Cyber Essentials vs Cyber Essentials Plus: Which One Does Your Business Actually Need?

Key Takeaways

  • Cyber Essentials is a verified self-assessment; Cyber Essentials Plus adds an independent technical audit of your actual systems
  • Both levels cover the same five controls; the difference is the extent to which those controls are verified
  • From 27 April 2026, the new v3.3 (Danzell) rules are live: MFA and patching are now automatic fail points on both levels.
  • Pera Prometheus is an approved certifying body for both CE and CE+, so you can complete the whole process with one trusted partner.

Most UK businesses that ask about Cyber Essentials already know they need it. What is not always clear is which level is needed. The answer is invariably driven by contractual expectation, but it can also depend on who you’re supplying. This guide explains what separates the two levels, what each involves, and which one may apply to your business.

What Both Levels Have in Common: The Five Controls

Both Cyber Essentials and Cyber Essentials Plus assess the same five technical controls. Think of them as the minimum security standards the UK government expects from any business handling data or delivering services to others.

The five controls are: 

  • firewalls (blocking unauthorised access to your network); 
  • secure configuration (removing software and accounts that create unnecessary risk); 
  • user access control (limiting who can access what); 
  • malware protection (defending against ransomware and data theft); and 
  • patch management (applying critical updates within 14 days of release). 

The NCSC estimates these five controls stop around 80% of common cyber attacks.

Both levels certify that these controls are in place. What separates them is what happens during the verification.

Cyber Essentials: What the Self-Assessment Involves

Cyber Essentials is a verified self-assessment. Your organisation works through a structured question set, covering each of the five controls. A board-level director signs the declaration and an approved certifying body reviews and validates your answers. 

The certifying body checks for inconsistencies and gaps, but it is not a physical test of your actual systems. You describe what you have in place, and the certifying body confirms that the picture you provide is coherent. Certification costs start from £320 + VAT and the certificate is valid for 12 months. CE is the right starting point for most businesses. But if your contract or client specifies Plus, a self-assessment alone will not suffice.

Cyber Essentials Plus: What the Technical Audit Adds

CE+ starts where CE ends. If you require CE+, you have 3 months to complete the CE+ assessment from the date of achieving CE. If CE+ is not complete within this timeframe, you must go through the CE process again before applying for CE+.

Once you hold a valid CE certificate, an assessor runs a hands-on technical audit of your actual systems. The audit tests a representative sample of your user devices, scans all externally facing IP addresses, verifies that patches are genuinely applied within the 14-day window, and checks MFA configurations across your cloud services. You cannot talk your way through it. The controls either pass the test or they do not. If devices fail on the initial test, you have 30 days to remediate before re-testing. Certification costs start from £1550 + VAT depending on the size of your organisation.

So the question is: which level does your business actually need?

Which Level Applies to Your Business?

The answer sits with who you are supplying.

MOD and defence supply chain — CE is required under CSMv4 for all risk profile levels. CE+ is required, in addition to CE, for cyber risk profile levels 2 and 3.

Our guide to information and cybersecurity certifications explains where CE+ fits within the broader compliance landscape.

Central government contracts — CE is the standard minimum under Procurement Policy Note 014. CE+ is increasingly specified for contracts handling sensitive personal data or classified information.

NHS and healthcare suppliers — CE is the baseline under PPN 014 and it applies to NHS bodies too. CE+ is strongly recommended and increasingly mandated for contracts involving patient data.

Legal Aid suppliers — CE has been mandatory since October 2025 for all Standard Crime Contract holders. CE+ is advisable for firms handling sensitive client data at scale.

Enterprise and commercial supply chains — CE is sufficient for most. CE+ becomes relevant when your clients are large, regulated organisations like banks, insurers, or prime contractors who are pushing security requirements through their supply chains.

Charities — CE is available through a subsidised scheme, making it one of the most accessible routes to certification.

Whatever your sector, the 2026 changes to Cyber Essentials affect both levels and are worth understanding before you book an assessment.

What the New v3.3 Requirements Mean for Both Levels

From 27 April 2026, all new Cyber Essentials assessments run on the updated Danzell question set. Two changes catch businesses off guard.

First, MFA is now mandatory for every cloud service where it is available, whether free, included in your licence, or offered as a paid add-on. Not having it enabled is an automatic fail. Second, two new patching questions (A6.4 and A6.5) are automatic fail points: if you cannot show that critical and high-risk updates are applied within 14 days of release, certification is refused regardless of how well everything else scores. The board-level signatory now also formally commits to maintaining compliance throughout the full certification period, not just on the day of assessment. Our post on what is changing in Cyber Essentials in April 2026 covers every Danzell change in full.

Ready to Take the Next Step?

Working out which level applies to you is straightforward; preparing your systems to pass first time is where most businesses need support. At Pera Prometheus, we are an approved certifying body for both Cyber Essentials and Cyber Essentials Plus, and we guide organisations through the full process under one roof. Our CE and CE+ specialist, Amy Osborne, can support you on your journey from start to finish. Get in touch and let’s work out exactly what you need.

Frequently Asked Questions

Q: Can I go straight to Cyber Essentials Plus without doing Cyber Essentials first? 

A: You can complete both together, but CE+ requires a valid CE self-assessment as its foundation and you cannot bypass it. CE+ must be completed within 3 months of achieving CE.

Q: How long does the CE certification process take? 

A: The timeframe to achieve certification is largely in the organisation’s hands; the only stipulation is that you must pass CE within 6 months of being granted access to the CE questionnaire portal. Some SMEs will go from first submission to certification within a week, whereas others take a little longer. If you are new to the process, it is advisable to have some support during your certification journey to ensure your organisation is in the best position to meet the CE controls.

When moving on to CE+, organisations must be mindful that this will take around 4 to 6 weeks to achieve, depending on how quickly remediations are carried out.

Q: What happens if I fail the Cyber Essentials Plus audit? 

A: You have 30 days to fix the issues and re-test. If serious inconsistencies are found, your underlying CE certificate can also be revoked.

Q: Do I need to renew every year? 

A: Yes. Both CE and CE+ certificates last 12 months and must be renewed annually.

Q: My business uses cloud services, does that change what I need to do?

A: Yes. Under v3.3, MFA is mandatory on every cloud service that offers it; not having it enabled is an automatic fail on both CE and CE+. Our Cyber Essentials FAQs post covers the cloud requirements in detail.

Stay Safe, Stay Secure