Cyber Essentials Plus for UK Charities: Trustee Accountability, Funder Requirements, and the Practical Path on a Tight Budget

UK charities face Cyber Essentials Plus from three directions. The Charity Commission's governance framework places responsibility on trustees for safeguarding charity assets, including the donor data and beneficiary data the charity holds digitally. Funders and grant-makers increasingly ask about cyber security controls in funding applications, often naming Cyber Essentials by name. UK GDPR places confidentiality and security obligations on the charity as the data controller for donor and beneficiary information.
What follows is what each direction actually expects, what the cost and timeline reality looks like for a charity on a tight IT budget, and how a charity with a small or part-time IT function clears the assessment.
What the Charity Commission expects
The Charity Commission does not name Cyber Essentials. The Commission's guidance places the responsibility for safeguarding charity assets on trustees. That responsibility extends to digital assets and to the personal data the charity holds about donors, beneficiaries, volunteers, and staff.
CC3, the Commission's guidance on the essential trustee, sets out the trustee duty to act in the charity's best interests, manage the charity's resources responsibly, and act with reasonable care and skill. Where the charity holds personal data on donors and beneficiaries, that duty extends to the cyber controls protecting that data. A breach of donor data caused by inadequate controls is a breach the trustees are accountable for under the broader governance framework.
The Commission's serious-incident reporting regime requires trustees to report significant cyber incidents to the regulator. That requirement is downstream of the trustee duty to maintain effective controls in the first place.
Cyber Essentials Plus is the cleanest single artefact for evidencing the technical-controls layer of that trustee responsibility. It produces an external, dated, assessor-signed certificate that says the five technical controls were in place on assessment day. That is what the Commission's framework expects trustees to be able to point at.
The five controls translate into the practical work of donor-data confidentiality and beneficiary-data protection without much friction. Firewalls keep traffic that should not reach the charity's network from reaching it. Secure configuration removes default credentials and exposed services from the charity's devices. User access control restricts donor and beneficiary folders to the people working on the casework or the fundraising. Malware protection runs on every device that touches donor or beneficiary data. The 14-day patching window for high-severity vulnerabilities keeps the operating system and application layer current against known exploits.
A charity holding those controls is meeting the practical work of the trustee duty. A charity without them is exposed at the next funder due diligence and at the next ICO incident report.
What funders and grant-makers ask for
Funders and grant-makers run cyber due diligence on their grantees. The questionnaire is the deliverable. The questions on it have moved from optional to mandatory across most major funder cohorts.
National Lottery Community Fund, the larger trust funders, central government grant-making bodies, and major corporate philanthropy programmes now ask about cyber security controls in funding applications above certain thresholds. Many name Cyber Essentials or Cyber Essentials Plus by name as a preferred or required artefact. The threshold is funder-specific.
For digital service delivery grants, where the funded work depends on the charity's IT estate, the cyber requirement is usually firmer. Funders backing helpline services, online beneficiary support, digital safeguarding tools, or data-driven research expect the charity to have cyber controls in place commensurate with the digital risk.
The certificate question always sits at the top. The funder wants the certificate number, the issuing certification body, and the expiry date. A current CE Plus answers this in one line.
Beyond the certificate, funders increasingly ask about multi-factor authentication coverage on staff accounts, patching cadence on the donor and beneficiary systems, and the charity's incident-response process. CE Plus assessment day samples the identity layer and the patching cadence. The incident-response process sits alongside the certificate in the charity's broader governance arrangements.
Where the answers land varies sharply by which certificate the charity holds. With a current CE Plus, the cyber section of the funder due diligence closes on the certificate alone. With CE Basic, parts of it close. With neither, the charity faces a longer due-diligence conversation that may delay the funding decision past the funder's review cycle.
The donor-data and beneficiary-data layer
UK GDPR places the charity, as data controller, in the responsibility chain for the personal data it holds. Donor data is identifiable personal data. Beneficiary data, particularly for charities working in safeguarding, mental health, refugee support, or similar sensitive sectors, often includes special-category data attracting additional protections.
The ICO Guide to UK GDPR sets out the security principle (Article 5(1)(f)) and the security obligation (Article 32). The charity must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Cyber Essentials Plus addresses the technical-measures layer of that obligation. It does not address the organisational-measures layer (data-protection policies, staff training, data-protection impact assessments), which sits alongside it in the charity's broader data-protection programme. A charity with CE Plus has the technical-measures evidence for the ICO. The organisational-measures evidence sits in policy, training records, and DPIAs (per the latest resilience compliance framework update).
For charities holding special-category beneficiary data, the layered approach matters more. The technical evidence from CE Plus is necessary but not sufficient. The organisational policies and the practical safeguards around access to beneficiary records are equally important.
The IT-budget reality
The honest framing for most charities is that the IT function is small, part-time, or outsourced to a generalist provider with sector-aligned pricing. That does not change what CE Plus checks. It does change how the engagement gets scoped and run.
Most charities run on Microsoft 365 plus a CRM (Salesforce NPSP, Microsoft Dynamics, or a sector-specific platform like Donorfy or Beacon) plus a finance system (Xero, QuickBooks, or similar) plus a website with a donation gateway. The outsourced IT provider usually covers desktops and the M365 tenancy. The CRM vendor handles the CRM. The finance vendor handles the finance system. The donation gateway is usually run by a payment-card-compliant third party.
CE Plus checks layers across all of these: application-layer patching on the CRM, the finance system, the case-management application if the charity runs one, and the website; browser plug-ins and extensions used by the fundraising team; firmware on the perimeter device, which the IT provider often relies on the network vendor to handle; identity-layer hygiene, including MFA coverage on the trustee, CEO, and director accounts that often have administrative-level access; and boundary controls between the charity's network and the payment-card environment, particularly where the donation gateway is integrated into the website.
The first scan in a CE Plus engagement reveals the gap between what the IT provider manages and what the assessor will sample.
A pattern that turns up regularly across charity engagements: the CRM is on a vendor release that was superseded several months ago, with a fix for a known high-severity vulnerability that the charity never applied because the upgrade required scheduling around the fundraising calendar and nobody owned the calendar. The IT provider applied OS patches and treated the charity as patched. The application-layer gap sat outside the IT provider's scope until the assessor's report landed.
The fix is operational, not confrontational. The IT provider retains the desktop and Microsoft 365 work. The CE Plus assessor and the charity agree the application-layer remediation owner for each finding. The CEO or operations director makes the operational call on the CRM upgrade scheduling around the fundraising calendar. The certificate issues once the gap closes.
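As an added illustration of the OS-versus-application patching gap described above (example code written for this page, not code from the original article or from NetSec), a small Python checker that applies the scheme's 14-day window per layer and per remediation owner. The asset names, owner labels and dates are constructed sample data; severity thresholds and the `Finding` record are assumptions of the example, not scheme definitions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14                  # scheme window for high/critical fixes
IN_SCOPE_SEVERITIES = ("high", "critical")

@dataclass
class Finding:
    asset: str
    layer: str                          # "os", "application" or "firmware"
    owner: str                          # who remediates (constructed labels)
    severity: str                       # vendor severity rating
    fix_released: date                  # when the vendor made the fix available
    fix_applied: Optional[date]         # None while the fix is still outstanding

def days_overdue(f: Finding, today: date) -> int:
    """Days past the window; 0 inside it, if patched in time, or if below the severity bar."""
    if f.severity not in IN_SCOPE_SEVERITIES:
        return 0
    end = f.fix_applied or today        # open findings are measured up to today
    return max(0, (end - f.fix_released).days - PATCH_WINDOW_DAYS)

def open_gaps(findings, today: date) -> dict:
    """Outstanding findings already past the window, grouped by remediation owner."""
    report: dict = {}
    for f in findings:
        late = days_overdue(f, today)
        if f.fix_applied is None and late > 0:
            report.setdefault(f.owner, []).append((f.asset, f.layer, late))
    return report

def layer_status(findings, today: date) -> dict:
    """Per layer, True only when nothing high/critical is open past the window.
    This is the check that separates 'OS patched' from 'patched'."""
    status: dict = {}
    for f in findings:
        ok = not (f.fix_applied is None and days_overdue(f, today) > 0)
        status[f.layer] = status.get(f.layer, True) and ok
    return status

# Constructed sample inventory: the OS layer is current, the CRM is not.
TODAY = date(2026, 6, 1)
SAMPLE = [
    Finding("laptop-fin-01", "os", "it-provider", "high", date(2026, 5, 10), date(2026, 5, 18)),
    Finding("crm-prod", "application", "ops-director", "high", date(2026, 2, 1), None),
    Finding("website-cms", "application", "web-agency", "medium", date(2026, 5, 25), None),
    Finding("fw-perimeter", "firmware", "it-provider", "critical", date(2026, 5, 20), None),
]
```

Running `layer_status(SAMPLE, TODAY)` reports the OS and firmware layers as clean and the application layer as failing, and `open_gaps` names the owner who has to schedule the CRM upgrade.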
How CE Plus and Cyber 365 fit together
A CE Plus certificate is valid for 12 months. The trustee duty and the funder due-diligence cycle are continuous. The donor-data and beneficiary-data confidentiality obligations under UK GDPR are continuous. Those timeframes do not line up with annual certification.
That is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
For a charity operating under trustee duty and funder due-diligence expectations, the combination is the closer fit on the cyber side. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since.
The Danzell assessment platform, introduced in April 2026, made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The continuous-posture expectation that funders and the Charity Commission already implied has now been written into the scheme rules the certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the device count for the charity, the CRM and finance system names, the current patching arrangement, whether multi-factor authentication is enabled across all accounts including trustee and director accounts, and the funder deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the charity wants the year-round discipline added, the Cyber 365 programme alongside it.
For charities with a tight funder deadline, the 4-day fast-track path demonstrates the fast-engagement shape (the same pattern works for non-NHS charities). For charities wanting the full hands-off engagement, the hands-off path covers the broader scope. For charities wanting both the certificate and the year-round discipline wrapped together, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. Most charities qualify. It is between the certified charity and IASME. NetSec does not bundle, broker, or upsell it.
The trustee duty places responsibility on the board for safeguarding the charity's digital assets and the personal data the charity holds. Cyber Essentials Plus produces the dated, externally-verified evidence that the technical controls protecting those assets were in place. Cyber 365 produces the continuous discipline the trustee duty and the funder cycle expect between assessment days.