If your charity handles donor details, beneficiary data or grant finances, cyber security is no longer an IT topic — it’s a trustee responsibility. The latest Cyber Security Breaches Survey 2025 found that 30% of UK charities (roughly 61,000 organisations) reported a breach or attack in the previous 12 months, with 86% of those identifying phishing as the most disruptive incident. Yet only 15% of charities are aware of Cyber Essentials — the government-backed scheme built to stop the most common cyber attacks. The cyber threat landscape keeps shifting, and funders are increasingly asking for proof you’ve done the basics. This step-by-step guide explains what the Cyber Essentials scheme is, what changes in April 2026, and how a small or medium-sized charity in Brighton, Sussex or anywhere in the UK can get certified without derailing the day job. It’s written for the charity sector — trustees, CEOs and operations leads doing the research before they commit.
Why Cyber Essentials matters for charities in 2026
Charities often handle sensitive data on small budgets, which makes them an attractive target. The 2025 survey pegs the average cost of the most disruptive breach for a charity at £3,240 — or £8,690 when zero-cost responses are stripped out. For small organisations with limited resources, that’s meaningful money diverted from frontline work, and the knock-on effects on data security, donor confidence and operations can last months. Trustees sit on the legal hook too: the Charity Commission for England and Wales makes clear that all trustees remain responsible for protecting the charity, even where operational cyber security is delegated.
Regulators are watching. Any data breach involving personal data can trigger a reprimand or fine from the Information Commissioner’s Office (ICO) under the General Data Protection Regulation. Cyber Essentials gives you a recognised, proportionate control set that demonstrates you’ve taken reasonable steps, and it’s also increasingly asked for by partners further up your supply chain.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed scheme owned by the National Cyber Security Centre and delivered by IASME. It’s a cost-effective cyber security certification aimed at organisations of all sizes, including charities, and it focuses on five cyber security controls that block the majority of common online security threats. The five Cyber Essentials controls are:
- Firewalls — a security filter between the internet and your network.
- Secure configuration — computers and cloud services set up to minimise attack surface.
- User access control — the right people with the right access, nothing more.
- Malware protection — defending endpoints and mailboxes against malicious software.
- Security update management — keeping software patched within 14 days for critical fixes.
You can sit the basic Cyber Essentials self-assessment (an assessor reviews your answers), or go further with Cyber Essentials Plus, where an assessor runs an independent technical audit against the same technical controls. NCSC figures suggest organisations that achieve Cyber Essentials certification are 80% less likely to need to claim on their cyber insurance than those without.
What’s changing in April 2026
From 27 April 2026, all new assessments move to Requirements v3.3 and a refreshed question set called Danzell (replacing Willow). The headline changes, confirmed by IASME:
- MFA becomes a hard requirement for cloud services wherever it’s available — missing MFA is an automatic fail.
- Cloud services cannot be excluded from scope. Microsoft 365, Google Workspace, fundraising platforms and CRM tools are all in.
- Update management is tightened: two new auto-fail questions verify that critical and high-severity patches are applied within 14 days.
- Scoping is clearer: organisations can request individual certificates per legal entity and must describe out-of-scope areas.
For most charities already running Microsoft 365 with MFA and a sensible patching routine, the update is evolution, not revolution.
Benefits of Cyber Essentials for charities
- Funding and contracts — an increasing number of grant funders, local authorities and central government contracts require Cyber Essentials. Certification opens new funding opportunities.
- UK GDPR alignment — the five controls map neatly to the “appropriate technical measures” the ICO expects.
- Free cyber liability insurance — charities under £20m turnover get up to £25,000 of cover and a 24/7 incident response line included with the certification.
- Donor and beneficiary trust — a public listing on the government’s Cyber Essentials directory is an honest proof point, and a clear signal of your commitment to cyber security.
Cyber Essentials vs Cyber Essentials Plus
The cost of basic Cyber Essentials certification (without any fixes or remediation) is typically around £570 +VAT; it’s priced on the size of your organisation, so it can vary. Cyber Essentials Plus certification adds an independent technical audit and typically starts from around £1,400 +VAT for a simple small charity. Many funders accept basic Cyber Essentials; if you bid for MoD or higher-risk contracts, aim for the Plus certification. IASME-accredited certification bodies handle the certification process end-to-end, so you don’t need in-house cyber security experts.
A step-by-step path to certification
- Scope the organisation — list every laptop, phone, server and cloud service that stores charity data, including volunteers’ devices used for work.
- Run a gap analysis against the Danzell question set. A short consultation with a cyber advisor usually takes a day or two.
- Fix the gaps — enforce MFA, tighten admin rights, turn on automatic updates, review firewall rules and enable cloud backups.
- Brief the team — only 21% of charities currently provide staff cyber training. A 30-minute phishing awareness session closes a huge amount of the risk.
- Submit the self-assessment via an accredited certification body. Most charities achieve certification within two to six weeks.
- Plan the renewal — Cyber Essentials is valid for 12 months, so bake the review into your annual governance cycle.
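To make the gap-analysis step (and the two v3.3 auto-fail areas described earlier, MFA on in-scope cloud services and the 14-day window for critical and high-severity patches) concrete, here is a small readiness checker. It is an added illustration written for this guide, not Ingenio’s, IASME’s or NCSC’s tooling: the inventory structure, the field names and the sample devices, services and patch dates are all constructed, and the two rules it applies are taken from the scheme changes summarised above.

```python
"""Self-assessment readiness check against two v3.3 auto-fail areas.

Added example for this guide; not official Cyber Essentials tooling.
The inventory format, field names and sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW_DAYS = 14  # v3.3: critical/high fixes applied within 14 days


@dataclass
class CloudService:
    name: str
    holds_charity_data: bool  # in scope if True (cloud cannot be excluded)
    mfa_available: bool       # does the provider offer MFA at all?
    mfa_enforced: bool        # is it switched on for every account?


@dataclass
class Patch:
    device: str
    software: str
    severity: str             # "critical", "high", "medium" or "low"
    released: date
    installed: Optional[date]  # None means the fix is still missing


def mfa_findings(services: List[CloudService]) -> List[str]:
    """MFA missing on an in-scope cloud service that offers it is an auto-fail."""
    findings = []
    for s in services:
        if not s.holds_charity_data:
            continue
        if s.mfa_available and not s.mfa_enforced:
            findings.append(f"{s.name}: MFA available but not enforced (auto-fail)")
    return findings


def patch_findings(patches: List[Patch], today: date) -> List[str]:
    """Critical/high fixes must be installed within 14 days of release."""
    findings = []
    for p in patches:
        if p.severity not in ("critical", "high"):
            continue  # lower severities are outside the auto-fail rule
        deadline = p.released + timedelta(days=PATCH_WINDOW_DAYS)
        if p.installed is None:
            if today > deadline:  # still within the window is not yet a finding
                late = (today - deadline).days
                findings.append(
                    f"{p.device}/{p.software}: {p.severity} fix missing, "
                    f"{late} days past the 14-day window (auto-fail)")
        elif p.installed > deadline:
            late = (p.installed - deadline).days
            findings.append(
                f"{p.device}/{p.software}: {p.severity} fix applied {late} days late")
    return findings


def readiness(services: List[CloudService], patches: List[Patch], today: date) -> dict:
    findings = mfa_findings(services) + patch_findings(patches, today)
    return {"ready": not findings, "findings": findings}


def sample_inventory():
    """Constructed sample data: a fictional small charity's estate."""
    today = date(2026, 5, 11)
    services = [
        CloudService("Microsoft 365", True, True, True),       # compliant
        CloudService("Fundraising platform", True, True, False),  # auto-fail
        CloudService("Website hosting", False, True, False),   # no charity data
        CloudService("Legacy CRM", True, False, False),        # no MFA offered
    ]
    patches = [
        Patch("laptop-01", "browser", "critical", date(2026, 4, 20), date(2026, 4, 25)),
        Patch("laptop-02", "operating system", "high", date(2026, 4, 10), None),
        Patch("laptop-03", "office suite", "critical", date(2026, 4, 1), date(2026, 4, 28)),
        Patch("laptop-04", "pdf reader", "medium", date(2026, 3, 1), None),
        Patch("laptop-05", "browser", "high", date(2026, 5, 5), None),  # still in window
    ]
    return services, patches, today


if __name__ == "__main__":
    svc, pts, now = sample_inventory()
    report = readiness(svc, pts, now)
    print("Ready to submit:", report["ready"])
    for line in report["findings"]:
        print(" -", line)
```

Run against the constructed inventory it flags three items: the fundraising platform with MFA switched off, a high-severity operating system fix that is 17 days past its window, and a critical office suite fix installed 13 days late; the browser fix released six days ago is not yet a finding because the 14-day window has not expired. Feeding it your real asset list is the quickest way to see which of the step-3 fixes you still owe before you submit.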
Common questions charities ask
Is Cyber Essentials free for charities? Not currently. The NCSC’s Funded Cyber Essentials Programme for small charities has closed, but Scottish charities can apply to SCVO for advisor time, Welsh charities can look at the Newid Cymru technology grants, and the UK-wide Cyber Local 2025–26 fund supports projects that encourage Cyber Essentials adoption.
Do we still need Cyber Essentials if we outsource IT to a managed provider? Yes. The certificate applies to your organisation, not theirs. Many charities lean on their IT partner to get the controls in place, then sit the assessment with confidence.
Does it cover volunteers’ personal devices? If a volunteer uses their own laptop or phone to access charity data, it’s in scope under v3.3. That’s why the Danzell question set hardens the expectations around bring-your-own-device working.
How Ingenio helps Brighton and Sussex charities
We work with small and medium-sized charities across Brighton and Sussex as a pragmatic partner, not a box-ticker. We run the gap analysis, handle the Microsoft 365 hardening, enable MFA without breaking volunteer logins, set up patching and backups, and walk the trustees through the evidence. When the scheme updates — as it does each April — we keep you on the current question set so the renewal is a formality.
Final thought
Cyber Essentials isn’t a silver bullet, but it’s the best starting point a charity has: proportionate, government-backed, funder-friendly, and inexpensive. Done well, it tightens your cyber security posture, strengthens everyday security measures like MFA and patching, and gives trustees real peace of mind. If you’re still in the research phase and want to talk it through — no hard sell — we’re happy to help you scope it out.
👉 Get in touch with the Ingenio team.