
Who needs Cyber Essentials Plus?


Author: Jay Hopkins

Editor: Jack Wickham


Cyber Essentials Plus is needed by UK organisations bidding for MOD sub-contracts, most central government contracts above specified thresholds, many NHS and healthcare supplier frameworks, and enterprise B2B work where the buyer's due-diligence questionnaire specifies hands-on-tested certification. For most SMEs, standard Cyber Essentials is sufficient.

Cyber Essentials Plus is typically required for:

MOD and defence sub-contracting

Tier-1 MOD suppliers cascade Plus (and often the new Defence Cyber Certification) into their own supply chain. If you service BAE Systems, Babcock, QinetiQ, Leonardo, MBDA, Thales UK, Raytheon UK, or General Dynamics UK, expect Plus as a baseline.

UK central government contracts above threshold

The Government Commercial Function references Cyber Essentials across most IT-touching procurement. Contracts above certain thresholds - typically £5m annual value for IT-adjacent work, lower for higher-risk data - reference Plus rather than standard CE.

NHS and healthcare supplier frameworks

NHS England's Data Security and Protection Toolkit (DSPT) references CE for smaller suppliers and Plus for suppliers with larger data-access footprints. Integrated care systems and hospital trusts increasingly ask for Plus at vendor onboarding.

Financial services regulated supply chain

FCA and PRA-regulated firms' supplier-onboarding questionnaires often ask for Plus on IT-access vendors. Large UK asset managers and insurance carriers have standardised on Plus for their outsourced IT supply chain.

SJP partner practices

St. James's Place Partner practices require CE Plus for ongoing partnership.

Enterprise B2B SaaS supplier onboarding

Many UK enterprise buyers specify Plus in vendor DDQs, particularly where the supplier has access to production data or authenticated customer systems.

Where standard Cyber Essentials is sufficient

  • Most B2B SME work without specific procurement mandates
  • Most UK legal practice PI-insurance baselines
  • General client-onboarding signals for most professional services
  • Cyber-insurance baseline for SMEs with standard cyber-liability needs
  • Most charity / nonprofit funder requirements

Cost and timeline

  • Standard Cyber Essentials: from £299.99 + VAT (Micro), 6-hour turnaround
  • Cyber Essentials Plus: from £1,499 + VAT (Micro), 1–3 weeks end to end depending on scan scheduling

Because Plus requires a valid standard CE certificate as a prerequisite, both are typically completed in a single engagement. See "Can I get Cyber Essentials Plus without Cyber Essentials?".

Bottom line

You need Cyber Essentials Plus if your tender documents, supplier-onboarding form, regulatory counterparty, or insurance broker says so. For most UK SMEs without that specific pressure, standard CE is the right bar. The full pricing page shows both levels side by side.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
