Cyber Essentials for Charities: What Certification Requires and Why It Matters

The UK government requires Cyber Essentials certification from charities and other organisations receiving certain categories of government grant. NHS and local authority commissioning increasingly expects Cyber Essentials from third-sector service delivery organisations. And Cyber Essentials provides charities with the structured baseline of technical controls that the Charity Commission expects trustees to have in place. For most charities, Cyber Essentials is the right starting point for building a security programme.

Government grants involving personal data now require Cyber Essentials certification — and NHS commissioning increasingly expects it from third-sector health and care providers.

Applying the Five Cyber Essentials Controls in a Charity

The five Cyber Essentials controls apply to charities as they do to commercial organisations:

Firewalls: boundary firewalls on the charity's internet connection with restrictive default-deny rules.

Secure Configuration: removing default credentials on all devices, disabling unnecessary services, keeping software up to date.

User Access Control: unique accounts for all staff and volunteers, least-privilege access, no shared admin accounts.

Malware Protection: approved malware scanning on all in-scope devices including staff laptops and desktop computers.

Patch Management: high-risk security patches applied within 14 days.

The scope of a charity's Cyber Essentials assessment typically includes office computers, laptops, smartphones used for work, and any cloud services (Microsoft 365, Google Workspace, fundraising platforms) accessed from in-scope devices.

Cyber Essentials Costs and NCSC Support for Charities

Cyber Essentials has two tiers: Cyber Essentials (self-assessment questionnaire, typically £300–£500 for a small charity) and Cyber Essentials Plus (independent technical testing, typically £2,000–£5,000 depending on scope). The NCSC provides subsidised Cyber Essentials assessments through its academic partner programme for certain charities — worth investigating before purchasing at standard rates. Some certification bodies offer charity-rate discounts. The NCSC also provides free resources specifically for charities and non-profits, including the Small Charity Guide to Cybersecurity. Kyanite Blue helps charities achieve Cyber Essentials certification at affordable rates, including gap assessment and remediation support.
