Cyber Essentials Plus Explained: What's New in 2026 and What It Costs

5 May 2026 · 5 min read · By Hak, VantagePoint Networks

Cyber Essentials Plus, as updated for 2026, is the UK government's most rigorous voluntary cyber security standard for organisations handling sensitive data. For London SMBs, professional services firms, and financial advisers, understanding what has changed this year and what certification actually costs is essential for meeting client expectations and government procurement requirements. This guide cuts through the jargon to show exactly what you are committing to.

What's New in Cyber Essentials Plus for 2026

The 2026 refresh of Cyber Essentials Plus builds on the framework's existing five core controls but introduces sharper, more prescriptive requirements around emerging threat vectors. The National Cyber Security Centre (NCSC), which oversees the scheme, has tightened definitions around what "secure configuration" actually means in practice.

Key updates for this year include:

For professional services and financial advisory firms in London, these changes directly impact how you manage client data and interact with cloud providers. The third-party risk requirement, in particular, means scrutinising the cyber defences of your accountancy software vendors, practice management platforms, and document repositories with greater rigour than ever before.

The Five Core Controls Under the New Standard

Secure Configuration

This control now requires documented device configurations for every hardware type in your estate. Removable media must be disabled by default, admin credentials must follow the new 12-character minimum, and BIOS/firmware security features must be explicitly enabled. For many SMBs running mixed environments—some on-premises, some cloud—this demands a comprehensive inventory and asset register.

User Access Control

MFA is no longer negotiable. Every user account must have MFA enabled, with administrator accounts subject to additional verification measures. This includes remote access, email, and cloud application logins. The principle of least privilege now requires documented role-based access controls (RBAC), with quarterly audits of user permissions.

Malware Protection

Endpoint detection and response (EDR) solutions are now explicitly preferred over traditional antivirus. The scheme expects real-time threat monitoring, not just reactive scanning. For managed IT service providers supporting SMBs, this often means upgrading from basic antivirus to more sophisticated EDR platforms.

Patch Management

The 30-day critical patch window applies to all systems—servers, workstations, and network infrastructure. This requires automated patch management tools and a formal change control process. Zero-day vulnerabilities must be assessed within 72 hours.

Secure Backup and Recovery

Backups must be tested quarterly, stored offline (not just disconnected), and protected from ransomware. The scheme now explicitly requires that recovery testing exercises be documented and that recovery time objectives (RTOs) are defined for critical business functions.

Costs and Timelines for Certification

Assessment and Audit Fees

Cyber Essentials Plus requires a full technical assessment by an accredited assessor, unlike the basic Cyber Essentials scheme which relies on self-assessment. For a typical London SMB (50–100 employees), expect assessor fees between £2,000 and £5,000. Larger firms and those with complex infrastructure may see assessments exceed £7,000.

The assessment typically takes 3–5 working days on-site or remote, depending on your infrastructure complexity and documentation readiness. Many organisations underestimate the preparation time required before the assessor arrives; having your asset register, configuration documentation, and policies pre-compiled can save thousands in assessor hours.

Remediation and Implementation Costs

This is where most SMBs experience genuine cost. If your current infrastructure doesn't meet the 2026 standard, you may need to invest in:

For a typical professional services firm in London currently running a basic cyber security setup, total implementation costs to reach Cyber Essentials Plus standard typically range from £12,000 to £25,000. Larger firms may exceed £40,000.

Ongoing Compliance Costs

Certification lasts three years, but maintaining compliance is continuous. Plan for annual surveillance audits (£800–£1,500) and factor in software licence renewals for EDR, MFA, and patch management platforms. Most organisations budget 0.5–1.0 FTE (full-time equivalent) of IT staff time per month for ongoing compliance management.

Many London SMBs find it cost-effective to partner with managed service providers who include Cyber Essentials Plus compliance as part of their service model. VantagePoint Networks, for example, helps professional services and financial advisory firms design compliance roadmaps that spread costs across multiple fiscal periods and align with existing technology refresh cycles.

Why 2026's Changes Matter to Your Business

The tighter standards reflect genuine threats. The 30-day patching requirement exists because most ransomware exploits known vulnerabilities within weeks of disclosure. The MFA mandate addresses the fact that credential compromise remains the leading attack vector. The third-party risk requirement acknowledges that supply chain attacks—like the 2023 MOVEit vulnerabilities—pose material business risk.

For London-based professional services firms, legal practices, and financial advisers, Cyber Essentials Plus certification has also become a competitive necessity. Large corporations and government bodies increasingly require it in their vendor contracts. If your clients are asking "Are you Cyber Essentials Plus accredited?"—and they are—certification isn't optional; it's a business requirement.

The good news is that the framework's prescriptive nature removes ambiguity. You're not guessing what "good" looks like; the NCSC tells you explicitly. The challenge is the honest assessment of where you are today relative to where the standard requires you to be, and the commitment to close that gap systematically.
