Most published guidance on Defence Cyber Certification focuses on L0 and L1 because those two levels cover the majority of MOD suppliers. But L2 and L3 exist, apply to a substantial minority of suppliers, and look quite different operationally - different baseline (CE Plus rather than CE), different Certification Body options (a smaller accredited pool), different timeline (months rather than weeks), and different price point (six figures rather than four or five).
This article covers what L2 and L3 actually involve. Fig Group is an IASME-licensed Defence Cyber Certification Body; we refer suppliers who need L2/L3 to other certification bodies where appropriate. So this guide is written without commercial incentive - it is what I tell suppliers who ask "should I be aiming for L2 or L3?" and "who do I talk to?".
For context on the broader scheme, see the DCC explainer and DCC levels guide.
Who actually needs L2 or L3
L2 applies to Moderate CRP contracts. In MOD terms, that generally means:
- Contracts where the supplier handles operationally significant MOD data (financial, operational, personnel).
- Suppliers with systems connected to MOD operational networks (not just email and documents, but actual platform integration).
- Suppliers in mid-value prime contracts across technology, engineering, and systems integration.
L3 applies to High CRP contracts. That generally means:
- Suppliers handling classified information (OFFICIAL SENSITIVE and above).
- Suppliers delivering critical operational capabilities (platforms, weapons, C4ISR).
- Suppliers with deep integration into MOD networks, including persistent connectivity.
- Major defence primes on flagship programmes.
The buyer specifies the CRP in the contract or tender. Suppliers cannot strategically opt for L2 or L3 to appear more credible - the CRP is set by the work's sensitivity, not by the supplier's preference.
Technical baseline: CE Plus, not CE
The single biggest technical difference between L0/L1 and L2/L3 is the underlying Cyber Essentials baseline. L0 and L1 require Cyber Essentials (CE) - a primarily documentary assessment with limited technical testing. L2 and L3 require Cyber Essentials Plus (CE Plus) - hands-on technical testing by an assessor who probes the controls, runs scans, and verifies that what is declared matches what is configured.
CE Plus materially raises the bar. A supplier who passed CE comfortably may still struggle with CE Plus if their declared controls are not consistently applied across the estate. Organisations aiming for L2 typically invest in CE Plus 3 to 6 months ahead of L2 engagement to give themselves time to remediate any CE Plus findings.
What L2 adds on top of L1
L2 includes everything in L1 and adds:
- Formal ISMS with demonstrable operational maturity. Not just documentation; evidence of ISMS operation over at least 12 months, including management reviews, internal audits, corrective action closures.
- Privileged Access Management programme. Dedicated PAM tooling (CyberArk, BeyondTrust, or equivalent) or a documented and evidenced manual process for just-in-time privileged access.
- Continuous vulnerability monitoring. Regular internal and external scanning with tracked remediation SLAs by severity.
- Documented security operations capability. SOC (in-house or outsourced) or equivalent monitoring capability with documented runbooks.
- Tested incident response. Annual tabletop exercise plus at least one live simulation per certificate period.
- Multi-tier supply chain assurance. Active verification of supplier security posture beyond tier one.
- Staff vetting to higher standards. BPSS as baseline; SC where contracts require it.
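The "continuous vulnerability monitoring" control above asks for remediation SLAs tracked by severity, which is easiest to evidence with a simple, repeatable report: for every finding, when the scanner first saw it, the deadline its severity implies, and whether it was closed in time. The script below is an added illustration written for this article, not tooling from the DCC scheme, IASME, or any named Certification Body. The SLA day counts, the finding records and the `as_of` date are all constructed assumptions chosen to exercise each status.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLA (days from first detection) per severity.
# Illustrative values only; the scheme does not prescribe these numbers.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    host: str
    severity: str                      # one of the SLA_DAYS keys
    first_seen: date                   # date the scanner first reported it
    resolved: Optional[date] = None    # date a rescan confirmed the fix, if any


def sla_deadline(f: Finding) -> date:
    """Deadline = first detection plus the severity's SLA window."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity.lower()])


def classify(f: Finding, as_of: date) -> str:
    """One of: closed_in_sla, closed_late, open_in_sla, overdue."""
    deadline = sla_deadline(f)
    if f.resolved is not None:
        return "closed_in_sla" if f.resolved <= deadline else "closed_late"
    return "open_in_sla" if as_of <= deadline else "overdue"


def evaluate(findings: List[Finding], as_of: date) -> Dict[str, str]:
    """Map each finding id to its SLA status as of the given date."""
    return {f.finding_id: classify(f, as_of) for f in findings}


def summarise(findings: List[Finding], as_of: date) -> Dict[str, Dict[str, int]]:
    """Count findings per severity and status (the headline figure an assessor asks for)."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        bucket = summary.setdefault(f.severity.lower(), {})
        status = classify(f, as_of)
        bucket[status] = bucket.get(status, 0) + 1
    return summary


def overdue(findings: List[Finding], as_of: date) -> List[Tuple[Finding, int]]:
    """Open findings past their deadline, most overdue first, with days past deadline."""
    late = [(f, (as_of - sla_deadline(f)).days)
            for f in findings if classify(f, as_of) == "overdue"]
    return sorted(late, key=lambda t: t[1], reverse=True)


# Constructed sample scan findings and reporting date (not real hosts or data).
AS_OF = date(2026, 4, 30)
SAMPLE = [
    Finding("F-001", "web-01", "critical", date(2026, 4, 20), date(2026, 4, 24)),  # closed within 7 days
    Finding("F-002", "web-02", "critical", date(2026, 4, 10)),                      # open, deadline 17 Apr
    Finding("F-003", "db-01",  "high",     date(2026, 3, 1),  date(2026, 4, 15)),  # closed, but after 31 Mar
    Finding("F-004", "app-03", "high",     date(2026, 4, 20)),                      # open, deadline 20 May
    Finding("F-005", "fs-01",  "medium",   date(2026, 1, 1)),                       # open, deadline 1 Apr
    Finding("F-006", "lap-07", "low",      date(2026, 2, 1)),                       # open, deadline 31 Jul
]

if __name__ == "__main__":
    for sev, counts in summarise(SAMPLE, AS_OF).items():
        print(f"{sev:9s} {counts}")
    for f, days in overdue(SAMPLE, AS_OF):
        print(f"OVERDUE {f.finding_id} on {f.host} ({f.severity}): {days} days past deadline")
```

Run against a real scanner export, the `summarise` output is the per-severity compliance table and the `overdue` list is the remediation backlog; keeping both dated per scan cycle gives the 12-month operational evidence the control asks for, rather than a policy document that states the SLA.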
What L3 adds on top of L2
L3 includes everything in L2 and adds:
- Active threat intelligence capability. Either subscribed or in-house, with evidence of intelligence driving defensive action.
- 24/7 monitoring where the contract's operational profile requires it.
- Defence-specific incident scenarios. Tabletop and simulation exercises using scenarios aligned to the contract's operational context.
- On-site verification. The assessor conducts site visits for certain controls; this is not optional at L3.
- Supply chain active verification, not attestation. Tier-two and tier-three suppliers must demonstrate active security posture, not just sign supplier questionnaires.
- Staff vetting at SC or DV. Where the work genuinely requires it; assessor verifies currency.
Who delivers L2 and L3 in the UK
As of April 2026, the main IASME-licensed Certification Bodies accredited to deliver DCC at L2 and L3 include:
- NCC Group - the largest accredited body; deep defence sector experience; enterprise engagement model.
- Bridewell - a core partner in the DCC scheme's development; strong consultancy alongside assessment.
- C3IA - long-standing defence specialism; deep expertise at the higher tiers.
- Indelible Data - boutique body with defence sector specialism.
Smaller or newer bodies that are L0/L1-only (including Fig Group) cannot deliver L2 or L3. The accreditation is level-specific and earning it is a multi-year process.
For a broader comparison including L0/L1 bodies, see the DCC certification body comparison.
Timeline expectations
L2 and L3 are measured in months, not weeks:
| Level | Typical end-to-end timeline | Assessor effort |
|---|---|---|
| L2 | 3 – 6 months | 10 – 20 assessor days |
| L3 | 4 – 9 months | 20 – 40 assessor days, including on-site |
These timelines assume the supplier is starting from a strong L1 or ISO 27001 baseline. A supplier attempting L2 from an ad-hoc governance starting point should expect 6 to 12 months before being assessment-ready. L3 from a low baseline is effectively a 12-to-18-month programme.
Price expectations
L2 and L3 pricing is bespoke, driven by scope complexity, site count, and the depth of operational maturity evidence required. Rough 2026 market ranges:
- L2 engagements: £40,000 – £120,000 + VAT for most organisations, with large defence primes at the upper end.
- L3 engagements: £80,000 – £250,000 or more, plus VAT, depending on scale and complexity.
Within these ranges, the variance is driven by scope (single site vs multi-site vs international), maturity (existing ISO 27001 materially reduces effort), and technical estate (cloud-native simpler than on-prem legacy).
When to certify at L2 rather than stay at L1
Three signals that a supplier should aim for L2:
- Pipeline. Three or more Moderate CRP opportunities in the 12-month pipeline.
- Existing maturity. You hold ISO 27001, have a functioning SOC (in-house or MSSP), and operate at or near the L2 evidence standard already.
- Buyer strategic conversation. A prime contractor has signalled they want their tier-one subcontractor base at L2 specifically.
Absent these signals, staying at L1 is usually the right commercial choice. L2 is a substantial step up and does not pay for itself on a single contract win.
When to certify at L3
L3 is rarely an opt-in. It is driven by specific high-CRP contracts where the buyer mandates it. Suppliers certifying at L3 usually do so because a specific programme requires it, and the certification economics work only within that contract context.
The exception is major defence primes for whom L3 is strategic infrastructure - it positions them for the full spectrum of MOD work including classified programmes. For those primes, L3 is an ongoing capability rather than a project.
The practical path to L2 or L3
For most suppliers, the path looks like this:
- L0 first to establish governance and the CE baseline. 14–21 days.
- L1 next to build ISMS and subcontractor assurance. 6–10 weeks, 3–6 months after L0.
- CE Plus as the technical upgrade ahead of L2. 4–8 weeks alongside L1 operations.
- L2 engagement 6–12 months after L1, with existing ISO 27001 evidence if you have it.
- L3 engagement only if pipeline warrants the additional investment, typically 12+ months after L2.
Skipping steps is possible but introduces risk. A supplier attempting L2 cold (no L0, no L1, no ISO 27001) will struggle.
For L0 or L1 preparation with Fig, see the DCC pricing guide. For L2 or L3, engage NCC Group, Bridewell, or C3IA directly.