations start with CE to establish baseline controls, then move to CE+ as they grow or as business requirements demand it. CE+ costs more upfront, but it provides the assurance that competitive tenders and partnerships increasingly require.

Preparing for Cyber Essentials Certification: Your Strategic Steps

Regardless of whether you choose CE or CE+, preparation is the difference between smooth certification and failed assessments. Here’s what’s required:

Step 1: Define Your IT Scope

What you must do:

  • Create a complete inventory of all devices, servers, and cloud services
  • Document which are in-scope for Cyber Essentials (hint: with 2026 Danzell changes, cloud services you previously excluded are now in-scope)
  • Identify network boundaries and external access points

Why it matters: Scope defines what’s assessed. Weak scoping creates failed assessments because assessors find unmanaged assets outside your declared scope.

Step 2: Assess Against the Five Controls

What you must do:

  • Verify firewalls are properly configured with default passwords changed
  • Check that devices are hardened (unnecessary software removed, security settings enabled)
  • Confirm user access follows least-privilege principles
  • Verify anti-malware is installed and active across all devices
  • Check patch management process—are critical updates applied within 14 days?

For CE+: This assessment is more rigorous. An independent assessor will actively test these controls.

Step 3: Implement MFA Across Cloud Services (Critical for 2026)

What you must do:

  • Enable MFA on Microsoft 365, Google Workspace, Salesforce, or any other cloud platform in use
  • Enforce MFA for all users, not just administrators
  • Test that MFA is actually working and users understand how to use it

Cost: Usually included in existing cloud subscriptions, but verify with your providers.

Step 4: Verify Patch Management Process

What you must do:

  • Document your process for applying security updates
  • Verify critical and high-risk patches are applied within 14 days
  • Test this process works (don’t just assume it does)

For CE+: Assessors will review patch history and may send test patches to verify your process works in practice.
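One way to test the 14-day rule against your own patch records rather than assuming it holds. This is an added example, not code from the article or from ITB; the inventory fields, hostnames, products and dates are constructed for illustration, and the rule it encodes is the one stated above: critical and high-risk updates applied within 14 days of release, and no unsupported software.

```python
"""Added example: check a software inventory against the Cyber Essentials 14-day patch window."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)          # critical/high-risk updates within 14 days of release
IN_WINDOW_SEVERITIES = {"critical", "high"}

@dataclass
class Update:
    host: str
    product: str
    severity: str             # "critical", "high", "medium" or "low"
    released: date            # vendor release date of the fix
    applied: Optional[date]   # None if not yet installed
    supported: bool = True    # False if the vendor no longer supports this version

def assess_update(u: Update, today: date) -> str:
    """Classify one update against the 14-day rule."""
    if not u.supported:
        return "unsupported"   # unsupported software fails the control regardless of patching
    if u.severity.lower() not in IN_WINDOW_SEVERITIES:
        return "n/a"           # the 14-day deadline applies to critical/high-risk fixes only
    deadline = u.released + PATCH_WINDOW
    if u.applied is None:
        return "pending" if today <= deadline else "overdue"
    return "ok" if u.applied <= deadline else "late"   # late: installed, but outside the window

def assess_inventory(updates: List[Update], today: date) -> Dict[str, List[str]]:
    """Group host:product identifiers by status so gaps are easy to act on."""
    findings: Dict[str, List[str]] = {}
    for u in updates:
        findings.setdefault(assess_update(u, today), []).append(f"{u.host}:{u.product}")
    return findings

def meets_patch_control(findings: Dict[str, List[str]]) -> bool:
    """Any overdue, late or unsupported item is a gap to close before the assessment."""
    return not any(findings.get(k) for k in ("overdue", "late", "unsupported"))

# Constructed sample inventory; hostnames, products and dates are illustrative only.
TODAY = date(2026, 5, 15)
SAMPLE = [
    Update("ws-01", "Windows 11", "critical", date(2026, 4, 20), date(2026, 4, 28)),
    Update("ws-02", "Chrome", "high", date(2026, 4, 25), None),           # deadline 9 May passed
    Update("srv-01", "OpenSSL", "critical", date(2026, 5, 10), None),     # deadline 24 May, still open
    Update("ws-03", "Office", "medium", date(2026, 4, 1), None),          # not a 14-day item
    Update("srv-02", "LegacyERP 4", "critical", date(2026, 4, 1), date(2026, 4, 20), supported=False),
    Update("ws-04", "Firefox", "high", date(2026, 4, 1), date(2026, 4, 20)),  # installed 5 days late
]

if __name__ == "__main__":
    result = assess_inventory(SAMPLE, TODAY)
    for status in ("overdue", "late", "unsupported", "pending"):
        print(f"{status:12s} {result.get(status, [])}")
    print("patch control met:", meets_patch_control(result))
```

Run it over an export from your patch management tool (mapped into `Update` records) and treat every "overdue", "late" or "unsupported" entry as a remediation item for the gap analysis in Step 5.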

Step 5: Conduct a Gap Analysis

What you must do:

  • Against each of the five controls, identify what’s missing or misconfigured
  • Prioritise remediation (fixes that unlock certification vs. nice-to-haves)
  • Create a remediation plan with timeline and ownership

For CE+: This gap analysis is critical because assessor time (and cost) increases if major gaps are found.

Security Assessments and Cyber Essentials Certification: How ITB Helps

This preparation process—defining scope, assessing controls, identifying gaps, implementing fixes—is where many organisations struggle. Not because the controls are complex, but because security maturity is fragmented across IT, operations, and sometimes external vendors.

That’s where expert guidance makes the difference.

At ITB, we help UK organisations prepare for and achieve Cyber Essentials certification by:

  • Scoping your IT environment accurately — We work with your team to identify all devices, servers, and cloud services, ensuring nothing is missed or incorrectly excluded
  • Conducting a security assessment aligned to Cyber Essentials — We assess your current controls against the five key areas, documenting what’s working and what needs attention
  • Creating a remediation roadmap — We prioritise fixes based on impact and effort, giving you a clear plan to close gaps before your formal assessment
  • Supporting your transition to CE+ — If you’re moving beyond CE, we help you prepare for the more rigorous technical audit, reducing surprises and re-test costs

The outcome: You go into your formal Cyber Essentials assessment confident your controls are in place and working. No last-minute scrambling. No failed assessments requiring expensive re-tests.

 

Moving Forward: Your Next Steps

The April 2026 Danzell changes represent a genuine shift in expectations. The era of treating Cyber Essentials as a tick-box compliance exercise is over. These changes enforce the controls that actually matter—the ones attackers exploit every day.

For UK organisations, this is an opportunity. By acting now—auditing your current state, implementing MFA across cloud services, and getting your controls in order—you’re not just chasing a certificate. You’re building genuine resilience.

Here’s what to do:

1. Assess your current state. Understand which five controls you’re strong in and where you have gaps. If you’re using cloud services, MFA must be a priority.

2. Define your scope. Create an inventory of all devices and cloud services in your IT environment. With 2026 Danzell changes, cloud services you previously excluded are now in scope.

3. Choose your path. Decide whether CE or CE+ is right for your business. For most mid-market UK organisations handling customer or sensitive data, CE+ is increasingly the responsible choice.

4. Get expert support if you need it. Preparing for certification—especially CE+—is more effective with guidance. A security assessment aligned to Cyber Essentials helps you avoid last-minute surprises and failed audits.

5. Plan for renewal. Remember: your certification is valid for 12 months. Start preparation 2–3 months before renewal so you have time to address any gaps discovered during assessment.


Conclusion: Cyber Essentials in 2026—What It Really Means

Cyber Essentials and Cyber Essentials Plus aren’t just government schemes or compliance checkboxes. They’re frameworks for the foundational security that separates resilient organisations from vulnerable ones.

The 2026 Danzell changes—mandatory MFA, stricter cloud service scoping, automatic failures for non-compliance—reflect a clear reality: the basics work. When organisations consistently apply these five controls, they eliminate the majority of successful attacks.

For your business, the question isn’t “Are we certified?” It’s “Are we secure?” Certification is the proof; security is the point.

If you’re ready to assess your current security posture against Cyber Essentials standards, or if you want expert guidance preparing for CE or CE+ certification, we’re here to help. A conversation with our team can clarify where you stand and what your next steps should be.

Ready to discuss your security assessment and Cyber Essentials certification path? Get in touch—we work with UK organisations of all sizes to build practical, resilient security.

FAQs

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessed certification based on your documented policies and processes. Cyber Essentials Plus adds an independent technical audit where an assessor actively tests your controls to verify they work in practice. CE+ requires CE as a prerequisite and provides significantly higher assurance—useful if you're tendering for government or corporate contracts.

How much do Cyber Essentials and Cyber Essentials Plus cost?

Cyber Essentials typically costs £300–£600 + VAT for the assessment. Cyber Essentials Plus costs £1,500–£4,250+ + VAT depending on network complexity. The main cost driver for CE+ is assessor time for the hands-on technical audit. Both certifications are valid for 12 months and must be renewed annually.

What changed in April 2026?

Three major changes take effect from 27 April 2026:

  • Mandatory MFA — Multi-Factor Authentication is now required for all cloud services where available (even if it costs extra). Missing MFA = automatic failure.
  • Stricter cloud service scoping — All cloud services that store or process organisational data are now in scope. You can't exclude them anymore.
  • Automatic failures — Non-compliance with MFA and patch management rules now results in automatic assessment failure, with no discretion for exceptions.

Are cloud services in scope for Cyber Essentials?

Yes. Under the 2026 Danzell standard, all cloud services that store or process organisational data are explicitly in scope. This includes Microsoft 365, Google Workspace, Salesforce, cloud storage, and collaboration tools. You must enable MFA and ensure these services comply with the five core controls.

Can we go straight to Cyber Essentials Plus without Cyber Essentials?

No. You must hold a valid, current Cyber Essentials certification to be eligible for the CE+ technical audit. Think of CE as the prerequisite. Many organisations pursue CE first, then move to CE+ once they've established their baseline controls.

What happens if we fail the assessment?

Your assessor will provide a detailed report of areas where you haven't met the standard. You'll have a remediation period (typically a few days to weeks) to fix the identified issues. You'll then be re-assessed, usually at no additional cost for the first re-test. Common failures are missing patches or MFA not properly configured—both are fixable.

How long is certification valid?

Both Cyber Essentials and Cyber Essentials Plus certifications are valid for 12 months. You must renew annually to maintain your certified status. When you renew after 27 April 2026, you'll be assessed against the new Danzell standards (version 3.3).

What if we are already certified?

Your existing certification remains valid for 12 months. However, when you come to renew after 27 April 2026, you'll be assessed against the new, stricter Danzell requirements. This means you may discover new gaps (especially around MFA and cloud service scoping) that weren't required under the previous standard.

Is funding available for certification?

Possibly. The NCSC has previously run funded programmes for small businesses in high-risk sectors (AI, quantum, semiconductors). The Scottish Government also funds SMEs pursuing certification. Check Innovate UK, the NCSC website, and regional business support organisations for current funding availability.

Why does Cyber Essentials Plus cost more?

CE costs £300–£600 + VAT because it's a self-assessment review. CE+ costs £1,500–£4,250+ + VAT because it includes a full technical audit by an independent assessor. The assessor's time is the primary cost driver—the more complex your network, the longer the audit, the higher the cost. However, CE+ provides independent verification that your controls actually work, which is increasingly a requirement for business tenders and partnerships.

Why is MFA now mandatory?

Attackers consistently exploit weak or missing authentication to gain access. By enforcing MFA across cloud services, the NCSC is removing one of the easiest attack vectors. Organisations with MFA see dramatically lower breach rates. This is why it's now non-negotiable.

How do we prepare for certification?

Start with a complete inventory of your IT environment (devices, servers, cloud services). Then assess yourself against the five core controls: firewalls, secure configuration, user access control, malware protection, and patch management. Identify gaps, prioritise remediation, and fix issues before your formal assessment. For CE+, you'll also need to be ready for technical testing (vulnerability scans, patch verification, MFA testing).