Defence Cyber Certification Pricing in 2026: What L0 and L1 Actually Cost, and Why

Defence Cyber Certification pricing is considerably more variable than Cyber Essentials pricing. A Cyber Essentials certificate from one IASME-licensed body costs within £50 of the same certificate from another body. A DCC L1 certificate can vary by £10,000 or more between providers, for reasons that are not always obvious until you read the quotes carefully.

This guide walks through what L0 and L1 DCC actually cost in the UK market as of 2026, what is included at each price point, and what the pricing gaps between Certification Bodies actually represent.

Level 0 pricing: reasonably standardised

DCC Level 0 pricing across the UK market is relatively consistent because the assessment itself is relatively constrained. L0 is a documentation-led review against a defined set of requirements, conducted primarily through the IASME portal, with a single assessor reviewing the submission. The economics are similar to Cyber Essentials - the labour component is contained, the audit work is structured, and there is limited scope for one body to take materially more effort than another.

Fig Group L0 pricing:

Market context: L0 pricing across the UK's DCC Certification Bodies generally ranges from £800 + VAT for micro organisations up to £7,000 + VAT for large organisations. Fig's pricing sits at the competitive end of the range, with transparency - no consultancy add-ons priced separately and no per-submission fees. The Cyber Essentials prerequisite is priced separately and is not bundled into the L0 engagement fee.

What L0 pricing includes:

• DCC L0 assessment against the current version of the Cyber Security Model (CSM v4, December 2025)
• Review of governance documentation, supply chain risk management, incident response evidence, and technical controls
• Up to three free rounds of assessor feedback
• Certificate issuance and registration on the IASME DCC register
• Three-year certificate validity with annual attestation pathway

The Cyber Essentials prerequisite is not bundled into the L0 engagement fee. A valid CE certificate must be held separately before L0 can begin; Fig can certify CE under our Cyber Essentials pricing where required.

What L0 pricing should NOT include surprise charges for:

• Assessor clarification rounds - these should be covered by the base fee
• Certificate delivery or badge generation
• Re-submission following minor feedback

Level 1 pricing: genuine complexity, genuine variability

DCC Level 1 is where pricing becomes materially variable, for a simple reason: L1 is not a documentation review. It is a consultative engagement that includes evidence preparation, gap analysis, remediation support, formal assessment, and (at Fig) technology platform gap analysis. The difference between a £10,000 L1 quote and a £30,000 L1 quote is usually the difference between "we will audit you" and "we will work with you".

Fig Group L1 pricing (includes dedicated consultant + technology platform access):

Every Fig L1 engagement includes a dedicated consultant who works with the client throughout the process, plus access to Fig's technology platform that automatically surfaces gaps in cyber defences (unpatched systems, misconfigured cloud resources, excessive privilege, exposed credentials, and other issues) so they can be remediated before formal assessment rather than becoming findings.

Why the range within each tier: L1 engagements vary in scope complexity. Factors that push a quote toward the upper end of the range:

• Multiple physical sites requiring assessment
• Extensive cloud infrastructure (multi-region, multi-tenant, complex IAM)
• Complex subcontractor chain requiring flow-down assurance
• Legacy systems that require special scoping or compensating controls
• High number of in-scope personnel requiring vetting documentation
• Additional regulatory overlays (DSPT for healthcare-adjacent work, ISO 27001 alignment, etc.)

Factors that keep a quote toward the lower end:

• Single site or fully remote
• Modern cloud-native infrastructure
• Minimal subcontractor chain
• Clean, well-documented existing posture (often from prior Cyber Essentials Plus or ISO 27001 work)

Market context: L1 pricing across the UK's DCC Certification Bodies ranges from roughly £8,000 + VAT for a minimal-scope micro engagement with audit-only support, up to £60,000+ + VAT for a complex large-organisation engagement with full consultancy support. Fig's pricing sits in the middle of that range, with the consultancy and technology platform bundled in rather than sold as add-ons.

What L1 pricing should include (and does at Fig):

• Full DCC L1 assessment against CSM v4
• Dedicated consultant for the engagement duration
• Technology platform gap analysis
• Evidence preparation support
• Up to three rounds of remediation feedback
• Certificate issuance, IASME register listing, three-year validity
• Annual attestation support

What L1 pricing should NOT include as hidden add-ons:

• Pre-engagement "readiness assessment" at a separate fee
• Per-interview charges during the assessor phase
• Additional fees for multi-site coverage within the agreed scope
• Separate charges for the initial CSM v4 gap review

How to read a DCC quote

When comparing quotes across Certification Bodies, the questions that matter:

1. Is Cyber Essentials included? L0 and L1 both require a valid CE certificate. If the CB charges for CE separately, add that to the base quote.

1. Is there a dedicated consultant, or does the CB only provide an assessor? A pure-audit engagement is cheaper but places more remediation burden on the supplier. A consultant-supported engagement is more expensive but materially reduces the risk of findings.

1. Is there technology platform support? Some CBs offer automated gap analysis to identify technical issues before assessment. This is a meaningful differentiator - issues found by a platform can be fixed quietly; issues found by an assessor become formal findings on the certification record.

1. Are remediation rounds included, or priced separately? L1 engagements frequently need clarification or remediation. A quote that includes three rounds is substantively different from one that charges per round.

1. What is the assessor-to-client ratio? CBs running high throughput per assessor will respond faster than CBs running lean. Ask about average turnaround from submission to certificate.

1. What happens at annual attestation? DCC is valid for three years with annual check-ins. The annual attestation is included in some pricing models and charged separately in others. Clarify before signing.

The honest bottom line on pricing

L0 DCC is a commoditised product. Pick the CB that offers the best combination of price, turnaround, and service quality. The price gap between providers is not large.

L1 DCC is not a commoditised product. The £10,000 difference between two quotes typically represents a fundamentally different service model - audit-only versus consultant-led, with or without technology platform support, with or without remediation cycles included. Choose based on the model that matches your needs, not on the headline number alone.

For suppliers new to the MOD supply chain, L1 consultant-led engagement with platform support is usually the right choice. The upfront cost is higher but the probability of a clean first-pass certification is materially higher. For suppliers with deep existing maturity from prior ISO 27001 or NCSC CAF work, an audit-only engagement may be sufficient and faster.

Fig's L1 pricing bundles consultant-led engagement and technology platform access into the base fee rather than charging them as add-ons, because most defence suppliers coming to DCC for the first time need both to succeed. Audit-only pricing is available on request for suppliers with genuine existing maturity who only need the formal assessment.

L1 pricing is presented as ranges (e.g., £9,999.99 – £14,999.99 for micro organisations) because the final price depends on the complexity of your scope. The variance within each tier is driven by scope size and complexity, starting maturity, technology platform findings, and subcontractor assurance needs. The consultant works with you upfront to scope the engagement accurately, providing a firm quote based on your specific situation. This transparency ensures no surprises - the price reflects the work needed, not arbitrary markups.

Primary sources

• IASME Consortium — Defence Cyber Certification — the DCC scheme administrator, including the list of licensed Certification Bodies you can request quotes from.
• NCSC — Cyber Essentials pricing — Cyber Essentials is priced separately and is a prerequisite for DCC L0 and L1.
• GOV.UK — Cyber security for defence suppliers — the Cyber Risk Profile classification that determines your required DCC level.

Get an L1 quote → | See full pricing →