
Cyber Essentials for charities: how to budget at £299.99 + VAT

UK charities have tight budgets and specific scoping questions. This guide walks through how to certify at the £299.99 tier, what IASME funder discounts exist, and how to meet the v3.3 requirements without over-engineering.

Author: Jay Hopkins

Edited by Jack Wickham


UK charities face two Cyber Essentials questions that most other sectors do not:

1. Funders and grant-giving bodies (National Lottery, large trusts, corporate donors) increasingly require Cyber Essentials as a condition of grant-making.

2. Charity budgets are tight, and every pound spent on compliance is a pound not spent on mission delivery.

This guide is for the charity CEO, COO, or finance director trying to answer: "What is the cheapest legitimate path to Cyber Essentials?"

The answer is £299.99 + VAT at the Micro tier for charities under 10 staff, rising to £449.99 + VAT at Medium tier. Below the standard IASME fee. Below the "consultancy-plus-certification" packages that some providers push.

What charities are typically being asked for

Grant funders commonly list one of three asks:

  • "Cyber Essentials certification." CE at the appropriate size tier is sufficient.
  • "Cyber Essentials Plus certification." CE Plus - third-party verified - is the ask; starts at £1,499 + VAT for micro organisations.
  • "A recognised cybersecurity standard." CE is the NCSC-backed standard and is almost always the simplest answer for a charity.

If the funder lists specific frameworks (ISO 27001, NIST CSF), the charity sometimes has a genuinely harder decision. For most UK charity funder asks in 2026, CE or CE Plus is the right answer.

Budgeting the Micro tier (under 10 staff)

The Fig Group Micro tier is £299.99 + VAT - £20.01 below the standard IASME certification body fee. For a 9-person charity that is £59.99 per staff member per year in gross cost, or £0.16 per day. Well within the range that even the smallest UK charities can absorb.

What is included:

  • The full CE v3.3 self-assessment.
  • Expert review by an IASME-licensed assessor.
  • Three free re-submissions if the first submission fails.
  • The official certificate and NCSC register listing.
  • Dedicated support through the process.
  • Free readiness checker before you begin.

What is not included (to be honest about the full total cost):

  • Any remediation work. If your charity needs to buy Defender for Business, deploy MFA, or upgrade unsupported Windows devices, that is a separate cost.
  • VAT. £299.99 becomes £359.99 inc VAT.

A well-prepared 9-person charity with modern laptops, M365 Business Premium, and MFA already enabled can certify with no additional technology spend. Charities running older kit need a remediation budget - typically £500–£2,000 for a small charity.

The funder discount question

The NCSC has historically funded free Cyber Essentials certifications for specific sectors (NHS small suppliers, legal aid, certain charities) through IASME-administered schemes. These come and go; check the NCSC website at the time of your application.

If a free certification is available, take it. It typically comes with a specific scope constraint (must be a micro organisation, must be in a named sector, must commit to remaining certified). Read the terms.

If no free scheme applies, Fig Group's £299.99 + VAT is the cheapest UK IASME-licensed rate for micro organisations as of 2026. That is a defensible baseline for a charity budget.

Scoping: volunteers and trustees

Charity CE scoping has two category-specific questions:

Volunteers. If a volunteer accesses charity systems (email, donor database, event management software), their device is in scope. In practice, most charities either:

  • Issue volunteers charity laptops (clean scope).
  • Restrict volunteer access to specific read-only or write-only SaaS tools that do not require a locally-installed client, and treat the volunteer personal device as accessing a narrow SaaS - similar to a customer-facing portal.
  • Use a virtual desktop for volunteer access.

Trustees. Board papers are organisational data. Trustees' personal laptops and tablets that store or sync board papers are in scope. Common charity solutions:

  • Use Diligent, BoardPad, or a similar board-paper app that prevents local storage.
  • Issue charity-managed iPads to trustees.
  • Require trustees to access board papers via a virtual desktop.

If you cannot get a clean subset exclusion for trustees' and volunteers' devices, the simplest answer is: limit what they can access, and scope only the devices that do access organisational data.

Required technical controls for a charity

Under v3.3 the five control categories apply the same way regardless of sector. For a typical small charity:

  • Firewalls. Corporate M365 perimeter and any office Wi-Fi router. Change the default admin password.
  • Secure configuration. Remove bloatware from laptops. Disable auto-run. Disable guest accounts.
  • User access control. MFA on every user account (mandatory under v3.3). Use M365 Business Premium's built-in MFA.
  • Malware protection. Windows Defender with tamper protection enabled is sufficient.
  • Security update management. Apply critical and high-severity patches within 14 days of release. Remove unsupported Windows versions.

Two things commonly catch UK charities out:

1. Unsupported Windows devices. Windows 10 reached end-of-support in October 2025. Any laptop still running it without ESU fails. Replace or upgrade before submitting.

2. MFA not enforced on a small number of board or volunteer accounts. Under v3.3 it must be on every account that accesses organisational data. No exceptions.
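
The checks above can be run as a pre-submission audit over a device and account inventory. This is an added example, not Fig's readiness checker or IASME tooling: the inventory, its field names and the `charity.example` accounts are constructed for illustration, and it assumes the charity relies on Defender for malware protection.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # critical/high patches within 14 days of release (from the guide)

# Constructed sample inventory; every field name here is an assumption for this example.
DEVICES = [
    {"name": "office-laptop-1", "owner": "staff", "os": "Windows 11", "esu": False,
     "accesses_org_data": True, "tamper_protection": True,
     "pending_patches": [("high", date(2026, 3, 2))]},
    {"name": "trustee-laptop", "owner": "trustee", "os": "Windows 10", "esu": False,
     "accesses_org_data": True, "tamper_protection": False, "pending_patches": []},
    {"name": "volunteer-phone", "owner": "volunteer", "os": "iOS", "esu": False,
     "accesses_org_data": False, "tamper_protection": None, "pending_patches": []},
]
ACCOUNTS = [
    {"user": "ceo@charity.example", "role": "staff", "accesses_org_data": True, "mfa": True},
    {"user": "chair@charity.example", "role": "trustee", "accesses_org_data": True, "mfa": False},
]

def device_findings(dev, today):
    """Return gap descriptions for one device; out-of-scope devices return []."""
    if not dev["accesses_org_data"]:
        return []  # does not access organisational data, so it is not scoped
    gaps = []
    if dev["os"] == "Windows 10" and not dev["esu"]:
        gaps.append("unsupported Windows 10 without ESU")
    # Assumption: Defender is the malware protection in use on Windows devices.
    if dev["os"].startswith("Windows") and not dev["tamper_protection"]:
        gaps.append("Defender tamper protection not enabled")
    for severity, released in dev["pending_patches"]:
        age = (today - released).days
        if severity in ("critical", "high") and age > PATCH_WINDOW_DAYS:
            gaps.append(f"{severity} patch outstanding for {age} days")
    return gaps

def account_findings(acct):
    """MFA must be on every account that accesses organisational data."""
    if acct["accesses_org_data"] and not acct["mfa"]:
        return [f"MFA not enforced ({acct['role']} account)"]
    return []

def audit(devices, accounts, today):
    """Map each device name or user to its list of gaps, omitting clean entries."""
    report = {d["name"]: device_findings(d, today) for d in devices}
    report.update({a["user"]: account_findings(a) for a in accounts})
    return {k: v for k, v in report.items() if v}

if __name__ == "__main__":
    for subject, gaps in audit(DEVICES, ACCOUNTS, date(2026, 3, 20)).items():
        print(subject, "->", "; ".join(gaps))
```
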

The straight-line 6-hour path

1. Use the free readiness checker on the Fig site to identify gaps before you spend any money.

2. Fix the gaps. For a typical UK charity: enable MFA, enable Defender tamper protection, deprecate any Windows 10 devices, verify 14-day patching.

3. Submit your Cyber Essentials assessment on the Fig Micro tier at £299.99 + VAT.

4. For compliant submissions before midday, you are certified within 6 hours.

5. NCSC register updated within 24 hours. Send the certificate to your funder.

Total cash out: £299.99 + VAT for the assessment, plus any remediation spend. Total elapsed time with good preparation: a single business day.

Bottom line

A UK charity under 10 staff can certify to Cyber Essentials for £299.99 + VAT on the Fig Micro tier, with no mandatory consultancy, no hidden fees, and 6-hour turnaround. Scope volunteers and trustees explicitly, enforce MFA everywhere, retire unsupported Windows devices, and the certification passes first time.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor | IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
