Industry

DCC vs Cyber Essentials Plus: How the Two Schemes Relate and When You Need Each

Compliance overview dashboard comparing Cyber Essentials Plus and Defence Cyber Certification coverage

Cyber Essentials (CE) and Cyber Essentials Plus (CE Plus) are both UK government-backed cybersecurity certifications administered by IASME. Defence Cyber Certification (DCC) is the MOD's supply chain certification scheme, also administered by IASME. Suppliers often ask whether the schemes duplicate each other, whether CE Plus replaces DCC, or whether a DCC certificate removes the need to hold CE at all. The short answer: the two schemes stack. DCC is built on top of CE or CE Plus, depending on your required DCC level, and you hold both certificates - not one or the other.

This guide walks through the relationship, the differences, and the decision framework for which certificate combination a given MOD supplier needs.

The basic mapping

  • DCC Level 0 requires a current Cyber Essentials certificate. CE is the technical baseline; L0 layers defence-specific governance and supply chain evidence on top.
  • DCC Level 1 requires a current Cyber Essentials certificate. L1 layers consultant-led evidence, technology platform gap analysis, and interviews on top of the CE baseline.
  • DCC Level 2 requires a current Cyber Essentials Plus certificate. L2 adds substantial ISMS evidence and on-site or remote verification to the CE Plus baseline.
  • DCC Level 3 also requires Cyber Essentials Plus. L3 adds multi-tier supply chain assurance and deeper technical verification.

So the answer to "do I need CE or CE Plus?" is determined by the DCC level your contract requires, which in turn is determined by the Cyber Risk Profile of that contract.

What CE and CE Plus actually test

Cyber Essentials (CE) is primarily documentary. The supplier answers a structured self-assessment questionnaire covering the five technical controls - firewalls, secure configuration, security update management, user access control, malware protection. An IASME-licensed assessor reviews the answers, asks clarification questions, and issues the certificate when satisfied. Assessment is typically same-week for prepared organisations.

Cyber Essentials Plus (CE Plus) is CE plus hands-on technical testing. An assessor runs an independent vulnerability scan against the in-scope boundary, spot-checks MFA configuration, tests malware protection by attempting to execute sample payloads, and verifies the controls claimed in the self-assessment match reality. CE Plus is a substantially bigger engagement - typically 1-3 days of assessor time at the supplier's premises or remotely.

The material difference: CE is an attestation with independent review. CE Plus is an attestation with independent review and independent technical verification.

What DCC adds on top

DCC is not a repeat of CE/CE Plus. It adds defence-specific requirements:

  • Governance evidence that goes beyond the CE questionnaire - Information Security Policy, Incident Response Plan, supply chain risk management, staff vetting.
  • CSM v4 attestation - the MOD's Cyber Security Model v4 (December 2025) adds defence-specific overlays on top of the CE technical baseline.
  • Supply chain flow-down requirements - how the supplier assures its own suppliers handle MOD data.
  • IASME DCC register listing - a public register of certified defence suppliers at each level.
  • Three-year certificate validity with annual attestation.

DCC does not re-test the five technical controls; it trusts the CE (or CE Plus) assessor's finding on those and builds defence-specific assurance on top. This is why both certificates are required - the DCC certificate is evidence of scheme compliance for MOD procurement, and the underlying CE/CE Plus certificate is evidence of technical hygiene.

The pricing implication

CE and CE Plus have materially different price points. Typical UK market prices:

  • CE (standard): £300 - £600 + VAT, depending on the Certification Body and organisation size.
  • CE Plus: £1,500 - £5,000 + VAT, depending on Certification Body and scope.

So a supplier bidding for L1 contracts faces two fees: CE (~£400) + DCC L1 (Fig: £9,999 - £49,999 by size). A supplier bidding for L2 contracts faces: CE Plus (~£2,500) + DCC L2 (typically £30,000+).

When comparing quotes from Certification Bodies, confirm whether CE or CE Plus is bundled in the DCC fee or quoted separately. At Fig, CE and CE Plus are priced separately from DCC, though we can bundle on request.

Timing: sequence or parallel?

Some suppliers try to run CE (or CE Plus) and DCC in parallel to save time. This rarely works. DCC assessors require a current CE or CE Plus certificate before issuing the DCC certificate - the CE baseline must be in hand before the DCC submission is complete. You can prepare DCC governance evidence in parallel with CE, but you cannot certify DCC before CE.

The cleaner sequence:

  1. Confirm the required DCC level from the contract CRP.
  2. If L0 or L1, obtain CE first. If L2 or L3, obtain CE Plus first.
  3. Use the CE or CE Plus engagement to stand up the technical evidence baseline (patch reports, firewall configs, MFA evidence, AV coverage).
  4. Begin DCC governance preparation in parallel with the CE/CE Plus assessment.
  5. Submit DCC evidence once CE/CE Plus is issued.

For prepared suppliers running this sequence, L0 DCC can issue within 2-3 weeks of CE. L1 DCC is a 6-10 week engagement following CE.

See the DCC timeline guide for realistic timelines across both levels.

When CE Plus is worth doing even if you only need L0 or L1

Some suppliers hold CE Plus even though their current contract only requires CE. Common reasons:

  • Pipeline considerations. A supplier bidding for a mix of CRP Very Low and Moderate contracts will eventually need CE Plus for the Moderate pipeline. Holding it pre-emptively avoids scrambling.
  • Commercial positioning. CE Plus is a stronger commercial signal than standard CE for non-MOD buyers who are increasingly asking suppliers about cybersecurity certifications.
  • Insurance. Some cyber insurance policies offer preferential terms for CE Plus holders.

For most L0-only and L1-only suppliers, however, standard CE is the correct choice. There is no DCC benefit to holding CE Plus if the contract CRP only requires L0 or L1.

Renewal cadence

CE and CE Plus certificates are each valid for 12 months. DCC certificates are valid for three years with an annual attestation. Operationally, this means:

  • CE or CE Plus must be renewed annually.
  • The DCC annual attestation typically coincides with CE/CE Plus renewal, so the two reviews run together.
  • Every three years, the full DCC assessment is repeated.

This cadence is important for procurement. A DCC certificate issued in April 2026 is valid until April 2029, provided the annual attestations are completed each year. If the underlying CE or CE Plus lapses, the DCC certificate is effectively suspended until CE/CE Plus is restored.

The practical decision

If your contract CRP is Very Low or Low, you need standard CE plus DCC L0 or L1. If it is Moderate or High, you need CE Plus plus DCC L2 or L3. Fig is an IASME-licensed Defence Cyber Certification Body and an IASME-licensed CE and CE Plus Certification Body - we can deliver the full CE → DCC L0/L1 path as a single engagement. For L2 or L3 we refer suppliers to Certification Bodies accredited at those higher levels.

