Based on Fig Group’s own customer mix and public NCSC scheme commentary.
The state of UK Cyber Essentials certification in 2026.
An independent data-driven review of the UK Cyber Essentials market - certification body landscape, pricing, turnaround times, sector adoption, and regional concentration - compiled by Fig Group, an IASME-licensed certification body.
The Cyber Essentials scheme at scale.
Cyber Essentials, administered by IASME on behalf of the NCSC, has grown from a 2014 launch to the de-facto baseline for UK SME cybersecurity. As of April 2026, approximately 290 organisations hold an IASME licence to assess and certify under the scheme - a number verifiable on the public IASME directory.
- Scheme operator: IASME Consortium, under licence from NCSC.
- Versions in force: v3.3 from 28 April 2026; v3.2 until transition cutoff.
- Certification body count: ~290, up from ~250 in 2024, per historic IASME disclosures.
- Active certificates (estimate): ~40,000 CE and CE Plus combined, based on NCSC cumulative issuance figures less estimated expiry.
- Geographical scope: UK-incorporated organisations of any size. No formal sector restrictions.
Certification body prices vary 2–3x for the same certificate.
Every IASME-licensed body issues the same government-backed certificate, yet published prices range widely. Fig Group's April 2026 audit of the top 50 UK certification bodies by visible search presence sampled published Micro-tier pricing and bundled extras.
| Tier | Staff | Observed low | Observed high | Typical range |
|---|---|---|---|---|
| Micro | 1–9 | £299.99 + VAT | £800+ + VAT | £400–£550 + VAT |
| Small | 10–49 | £399.99 + VAT | £1,200+ + VAT | £500–£750 + VAT |
| Medium | 50–249 | £449.99 + VAT | £1,800+ + VAT | £700–£1,200 + VAT |
| Large | 250+ | £549.99 + VAT | £3,000+ + VAT | £1,000–£1,800 + VAT |
| CE Plus (Micro) | 1–9 | £1,499 + VAT | £3,500+ + VAT | £1,800–£2,500 + VAT |
The spread is hours to weeks.
Certification speed - the time between submission of a complete self-assessment and issuance of the certificate - is where certification bodies differ most visibly. Fig's audit categorised published SLAs across the sampled 50 bodies.
| Published SLA band | Share of sampled CBs | Representative examples |
|---|---|---|
| Under 24 hours (same-day / next-day) | ~4% | Fig Group (6 working hours); a handful of platform-first bodies |
| 1–3 working days | ~18% | Platform-led certification bodies with continuous review workflows |
| 4–7 working days | ~35% | Mid-sized consultancy bodies with weekly review cadence |
| 8–15 working days | ~30% | Consultancy-led or MSSP-bundled bodies |
| Not published | ~13% | Quote-based; turnaround disclosed only on enquiry |
Certification is administrative - geography rarely matters.
Cyber Essentials assessments are carried out online through a self-assessment questionnaire, with CE Plus adding a remote or on-site vulnerability test. The certification body's physical location is rarely relevant to delivery. Despite this, UK certification bodies are disproportionately concentrated in London and the South East.
| UK region | Approx. share of CBs | Notes |
|---|---|---|
| London & South East | ~35% | Highest concentration, driven by consultancy cluster |
| South West | ~12% | Bristol / Gloucester / Cheltenham cyber corridor |
| North West | ~10% | Manchester / Liverpool / Preston SME cluster |
| Yorkshire & Humber | ~8% | Leeds / Sheffield regional hubs |
| West Midlands | ~8% | Birmingham / Coventry manufacturing SME base |
| East of England | ~8% | Cambridge tech cluster + Ipswich / Norwich MSSP base |
| East Midlands | ~6% | Nottingham / Leicester consultancy practices |
| Scotland | ~6% | Edinburgh / Glasgow / Aberdeen regional CB presence |
| Wales | ~3% | Cardiff-centric |
| North East | ~2% | Newcastle / Sunderland |
| Northern Ireland | ~2% | Belfast-based |
Roughly one in six organisations progresses to CE Plus.
Cyber Essentials Plus adds a hands-on vulnerability test performed by the certification body, typically conducted within 90 days of the CE self-assessment. Plus is required by a growing number of regulated and public-sector buyers (notably MOD, NHS, and parts of central government), but remains a minority option across the wider scheme.
Typical multiplier on the CE price at the same organisation tier.
Why buyers move from CE to Plus
- MOD Defence Cyber Certification pathway
- NHS Data Security and Protection Toolkit alignment
- Insurance underwriting requirements
- Enterprise supplier onboarding (financial services, legal, gov tech)
Supply-chain cascading
Stricter SME adoption driven by procurement teams increasingly requesting Cyber Essentials Plus from tier-2 and tier-3 suppliers, particularly on regulated work.
What's changing in 2026.
v3.3 assessment question set
Active from 28 April 2026. Stricter 12-character password minimum, phishing-resistant MFA for administrators, explicit firmware patching, clearer cloud-service scoping. Our audit of 14 Fig customer submissions against v3.3 indicates ~80% of existing-scheme organisations need minor changes, ~15% need moderate remediation, ~5% need substantive work.
MSP-driven demand
Managed service providers increasingly act as the procurement channel for Cyber Essentials on behalf of SME clients. Fig Group estimates MSP-originated certifications now account for 30–40% of new Micro-tier issuances, up from <20% in 2024. Certification bodies offering white-label or multi-tenant programmes are disproportionately capturing this segment.
Embedded cyber liability cover
IASME’s scheme-level cyber-liability partnership ships £25,000 of cover with every valid Cyber Essentials certificate held by a UK organisation under £20m turnover where the assessment scope is the whole organisation. This is a scheme benefit available through every IASME-approved certification body - not a per-CB commercial bundle. Fig Group’s customer research indicates ~60% of Micro-tier buyers now cite the embedded cover as a meaningful factor in their decision to certify, rather than in their choice between certification bodies.
Consolidation pressure
The long tail of low-volume certification bodies faces a squeeze between platform-led entrants at the low price end and large MSSP-bundled bodies at the high end. Fig Group expects the ~290 licensed CBs to consolidate toward ~250 by 2027 as smaller consultancy-led bodies exit the scheme or merge. This tracks comparable consolidation seen in adjacent standards like ISO 27001.
Same-day certification
The number of UK certification bodies publishing sub-24-hour SLAs remains small (~4%) but demand is growing, driven by tender-deadline pressure and insurance-renewal timing. We expect same-day SLAs to become a material competitive axis by 2027.
AI-assisted readiness
Pre-assessment readiness checkers powered by LLMs (used by Fig Group and a handful of peers) materially reduce first-submission failure rates - internal Fig data shows a drop from ~22% industry-baseline retest rate to below 5% for submissions that complete a readiness check first.
How this report was compiled.
The figures in this report draw on three data sources, each with stated limits. Readers and journalists citing the report should preserve this context rather than extracting point estimates without framing.
IASME public directory
The canonical list of licensed certification bodies. All counts of certification bodies in this report are derived from the directory as observed in April 2026. The directory does not expose structured metadata on price, turnaround, or sector; those require per-body website review.
Source: iasme.co.uk
Fig Group published-price audit
Fig Group reviewed the public marketing of the 50 UK certification bodies with the highest organic search presence for “Cyber Essentials” in April 2026. Where published prices were available they were recorded verbatim. Bodies that do not publish prices are counted separately as quote-based rather than imputed. Pricing bands reflect only the subset of CBs that publish prices.
NCSC public scheme commentary
NCSC has historically disclosed cumulative Cyber Essentials issuance in annual reviews and ministerial communications. The ~40,000 “active certificates” estimate in this report is derived from NCSC’s cumulative issuance figures less estimated annual expiry, not from an authoritative live register.
What this report is not
This is not an authoritative scheme-wide census. Where precise point estimates would have misrepresented data confidence, we have deliberately used ranges and shares. Specific certification-body performance or pricing should be verified directly with the body concerned.
Conflicts of interest
Fig Group is itself a UK IASME-licensed certification body and competes in the market described in this report. Where Fig Group’s own figures feature - for example as the observed low-end of the Micro-tier pricing range - this is disclosed in the footnote for that table.
IASME licence 325cdf33-3812-4082-bf8d-7dce7ac02977
Using these figures in your own publication?
This report is published under a Creative Commons Attribution 4.0 licence. You may reproduce figures and findings with attribution. Please link back to the canonical report URL below so readers can check our methodology.
Hopkins, J. (2026) UK Cyber Essentials Market Report 2026. Fig Group. Available at: https://www.figgroup.co.uk/reports/uk-cyber-essentials-market-2026 (Accessed: [date]).
According to the UK Cyber Essentials Market Report 2026 published by Fig Group, [finding]. Source: https://www.figgroup.co.uk/reports/uk-cyber-essentials-market-2026
https://www.figgroup.co.uk/reports/uk-cyber-essentials-market-2026
Work with the report’s publisher
Get Cyber Essentials certified with Fig Group.
Fig Group is an IASME-licensed certification body publishing its pricing and turnaround transparently. Cyber Essentials from £299.99 + VAT, certified within 6 working hours on compliant Micro-tier submissions. The IASME-arranged £25,000 cyber liability cover ships with every valid certificate (UK orgs < £20m turnover, whole-organisation scope).