Cyber Essentials Plus, as updated for 2026, is the UK government's most rigorous voluntary cyber security standard for organisations handling sensitive data. For London SMBs, professional services firms, and financial advisers, understanding what's changed this year and what certification actually costs is essential for staying compliant with client expectations and government procurement requirements. This guide cuts through the jargon to show you exactly what you're committing to.
What's New in Cyber Essentials Plus for 2026
The 2026 refresh of Cyber Essentials Plus builds on the framework's existing five core controls but introduces sharper, more prescriptive requirements around emerging threat vectors. The National Cyber Security Centre (NCSC), which oversees the scheme, has tightened definitions around what "secure configuration" actually means in practice.
Key updates for this year include:
- Stricter password policies: Minimum 12-character passwords are now explicitly required, with multi-factor authentication (MFA) mandated for all administrative accounts—not just recommended.
- Enhanced vulnerability management: The timeframe for patching critical vulnerabilities has compressed from 90 days to 30 days for externally facing systems.
- Expanded mobile device coverage: Mobile devices were previously a grey area; the scheme now explicitly requires mobile device management (MDM) policies for any device accessing organisational data, including smartphones and tablets.
- Third-party risk assessment: Organisations must now document and assess the cyber security posture of critical suppliers—a significant shift from passive oversight to active due diligence.
- Incident response playbooks: Written, tested incident response procedures are now mandatory, not optional, with evidence of at least one annual tabletop exercise required.
For professional services and financial advisory firms in London, these changes directly impact how you manage client data and interact with cloud providers. The third-party risk requirement, in particular, means scrutinising the cyber defences of your accountancy software vendors, practice management platforms, and document repositories with greater rigour than ever before.
The Five Core Controls Under the New Standard
Secure Configuration
This control now requires documented device configurations for every hardware type in your estate. Removable media must be disabled by default, admin credentials must follow the new 12-character minimum, and BIOS/firmware security features must be explicitly enabled. For many SMBs running mixed environments—some on-premises, some cloud—this demands a comprehensive inventory and asset register.
User Access Control
MFA is no longer negotiable. Every user account must have MFA enabled, with administrator accounts subject to additional verification measures. This includes remote access, email, and cloud application logins. The principle of least privilege now requires documented role-based access controls (RBAC), with quarterly audits of user permissions.
Malware Protection
Endpoint detection and response (EDR) solutions are now explicitly preferred over traditional antivirus. The scheme expects real-time threat monitoring, not just reactive scanning. For managed IT service providers supporting SMBs, this often means upgrading from basic antivirus to more sophisticated EDR platforms.
Patch Management
The 30-day critical patch window applies to all systems—servers, workstations, and network infrastructure. This requires automated patch management tools and a formal change control process. Zero-day vulnerabilities must be assessed within 72 hours.
Secure Backup and Recovery
Backups must be tested quarterly, stored offline (not just disconnected), and protected from ransomware. The scheme now explicitly requires that recovery testing exercises be documented and that recovery time objectives (RTOs) are defined for critical business functions.
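As an added example (not code from the article, the NCSC or VantagePoint Networks), the thresholds in the five controls above can be encoded as a readiness check run against an asset register before the assessor arrives. The field names, the sample register and the choice to measure the 72-hour zero-day window from disclosure are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds taken from the article's description of the 2026 controls.
MIN_ADMIN_PASSWORD_LEN = 12
CRITICAL_PATCH_SLA = timedelta(days=30)    # critical vulnerability patched
ZERO_DAY_ASSESS_SLA = timedelta(hours=72)  # zero-day assessed (assumed: measured from disclosure)
BACKUP_TEST_INTERVAL = timedelta(days=91)  # "quarterly" recovery test

@dataclass
class Vuln:
    vuln_id: str                         # placeholder label, not a real CVE
    disclosed: datetime
    zero_day: bool = False
    patched: Optional[datetime] = None   # None: still unpatched
    assessed: Optional[datetime] = None  # None: not yet assessed

@dataclass
class Asset:
    name: str
    mfa_enabled: bool
    admin_password_len: int
    last_backup_test: datetime
    vulns: List[Vuln] = field(default_factory=list)

def check_asset(asset: Asset, now: datetime) -> List[str]:
    """Return the control failures for one asset; an empty list means compliant."""
    findings = []
    if not asset.mfa_enabled:
        findings.append("User Access Control: MFA not enabled")
    if asset.admin_password_len < MIN_ADMIN_PASSWORD_LEN:
        findings.append("Secure Configuration: admin password shorter than 12 characters")
    if now - asset.last_backup_test > BACKUP_TEST_INTERVAL:
        findings.append("Secure Backup: no recovery test in the last quarter")
    for v in asset.vulns:
        # Unpatched or unassessed items are measured against 'now', so they keep ageing.
        if (v.patched or now) - v.disclosed > CRITICAL_PATCH_SLA:
            findings.append(f"Patch Management: {v.vuln_id} outside the 30-day window")
        if v.zero_day and (v.assessed or now) - v.disclosed > ZERO_DAY_ASSESS_SLA:
            findings.append(f"Patch Management: {v.vuln_id} not assessed within 72 hours")
    return findings

NOW = datetime(2026, 3, 1)  # constructed sample register follows; these are not real systems
SAMPLE = [
    Asset("fileserver-01", True, 16, NOW - timedelta(days=40),
          [Vuln("VULN-EXAMPLE-1", NOW - timedelta(days=45))]),
    Asset("laptop-07", False, 10, NOW - timedelta(days=100),
          [Vuln("VULN-EXAMPLE-2", NOW - timedelta(days=5), zero_day=True)]),
]
```

Running `check_asset` over each entry in `SAMPLE` yields one patching finding for the file server and four findings for the laptop, which is the gap list the remediation budget below has to cover.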
Costs and Timelines for Certification
Assessment and Audit Fees
Cyber Essentials Plus requires a full technical assessment by an accredited assessor, unlike the basic Cyber Essentials scheme, which relies on self-assessment. For a typical London SMB (50–100 employees), expect assessor fees between £2,000 and £5,000. Larger firms and those with complex infrastructure may see assessments exceed £7,000.
The assessment typically takes 3–5 working days, on site or remotely, depending on your infrastructure complexity and documentation readiness. Many organisations underestimate the preparation time required before the assessor arrives; having your asset register, configuration documentation, and policies pre-compiled can save thousands in assessor hours.
Remediation and Implementation Costs
This is where most SMBs experience genuine cost. If your current infrastructure doesn't meet the 2026 standard, you may need to invest in:
- MFA deployment across all systems (typically £500–£2,000 depending on platform and user count)
- EDR tools replacing basic antivirus (£20–£50 per user annually, often £1,500–£3,500 for a small organisation)
- Patch management automation tools (£2,000–£5,000 annually)
- Offline backup solutions or upgrades (£3,000–£8,000 depending on data volumes)
- Mobile device management (£500–£2,000 annually)
- Documentation, policies, and procedures development (this varies widely; budget £5,000–£15,000 if using external consultants)
For a typical professional services firm in London currently running a basic cyber security setup, total implementation costs to reach Cyber Essentials Plus standard typically range from £12,000 to £25,000. Larger firms may exceed £40,000.
Ongoing Compliance Costs
Certification lasts three years, but maintaining compliance is continuous. Plan for annual surveillance audits (£800–£1,500) and factor in software licence renewals for EDR, MFA, and patch management platforms. Most organisations budget 0.5–1.0 FTE (full-time equivalent) of IT staff time per month for ongoing compliance management.
Many London SMBs find it cost-effective to partner with managed service providers who include Cyber Essentials Plus compliance as part of their service model. VantagePoint Networks, for example, helps professional services and financial advisory firms design compliance roadmaps that spread costs across multiple fiscal periods and align with existing technology refresh cycles.
Why 2026's Changes Matter to Your Business
The tighter standards reflect genuine threats. The 30-day patching requirement exists because most ransomware exploits known vulnerabilities within weeks of disclosure. The MFA mandate addresses the fact that credential compromise remains the leading attack vector. The third-party risk requirement acknowledges that supply chain attacks—like the 2023 MOVEit vulnerabilities—pose material business risk.
For London-based professional services firms, legal practices, and financial advisers, Cyber Essentials Plus certification has also become a competitive necessity. Large corporations and government bodies increasingly require it in their vendor contracts. If your clients are asking "Are you Cyber Essentials Plus accredited?"—and they are—certification isn't optional; it's a business requirement.
The good news is that the framework's prescriptive nature removes ambiguity. You're not guessing what "good" looks like; the NCSC tells you explicitly. The challenge is the honest assessment of where you are today relative to where the standard requires you to be, and the commitment to close that gap systematically.