
Cyber Essentials for Charities: A Practical Guide for UK Nonprofit Organisations

Jay Hopkins
Last reviewed: 18 April 2026
10 min read

Charities are increasingly being asked for Cyber Essentials by grant funders, local authority commissioners, and institutional donors. The trigger is usually a grant application that lists CE as a prerequisite or a commissioner's due diligence pack that asks whether the organisation holds current certification. What used to be a nice-to-have is becoming a funding gate.

This guide covers what certification actually entails for a UK charity, how the technical controls map to the kind of IT most nonprofits run, and the practical routes through certification for organisations on a tight budget.

Why charities are being asked for Cyber Essentials

Three overlapping pressures have pushed Cyber Essentials into charity due diligence:

The Charity Commission's cybersecurity guidance (updated in 2024 and 2026) recommends CE as a baseline control for charities handling personal data — which is nearly all of them. The guidance is not legally binding but it shapes trustee expectations and is referenced by insurers.

Grant funders increasingly require it. The National Lottery Community Fund, Comic Relief, and several local authority commissioning frameworks now list Cyber Essentials as a requirement for grants above certain thresholds. Others request evidence of "cybersecurity assurance" and accept CE as meeting that bar.

Institutional donors and corporate partners. Larger donors conducting due diligence on their grantees routinely ask for CE as part of supplier assurance. It is not universal but it is common enough that most charities applying for five- or six-figure grants should expect the question.

Insurance. Cyber insurance premiums for charities handling beneficiary data are increasingly conditional on CE. Some insurers will not quote without it.

What Cyber Essentials actually asks of a charity

The five control areas apply to charities the same way they apply to any other organisation. What differs is the typical infrastructure. Most UK charities run a setup that looks like:

  • Microsoft 365 or Google Workspace for email and documents
  • A small office (or no office) with laptops provided to paid staff
  • Volunteers using their own devices
  • A CRM or database (Salesforce, CiviCRM, Beacon, Donorfy, Raiser's Edge)
  • Fundraising platforms (JustGiving, Enthuse, Donorbox)
  • A website, usually WordPress or a hosted platform
  • Finance systems (Xero, QuickBooks, Sage)

    That setup maps cleanly onto the five CE control areas, but with some charity-specific wrinkles.

    The five controls, charity-specific

    Firewalls and internet gateways. For a charity with no office and everyone working from home, the requirement is met by the software firewall on each in-scope device (Windows Defender Firewall, the macOS application firewall), switched on for every network profile with inbound connections blocked by default. ISP-supplied home routers are not in scope unless the charity provided them, and you do not need to buy hardware firewalls. For a charity with a small office, the office router or firewall is the boundary and needs to meet the usual requirements: default passwords changed, the admin interface not reachable from the internet (or protected by MFA if it must be), unnecessary port-forwarding rules removed, firmware current. Most charities use whatever router the ISP provided; check when its firmware was last updated and whether it is still receiving updates at all, because a router that left vendor support three years ago fails the control on its own.

    Secure configuration. This is where charities most often have quiet gaps, and the gaps tend to straddle this control and user access control. Volunteers have been given email accounts but those accounts still exist two years after the volunteer stopped helping. Former trustees still have access to the CRM. A donor database has a shared login because "everyone needs access", which is not acceptable under the scheme since a shared credential cannot be tied to a person or protected by that person's MFA. The baseline ask is that default credentials are changed, unnecessary software and accounts (guest, unused admin) are removed or disabled, devices lock after a short period of inactivity, accounts are provisioned and deprovisioned through a process somebody owns, and users operate without local admin rights on their devices.

    Security update management. Updates that fix critical or high-severity vulnerabilities (CVSS v3 base score of 7 or above) must be installed within 14 days of release, on every in-scope device, and software the vendor no longer supports must be removed. The most common issue: a charity has Windows Update on but has not thought about the Chrome, Zoom and Adobe Reader installed on every machine, or about the Mac that has not had a macOS upgrade in two years. Every application needs a patching approach, which in practice means turning on each vendor's auto-update and checking, rather than assuming, that it is actually running.

    User access control. Under v3.3, every user account on every cloud service needs multi-factor authentication, administrator accounts included. For charities this means the CRM, the fundraising platform, the finance system, the website admin login and the email platform, not just the one service the charity thinks of as "the IT". This is the single biggest area charities need to tighten: MFA on the main email platform is usually done, but on the sector-specific tools it is often available and never enforced. The practical check is to list every cloud service that holds organisational data, then confirm in each one that MFA is enforced for all accounts rather than merely offered.

    Malware protection. Microsoft Defender Antivirus on every Windows device, active, with real-time protection on and signatures updating. Mac built-in protections (XProtect and Gatekeeper) active, or a supported third-party product. Coverage across every in-scope device, including the laptop the part-time fundraising officer uses one day a week.
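    As an added example (not Fig Group's tooling, and not an IASME-published checker), the PowerShell below spot-checks one Windows device against the device-level items above: firewall profiles, built-in accounts that should be disabled, local administrators, Defender state, operating-system support status and pending security updates, plus a listing of the third-party software that "Windows Update is on" tends to miss. The 7-day signature-age threshold and the Chrome/Zoom/Adobe name filter are my choices, not scheme numbers; the Windows 10 support date is Microsoft's. Run it in an elevated PowerShell session on the device being checked.

```powershell
# Added example, not Fig Group's tooling: spot-check one Windows device against the
# device-level Cyber Essentials controls. Run elevated (Run as administrator).
# Items marked ASSUMPTION are the author's thresholds, not figures from the CE requirements.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Firewalls: Domain, Private and Public profiles all enabled with inbound blocked by default
# (DefaultInboundAction of NotConfigured also means Block).
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled.ToString() -eq 'True') -and ($p.DefaultInboundAction.ToString() -ne 'Allow')
    Add-Finding 'Firewall' "Profile $($p.Name) on, inbound blocked" $ok `
        "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}

# Secure configuration: built-in Administrator (RID 500) and Guest (RID 501) disabled,
# matched by SID so a renamed account is still found.
$builtIn = @{ '*-500' = 'Administrator'; '*-501' = 'Guest' }
foreach ($u in Get-LocalUser) {
    foreach ($pattern in $builtIn.Keys) {
        if ($u.SID.Value -like $pattern) {
            Add-Finding 'Secure configuration' "Built-in $($builtIn[$pattern]) account ('$($u.Name)') disabled" `
                (-not $u.Enabled) "Enabled=$($u.Enabled)"
        }
    }
}

# User access control: no ordinary local user accounts in Administrators. Entra ID users show
# with PrincipalSource AzureAD and are listed in Detail for manual review.
$adminMembers = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$extraLocalAdmins = @($adminMembers | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500'
})
Add-Finding 'User access control' 'No extra local user accounts in Administrators (review the list)' `
    ($extraLocalAdmins.Count -eq 0) "Members: $(($adminMembers | ForEach-Object { $_.Name }) -join ', ')"

# Malware protection: Defender AV active with real-time protection and fresh signatures.
# If a third-party product is installed, Defender reports disabled here; check that product instead.
$mp = Get-MpComputerStatus
Add-Finding 'Malware protection' 'Defender AV with real-time protection' `
    ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
    "AV=$($mp.AntivirusEnabled) RTP=$($mp.RealTimeProtectionEnabled)"
Add-Finding 'Malware protection' 'Signatures no older than 7 days (ASSUMPTION)' `
    ($mp.AntivirusSignatureAge -le 7) "SignatureAge=$($mp.AntivirusSignatureAge) days"

# Security update management: a supported OS. Windows 10 left support on 14 October 2025
# (short of paid Extended Security Updates); Windows 11 builds start at 22000.
$os = Get-CimInstance Win32_OperatingSystem
Add-Finding 'Security update management' 'OS still supported (Windows 11)' `
    ([int]$os.BuildNumber -ge 22000) "$($os.Caption) build $($os.BuildNumber)"

# Pending updates via the Windows Update Agent COM API (needs network, can take a minute).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending = @()
foreach ($u in $searcher.Search('IsInstalled=0 and IsHidden=0').Updates) { $pending += $u }
$severe = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' })
Add-Finding 'Security update management' 'No Critical/Important updates waiting' `
    ($severe.Count -eq 0) (($severe | ForEach-Object { $_.Title }) -join '; ')

# Third-party software: list versions for comparison against each vendor's current release.
# The 14-day clock runs from that vendor release, not from Patch Tuesday. Filter is an ASSUMPTION.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Chrome|Firefox|Zoom|Teams|Adobe|Java' } |
    Select-Object DisplayName, DisplayVersion, InstallDate -Unique

$findings | Format-Table Control, Check, Pass, Detail -AutoSize -Wrap
$apps | Sort-Object DisplayName | Format-Table -AutoSize
```

    A Pass of False on any row is a question to answer before submission, not automatically a fail of the whole assessment; the self-assessment asks you to describe how each control is met, and this output is the evidence for that description on one device. Run it on every in-scope machine, including the one that only comes out one day a week.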

    How volunteers fit into the scope

    Volunteers are the area where charity scoping questions differ most from commercial organisations. The rule is the same — devices that access organisational data are in scope — but the practice is harder.

    Volunteers using organisation-issued devices. Treat them as any other user. Managed laptop, MFA on their cloud accounts, standard user permissions, software firewall active.

    Volunteers using personal devices for work email. Same as any BYOD situation: a personal device that reads organisational email is in scope. Either bring those devices into MDM coverage (which most volunteers will not agree to), restrict access so that only managed devices can connect (a Conditional Access policy in Microsoft 365, or Context-Aware Access in Google Workspace), or declare a subset scope that excludes them. The third option is weaker than it looks: the scope wording appears on the certificate, the assessor expects the boundary to be technically enforced rather than merely described, and a funder reading that wording will see that volunteer devices are not covered.

    Volunteers with occasional access to the CRM or donor database. MFA enforced on their accounts. Time-limited access where possible. Prompt account disablement when the volunteer period ends.

    What many charities do in practice is restrict "deep" system access (CRM, finance, donor database) to paid staff on managed devices, while giving volunteers more limited access (perhaps via a restricted view in the same system) from their personal devices. This narrows the scope without restricting participation.
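    Here is what that staff/volunteer split looks like when written down as Entra ID Conditional Access policies. This is an added example, not Fig Group's tooling and not taken from the scheme documents. It assumes Microsoft 365 with Entra ID P1 (included in Business Premium), the Microsoft Graph PowerShell SDK, three security groups whose names are my placeholders (CE-Staff for paid staff on managed laptops, CE-Volunteers for people on personal devices, CE-BreakGlass for emergency admin accounts excluded from every policy), and that the volunteers' limited portal is an Entra-integrated enterprise application called "Volunteer Portal". If the "portal" is really a restricted role inside the CRM, the CRM's own role model does that job and the third policy below does not apply. All three policies are created in report-only mode so the sign-in log can be read for a week before anything is enforced.

```powershell
# Added example, not Fig Group's tooling: express the staff / volunteer split as
# Entra ID Conditional Access policies, created in report-only mode first.
# Group and application names are placeholders (ASSUMPTION); replace with your own.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
$scopes = 'Group.Read.All', 'Application.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
Connect-MgGraph -Scopes $scopes -NoWelcome

function Get-GroupId([string]$DisplayName) {
    $g = Get-MgGroup -Filter "displayName eq '$DisplayName'" -Property Id
    if (-not $g) { throw "Security group '$DisplayName' not found; create it first." }
    return $g.Id
}
$staff      = Get-GroupId 'CE-Staff'        # paid staff, managed laptops
$volunteers = Get-GroupId 'CE-Volunteers'   # personal devices, limited portal only
$breakGlass = Get-GroupId 'CE-BreakGlass'   # emergency admin accounts, excluded everywhere

# Conditional Access references applications by appId; look the portal up by display name.
$portal = Get-MgServicePrincipal -Filter "displayName eq 'Volunteer Portal'" -Property AppId
if (-not $portal) { throw "Enterprise application 'Volunteer Portal' not found." }

$reportOnly = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing sign-in logs

# 1. MFA for every user on every cloud app: the CE requirement itself.
$mfaPolicy = @{
    displayName   = 'CE - Require MFA for all users'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 2. Paid staff reach organisational data only from an Intune-compliant device.
$staffDevicePolicy = @{
    displayName   = 'CE - Staff require compliant device'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeGroups = @($staff); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

# 3. Volunteers on personal devices are blocked from everything except the portal, so their
#    devices never touch mailboxes, the CRM or finance: that is what keeps them out of the
#    "deep access" scope.
$volunteerPolicy = @{
    displayName   = 'CE - Volunteers limited to portal'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeGroups = @($volunteers); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @('All'); excludeApplications = @($portal.AppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = foreach ($body in $mfaPolicy, $staffDevicePolicy, $volunteerPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
$created | Select-Object DisplayName, State, Id | Format-Table -AutoSize
```

    The block-everything-else policy is deliberately broad, and the report-only week exists to find what else volunteers were quietly using (a shared mailbox, a Teams channel) before the policy cuts them off. Keep the break-glass group to one or two accounts with long random passwords stored offline; a Conditional Access policy that locks out every admin is a well-known way to lose a tenant.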

    What about trustees?

    Trustees who use personal devices to review board papers and read trustee-only communications are accessing organisational data. Technically, those devices are in scope.

    The realistic positions:

    Option 1: Provide trustees with organisation-issued devices. Most charities cannot afford this.

    Option 2: Restrict trustee content to managed devices or a managed portal. Board papers delivered through a platform that requires trustees to log in with MFA, rather than emailed as attachments to personal email. This is increasingly common.

    Option 3: Scope exclusion. Document trustees as out of scope provided they only access board papers through a separate, tightly-scoped portal that does not share identity or network with the rest of the charity's systems. This is possible but narrow.

    Many charities end up with Option 2 because it is the most practical. A dedicated trustee portal (iBabs, BoardPacks, Diligent, or a properly configured SharePoint site) with MFA moves trustees' access into a manageable scope without requiring device management.

    Cost considerations for charities

    Cyber Essentials costs the same for a charity as it does for any other organisation — from £299.99 + VAT for the micro tier (1-9 employees, which most small charities fall into). Some certification bodies offer discounted rates for registered charities; it is worth asking.

    The more important cost question is what changes you need to make to pass. The typical remediation work for a small charity before their first CE submission includes:

  • MFA on the main cloud services (the MFA itself is free on both Microsoft 365 and Google Workspace; Business Basic or Business Starter is enough to enforce it)
  • A password manager for staff (Bitwarden, 1Password, NordPass; several have charity discounts)
  • An MDM subscription if the charity has more than a handful of laptops (Intune is included in Microsoft 365 Business Premium, not in Business Basic or Standard)
  • Replacing or upgrading any older Windows devices still on Home editions. Microsoft Defender Antivirus on Home satisfies the malware control, but Home cannot be joined to Entra ID, which limits what Intune can manage, and any device still on Windows 10 has been out of support since October 2025 short of paid Extended Security Updates

    For a charity with one or two members of staff, the remediation cost is typically £100-300. For a charity with 5-15 staff, it is £500-1,500 one-off plus ongoing licensing.

    Tools with charity discounts worth knowing about

    Several vendors offer meaningful charity discounts through Charity Digital Exchange, TechSoup, or direct programmes:

  • Microsoft 365 Business Premium (donated or heavily discounted for qualifying charities; includes MFA, Intune, Entra ID P1 and Defender for Business. Microsoft's nonprofit grant terms have changed more than once, so check the current offer before budgeting)
  • Google Workspace for Nonprofits (free tier available, upgrades discounted)
  • Bitwarden Teams / Enterprise (free for qualifying nonprofits)
  • 1Password (discounted for nonprofits via their Community programme)
  • Bitdefender GravityZone (reduced-price charity licensing)

    A small charity running on Microsoft 365 Business Premium has nearly everything it needs to pass Cyber Essentials included in the licence. What the licence does not do is turn those features on; that configuration work is the remediation.

    The common charity scoping mistake

    The single most frequent scoping issue I see in charity submissions is conflating paid staff, volunteers, and trustees into one undifferentiated group. The scheme is flexible enough to handle all three, but each needs explicit attention in the scope declaration. "All users of organisational systems" is not a scope. "Paid staff using managed laptops and organisation-provided cloud accounts; volunteers using personal devices restricted to the limited-access volunteer portal; trustees accessing board papers through the separately-managed board portal" is a scope.

    Writing that distinction clearly in the questionnaire makes the submission easier to assess and less likely to trigger follow-up questions.

    Practical path to certification for a small charity

    If you are a charity with fewer than ten paid staff, the fastest route to CE is:

    1. Choose a primary cloud platform. Microsoft 365 or Google Workspace. Not both.

    2. Upgrade to a licence tier that includes MFA enforcement, MDM and endpoint protection. M365 Business Premium or Google Workspace Business Plus. Both are charity-discounted.

    3. Enrol all laptops in MDM and apply a baseline security policy (Intune's security baselines for Windows are ready-made for this; Google endpoint management has equivalent device policies).

    4. Enforce MFA across all users on all in-scope services. Not just the main email; also the CRM, finance system, and fundraising platform.

    5. Document the scope. Paid staff, volunteers, trustees, with how each is handled.

    6. Run Fig Group's free readiness checker. Identify remaining gaps before paying for the assessment.

    7. Submit. The assessment is £299.99 + VAT and usually completes within 6 hours for a compliant submission.
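    Before step 6, it is worth pulling the two lists an assessor's follow-up questions most often turn on: who has no MFA registered (steps 2 and 4), and which enabled accounts nobody has used in months (the departed-volunteer and former-trustee problem from the secure configuration section). The PowerShell below does that for a Microsoft 365 tenant. It is an added example, not Fig Group's readiness checker, and it assumes the Microsoft Graph PowerShell SDK, an admin account that can consent to the listed delegated permissions, and Entra ID P1 (included in Business Premium) for the sign-in activity data. The 90-day window is my assumption, not a scheme figure.

```powershell
# Added example, not Fig Group's tooling: audit a Microsoft 365 tenant for the two
# user access control gaps that most often surface in charity submissions:
# accounts with no MFA method registered, and enabled accounts with no sign-in for
# 90+ days (departed volunteers, former trustees). The 90-day window is an ASSUMPTION.
# signInActivity requires Entra ID P1 (included in Microsoft 365 Business Premium).
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

$staleAfterDays = 90
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

# 1. MFA registration, from the Entra authentication-methods registration report.
#    IsMfaRegistered is false for anyone who has never set up a method, which is the
#    state that "MFA is available on that service" usually describes.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, UserType, IsAdmin

# 2. Enabled accounts with no sign-in inside the window, or none ever.
$stale = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, CreatedDateTime, SignInActivity |
    Where-Object { $_.AccountEnabled } |
    ForEach-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        if (-not $last -or $last -lt $cutoff) {
            $lastText = if ($last) { $last } else { 'never' }
            [pscustomobject]@{
                Id                = $_.Id
                UserPrincipalName = $_.UserPrincipalName
                UserType          = $_.UserType      # 'Guest' is often an invited volunteer
                Created           = $_.CreatedDateTime
                LastSignIn        = $lastText
            }
        }
    }

"Users with no MFA method registered: $(@($noMfa).Count)"
$noMfa | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
"Enabled accounts with no sign-in for $staleAfterDays+ days: $(@($stale).Count)"
$stale | Sort-Object Created | Format-Table -AutoSize

# Remediation is a decision, not a script. Once whoever managed the volunteer or trustee
# has confirmed they have left, disable rather than delete, so mail and files can be
# handed over:
#   Update-MgUser -UserId <Id from the table above> -AccountEnabled:$false
```

    Admin accounts without MFA sort to the top of the first table because they are the ones to fix today. Treat a long second table as a process gap rather than a cleanup job: the fix that lasts is a leaver step in the volunteer coordinator's checklist, not a quarterly script run.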

    Bottom line

    Cyber Essentials is accessible for charities. The controls are reasonable, the costs are manageable (often zero beyond the assessment fee for charities already on a modern cloud platform), and the certification opens access to funding that is increasingly conditional on evidence of basic cybersecurity practice. The charities that struggle are the ones that leave everything until a grant application asks for it. The charities that get it right treat it as a standing operational posture rather than a one-off compliance task.


    About the author

    Jay Hopkins

    Managing Director, Fig Group

    IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

    Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.

