Cyber Essentials Plus for UK Tech and SaaS Companies: B2B Customer Cyber Reviews, SOC 2 Adjacency, and the Multi-Tenant Cyber Expectation
UK tech and SaaS companies face cyber due diligence from every B2B customer that runs enterprise procurement. SOC 2 is the global default for North American enterprise buyers. Cyber Essentials Plus is the UK-anchored evidence that opens UK enterprise procurement, public-sector procurement, and UK regulated-industry contracts. The multi-tenant SaaS cyber expectation makes both standards more important than they would be for a single-tenant business, because a control failure affects every customer simultaneously.
What follows is what B2B customers actually ask for, where CE Plus and SOC 2 sit relative to each other, what the multi-tenant cyber picture looks like in CE Plus terms, and how a UK SaaS company with cloud infrastructure and a developer team clears the assessment.
How CE Plus and SOC 2 sit relative to each other
SOC 2 is the global SaaS attestation standard issued under AICPA criteria. SOC 2 Type II is what most North American enterprise customers ask for. The attestation covers the security trust services criterion at a minimum, with optional criteria for availability, processing integrity, confidentiality, and privacy. The audit period typically runs 6 to 12 months with an external auditor.
Cyber Essentials Plus is the UK government scheme covering five technical controls. The certification window is 12 months. The assessment is run by an IASME Certification Body. The external evidence is the assessor's sample report alongside the questionnaire.
The two standards overlap on technical controls. Both expect firewalls, secure configuration, controlled user access, malware protection, and timely patching. SOC 2 goes further on operational discipline (change management, monitoring, incident response, vendor management) under the security criterion. CE Plus stays focused on the five technical controls but applies them across the whole IT estate the firm scopes in.
For UK SaaS companies serving both UK and North American B2B markets, the practical answer is that both standards apply to different procurement contexts. SOC 2 closes the North American enterprise procurement question. CE Plus closes the UK enterprise procurement, UK public sector, and UK regulated-industry question. Holding both is the strongest position. Holding only one is weaker than necessary for a SaaS company with mixed geographic customers.
A UK SaaS company holding CE Plus has the UK-anchored cyber-controls evidence. A UK SaaS company holding SOC 2 alone has the North American evidence but may face friction in UK enterprise procurement, particularly in public sector and regulated industries that name CE or CE Plus by default.
What B2B customer cyber due diligence wants
Enterprise B2B customers running cyber due diligence on their SaaS suppliers run a structured questionnaire. The questions on it have settled into a recognisable pattern across the engagements we have run.
The certificate question always sits at the top. The questionnaire wants the names and current expiry dates of cyber security certifications the supplier holds, with Cyber Essentials Plus, SOC 2, ISO 27001, and HIPAA-readiness (for US healthcare-adjacent customers) as the most-named items. A current CE Plus answers the UK-anchored portion of this question in one line.
After the certificate comes multi-factor authentication. The questionnaire wants confirmation that MFA is enabled on every account with access to customer data, including operational team accounts and any privileged developer or administrator account. CE Plus assessment day samples the identity layer to confirm what is actually enrolled.
Patching cadence is next. The questionnaire wants to know whether the SaaS supplier holds patches inside the 14-day window across the application infrastructure, the developer laptops, the operational tooling, and the office IT estate. The CE Plus assessment confirms the cadence held in practice across a sample of devices.
The remaining questions move from technical controls into operational governance. The B2B customer wants a named incident-response contact, a documented response process with defined notification thresholds, evidence that the SaaS supplier assesses its own third-party vendors (sub-processors under UK GDPR terminology), data-handling practices, and where the customer data is stored. CE Plus does not directly assess all of these layers. The portions inside CE Plus scope are the cyber-controls layer of the answer. The data-handling, sub-processor management, and storage-location questions sit alongside in the SaaS supplier's broader compliance arrangements.
Where the answers land varies sharply by which certificates the supplier holds. With current CE Plus and SOC 2, the cyber section of due diligence closes on the certificates. With one of the two, parts of it close depending on the customer's geography. With neither, the supplier faces a long-form security audit, often on a deadline that came from the customer's procurement rather than from the supplier's roadmap.
The multi-tenant cyber expectation
SaaS companies hold customer data on shared infrastructure. A cyber control failure on the shared infrastructure affects every customer simultaneously. This is the structural distinction between SaaS and most other business models.
The implication for the B2B customer running cyber due diligence is that the SaaS supplier's cyber posture is not just about protecting the supplier's own data. It is about protecting every customer whose data sits in the SaaS environment. The customer's interest in the supplier's cyber posture is therefore higher than it would be for a single-tenant supplier.
The implication for the SaaS supplier is that the cyber posture has to be visible, externally evidenced, and continuous. A SaaS company that experiences a cyber incident affecting customer data faces a multi-customer disclosure obligation under UK GDPR, the customer contracts, and the customer's downstream stakeholders. The reputational consequence is multiplied across every customer in the affected scope.
Cyber Essentials Plus addresses the externally-evidenced layer of the cyber posture. The continuous-discipline layer sits in Cyber 365 alongside the certificate. The contractual and disclosure layer sits in the supplier's own legal and customer-success arrangements.
How CE Plus interacts with cloud-hosted infrastructure
UK SaaS companies typically run on hyperscale cloud (AWS, Azure, GCP) for the application infrastructure. The cyber controls then split between the cloud provider's responsibility and the SaaS supplier's responsibility under the cloud provider's shared-responsibility model (per the latest hardening compliance framework update).
The cloud provider is responsible for the security of the cloud (the underlying physical infrastructure, the hypervisor, the network fabric, the cloud-control-plane services). The SaaS supplier is responsible for security in the cloud (the application, the configuration of the cloud services they consume, the identity-layer controls, the access-management approach).
CE Plus scope covers the SaaS supplier's responsibility layer: the application infrastructure within the supplier's control, the configuration of the cloud services the supplier consumes, the identity layer used to access the cloud environment, and the SaaS supplier's own laptops, office IT, and any operational tools used by the team.
The cloud provider's underlying infrastructure sits in the cloud provider's own compliance attestations (AWS SOC 2 Type II, Azure ISO 27001, GCP SOC 2). The B2B customer's due-diligence questionnaire usually accepts those attestations on the cloud provider's portion.
This means CE Plus is the right scope for the SaaS supplier's responsibility layer. The supplier does not need to assess the cloud provider's underlying infrastructure under CE Plus, because that infrastructure sits outside the supplier's control. The supplier does need to assess the configuration of what they consume on top of the cloud provider, including the identity-layer setup, the network configuration the supplier owns, and the operational tooling.
The developer pipeline and laptop estate
The developer laptop estate, the source-code repository, the CI/CD pipeline, and the deployment tooling are where the SaaS-specific gap most often shows up in CE Plus engagements.
A developer laptop with administrative access to production cloud infrastructure is a high-value target. A CI/CD pipeline that deploys code automatically to production with embedded secrets is a high-value target. A source-code repository with credentials embedded in commits is a high-value target. The cyber controls protecting these layers matter for the SaaS company's cyber posture in a way they do not for most non-SaaS companies.
CE Plus assessment day samples the developer laptops alongside the operational team's devices. The assessor confirms that the developer laptops are patched inside the 14-day window, that MFA is enabled on the developer accounts, that malware protection is running, and that the secure configuration controls held. Where the developer team uses BYOD on personal laptops for development work, the BYOD policy and its technical enforcement become a focus of the assessment.
A pattern that turns up regularly across SaaS engagements: developer laptops are on a release of the operating system that was superseded several months ago because the developers prioritised feature work over the upgrade window. The MSP (where the SaaS company has one) covered the office desktops and treated the company as patched. The developer-laptop gap sat outside the MSP's scope until the assessor's report landed.
The fix is operational, not confrontational. The MSP retains the office desktop and Microsoft 365 work. The CE Plus assessor and the head of engineering agree on who owns the developer-laptop remediation. The CTO makes the operational call on scheduling the laptop upgrades around the development calendar. The certificate issues once the gap closes.
How CE Plus and Cyber 365 fit together
A CE Plus certificate is valid for 12 months. SaaS companies ship continuously, with infrastructure changing weekly and the application changing daily. The B2B customer's cyber expectation is for a continuous posture, not an assessment-day posture.
That continuous posture is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
For a UK SaaS company facing continuous B2B customer due diligence and continuous infrastructure change, the combination is the closer fit. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since.
The Danzell assessment platform introduced in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The continuous-posture expectation that B2B SaaS customers already implied has now been written into the scheme rules the certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the company size, the cloud infrastructure (AWS, Azure, GCP, or hybrid), the developer-laptop position (managed vs BYOD), the current patching arrangement, whether multi-factor authentication is enabled across all accounts including developer and administrative accounts, and any B2B customer due-diligence deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the company wants the year-round discipline added, the Cyber 365 programme alongside it.
For SaaS companies wanting both the certificate and the year-round discipline wrapped together, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified company and IASME. NetSec does not bundle, broker, or upsell it.
The multi-tenant SaaS cyber expectation places the responsibility on the company for the cyber posture protecting every customer's data. Cyber Essentials Plus produces the dated, externally-verified evidence that posture was in place on assessment day. Cyber 365 produces the continuous discipline the SaaS shipping cadence requires between assessment days.