Cyber Essentials for UK financial services firms. Certified by Fig.
Fig Group certifies UK financial services firms - FCA and PRA regulated entities, fintechs, wealth managers, payments, insurance. IASME-licensed, from £299.99 + VAT, typically within 6 working hours. Tailored to FCA operational resilience, DORA, and the SJP Partner Practice context.
Sector-specific
Tailored to financial services firms
The standard scheme guidance does not address the operational reality of this sector. These are the scope, regulatory, and supplier-cascade points Fig assessors check first.
- FCA operational resilience (PS21/3) expectations.
- DORA (Digital Operational Resilience Act) alignment for EU-facing firms.
- SJP Partner Practice CE/CE Plus mandates since May 2024.
- Payments data handling alongside PCI DSS scoping.
- Client money / client asset data protection.
- Outsourced-provider oversight - you will require CE of your vendors too.
Pricing at a glance
Below the standard IASME fee at every tier
No re-submission charges. Three free re-submissions included. Published pricing - no gated forms or consultancy add-ons.
Turnaround
6 hours
For compliant submissions before midday.
Cyber Essentials
£299.99 – £549.99
+ VAT, by organisation size.
Cyber Essentials Plus
£1,499 – £4,499
+ VAT, third-party verified.
Common questions
Frequently asked questions
Is Cyber Essentials required by the FCA?
Not directly, but the FCA's operational-resilience expectations and the broader SYSC handbook effectively require a baseline cyber posture. CE/CE Plus is widely accepted as meeting that bar, and insurers treat it as material for PI and cyber premium pricing.
Does SJP require Cyber Essentials for Partner Practices?
Yes - SJP mandated CE Plus across its 2,800+ Partner Practice network in May 2024. See /blog/cyber-essentials-for-sjp-partners for the SJP-specific scope.
Does Cyber Essentials satisfy DORA?
DORA is a broader regime than CE. CE satisfies parts of DORA's ICT risk management and supply chain expectations but is not a substitute for the full regulation. Most UK firms serving EU counterparties treat CE as foundational and layer DORA-specific controls on top.
What CE scope should a fintech SaaS use?
Corporate estate only (laptops, M365/Google Workspace, corporate SSO, home routers via VPN). Production fintech infrastructure is separately assessed under ISO 27001, SOC 2 Type II, or the equivalent. Split scopes deliberately.
What tier do most fintechs use?
Depends on UK headcount. A typical 40-person fintech falls into CE Small (10–49) at £399.99 + VAT, or CE Plus Small at £1,999 + VAT for insurer / enterprise-client use.
Deep-dive articles
Long-form guidance for financial services firms
Technical guidance written by an IASME-licensed assessor - scope edge cases, supplier cascade, and regulatory overlap that the scheme guidance does not cover.
Next step
Ready to certify?
From £299.99 + VAT. IASME-licensed. Typically within 6 working hours. No consultancy add-ons.