Cyber Essentials has become a widely recognised baseline for UK organisations looking to reduce cyber risk and satisfy customer or procurement expectations, with over 55,000 organisations holding the accreditation.
Increasingly, the conversation at board-level is turning from “Should we do Cyber Essentials?” to “Is Cyber Essentials enough?”
Cyber Essentials Plus (CE+) is growing in popularity for this reason. It builds on the same five technical control areas as Cyber Essentials (CE) but adds independent technical verification.
In practice, that difference – tested vs declared – is the key reason many organisations are stepping up to CE+.
Importantly, there’s evidence that the “cyber basics” are worth doing. Government-published information and independent evaluations point to meaningful reductions in common risks and downstream benefits (including insurance outcomes).
For many organisations, CE+ is simply the most credible way to prove those basics are actually in place. But that’s not the only reason.
Below we explore the reasons why organisations are choosing CE+ over CE, supported with the most relevant data available.
Independent Verification: Moving Beyond “Marking Your Own Homework”
The most fundamental difference is that Cyber Essentials is a verified self-assessment, while Cyber Essentials Plus adds independent testing and sampling of an organisation’s systems to confirm the controls are implemented.
That shift matters because cyber security failures frequently come from small gaps between what organisations believe is configured and what actually exists across devices, users, and cloud services.
CE+ addresses this by introducing assessor-led checks – giving leadership, customers, and insurers higher confidence that controls aren’t just written down, but operational.
This focus on proof is increasingly aligned to how government and industry describe CE’s purpose: it’s about a practical baseline of controls that reduce exposure to common threats.
Proof is valuable in other ways: as environments become more complex (hybrid work, cloud services, unmanaged endpoints), organisations want certainty. CE+ provides a clearer “yes/no” answer than any self-assessment can.
Greater Credibility With Customers, Partners, And Boards
In many sectors, CE is now considered the minimum expected standard: useful, but no longer differentiating.
Government guidance explicitly notes that Cyber Essentials is increasingly used by organisations (including major institutions) to strengthen supply chain security expectations.
Where CE can still be perceived as “paper compliance,” CE+ is easier to defend internally and externally because it includes technical validation. That’s particularly attractive for organisations with boards, clients, or regulators asking for evidence rather than assurances.
There’s also a measurable adoption signal here: government management information shows that in the most recent annual view (Jan–Dec 2025), 13,707 certificates were awarded at CE+ level out of 55,995 total certificates – roughly one quarter choosing the independently tested route.
While this is encouraging, it means that those holding CE+ are still in an elite
Procurement Pressure: CE Is The Baseline; CE+ Wins Points
Cyber Essentials has long been linked to eligibility for certain government contracts, particularly where suppliers handle personal or sensitive data. Government guidance states that holding an up-to-date Cyber Essentials certificate enables bidding for relevant government work.
But procurement doesn’t stand still. As Cyber Essentials becomes more common, buyers increasingly differentiate between suppliers who have a baseline certificate and those who can demonstrate additional assurance.
Even where CE+ isn’t mandatory, it can reduce friction in supplier due diligence (especially when security questionnaires or audits are involved).
We can see this dynamic reflected in adoption and motivation commentary from market research and scheme discussions: contract and customer requirements are repeatedly cited as a key driver for certification decisions (even among SMEs), with awareness and supply-chain demands shaping behaviour.
In a nutshell: if a procurement team wants a shortcut to confidence, CE+ provides it more readily than CE does.
Stronger Protection Against Common Threats Because It Validates The Basics
CE and CE+ share the same “five controls” foundation, designed to reduce exposure to the most common internet-based attacks. The impact evaluation and associated commentary around the scheme highlight the effectiveness of these controls in reducing common vulnerabilities when properly implemented.
One of the most quoted findings tied to the scheme’s underlying control approach is that CE’s technical controls mitigate a very high proportion of internet-originating vulnerabilities when correctly applied.
And this connects directly to why CE+ is attractive: the controls may be strong, but organisations want to know they are consistently enforced, not partially implemented or unevenly applied. CE+ seeks to prove that.
In security, intent doesn’t stop attacks. Implementation does. CE+ is about verifying implementation.
Insurance: A Clearer Risk Signal To Underwriters
Cyber insurance has been a boom sector in recent years, and thanks to some high-profile incidents and claims, underwriting has tightened.
One of the most compelling statistics published in government Cyber Essentials materials is that organisations with Cyber Essentials controls are 92% less likely to make a claim on their cyber insurance (source: https://www.gov.uk/government/statistical-data-sets/cyber-essentials-management-information).
Even if we treat that as a scheme-level association (rather than a guarantee for any one firm), it’s a powerful signal: insurers care about these baseline controls.
In parallel, industry commentary aimed at SMEs notes that insurers increasingly ask about Cyber Essentials in renewal processes, reflecting the growing role of demonstrable controls in pricing and eligibility discussions.
So if CE reduces threats, CE+ can strengthen insurers’ confidence that the controls are really there. Where CE might be acceptable as a baseline response, CE+ can function as stronger evidence – particularly for businesses with higher risk profiles, customer data exposure, or supply chain obligations.
Improved Internal Accountability And Governance
One of Cyber Essentials’ less obvious benefits is organisational: it creates structure, prompts policy decisions, and clarifies ownership for security basics.
The scheme’s impact evaluation discusses how certification can influence security behaviours and perceptions, and associated analysis highlights high levels of reported confidence and improvements in cyber risk understanding among users.
For example, analysis of the impact/process work around Cyber Essentials reports high proportions of users indicating improved confidence and understanding of cyber risks following certification.
CE+ amplifies this effect because it forces organisations to operationalise policies in a way that stands up to scrutiny: device configurations, patching, access controls, and malware protections must be demonstrably applied.
That often drives better separation of admin accounts, tighter MFA discipline, clearer asset inventories, and stronger endpoint management – because the assessment will test them.
The Threat Landscape Is Escalating: “Baseline + Proof” Is The Rational Response
Finally, the macro context matters.
Organisations are stepping up security assurance because the environment is worsening. Reporting and commentary on national cyber trends highlight increases in serious incidents and sustained threat pressure, reinforcing why boards and buyers are asking tougher questions.
When the cost of disruption rises—and when ransomware, phishing, and supply-chain compromise are constant topics in leadership discussions—organisations naturally gravitate toward security measures that are both practical and verifiable.
Cyber Essentials positions itself as protection against common threats by focusing on baseline cyber hygiene.
CE+ is the version of that story that’s easiest to defend: “We didn’t just say we do the basics. We proved it.”
Summary: When Cyber Essentials Plus Is (Usually) The Right Choice
CE+ tends to make the most sense when an organisation:
- Needs to prove controls for procurement, supply chain, or regulated customers.
- Wants stronger support in insurance conversations (or wants to de-risk renewal).
- Has complex environments (remote endpoints, cloud identity, mixed estates) where self-attestation is risky.
CE remains a valuable and often appropriate starting point.
But the reasons above explain why CE+ is increasingly viewed as the better commercial and risk decision: it turns baseline hygiene into validated assurance.
Akita has accredited assessors for both Cyber Essentials and Cyber Essentials Plus. To discuss which accreditation is right for your organisation, please get in touch: