Cyber Security for UK Charities 2026: What the Annual Return Asks
The 2026 Charity Commission annual return asks about cyber. NCSC Cyber Essentials, free guidance, and a 5-step plan for small UK charities.
Cyber Security for UK Charities 2026: What the Annual Return Asks
The 2026 Charity Commission annual return added explicit cyber security questions. What they ask, what NCSC Cyber Essentials covers, and a free 5-step plan for small UK charities — most of it free.
Last reviewed: 10/06/2026 · By Ivan Siyanko, CEO, CharityIQ.
TL;DR. The 2026 annual return added new questions on cyber incidents and cyber security policy. The NCSC provides free, charity-specific guidance. Cyber Essentials (£300-£500/yr) is the UK government-backed certification.
Why the Charity Commission added these questions
Three pressures: (1) sector incident data — rising serious incident reports for cyber; (2) funder due diligence — major UK funders increasingly ask about cyber posture; (3) regulatory expectation — ICO guidance under UK GDPR Article 32.
The 2026 annual return doesn’t expect ISO 27001. It expects you to have thought about cyber and answer three honest questions.
What the 2026 annual return asks
- Has the charity experienced any cyber incidents during the year?
- Does the charity have a cyber security policy?
- Has the charity considered cyber risks as part of its overall risk register?
Honest answers, including “no, but we’re working on it”, are accepted.
What “cyber” means for a small charity
Five things matter most: 1. Email security — most cyber incidents start with phishing. 2. Account access — strong passwords, MFA, no shared accounts. 3. Data backup — regular, tested. 4. Software patching. 5. Beneficiary and donor data protection — UK GDPR overlaps (see our GDPR checklist).
If your charity has these basics, you’re in the top 30% of small UK charities for cyber posture.
NCSC’s free guidance
The NCSC publishes a Small Charity Guide for charities up to 250 employees. Covers: backups, malware protection, smartphones, passwords, phishing.
Plus the Cyber Action Toolkit — bite-sized actions, ~5 minutes each.
For charities under 250 employees: free 30-minute consultation with a Cyber Advisor. Genuinely free, genuinely useful. Start here, not with paid consultancy.
Cyber Essentials — what it is and whether you need it
Cyber Essentials is UK government-backed certification covering five technical controls: firewalls, secure configuration, access control, malware protection, patch management.
Two levels: Cyber Essentials — self-assessment (£300-£500/yr); Cyber Essentials Plus — hands-on verification (£1,500-£3,000/yr).
Get it if: funder asks (many UK funders now require), you process sensitive data (safeguarding, mental health, asylum), you apply to public sector contracts. Otherwise: NCSC Small Charity Guide alone may be enough.
NCSC has run funded Cyber Essentials programmes covering certification cost for specific charity sectors. Check NCSC’s funded programmes.
From CharityIQ. CharityIQ tracks your charity’s cyber posture against NCSC’s small charity standards — incident log, policy version, training records. See compliance →
5-step cyber plan for the next quarter
90 days, under £200 spent (often free).
Week 1-2 — Audit and policy. Inventory your IT (devices, accounts, software, cloud). Adopt or update a cyber policy (1-2 pages). Add cyber to your risk register.
Week 3-4 — Email and accounts. Enable MFA on email, banking, payroll, CRM. Audit dormant accounts. 30-minute staff phishing briefing.
Week 5-6 — Data and backups. Test restore from backup to separate location. Patch operating systems, browsers, plugins. Document data flows (feeds UK GDPR ROPA).
Week 7-10 — Specific actions. Decide on Cyber Essentials. Run phishing simulation (educational, not punitive). Update sub-processor list. Set up incident response procedure.
Week 11-13 — Review. 15-minute trustee briefing. Tabletop exercise: “Suppose someone pays a fake invoice. What happens?” Document everything.
Common mistakes
1. Shared accounts — “easier” but breaks audit trail. 2. No MFA on banking — highest-risk gap; enable today. 3. Ageing software — Windows 7 still in use, plugins out of date. 4. No backup test — backups that haven’t been tested aren’t backups. 5. Phishing not trained — “common sense” isn’t enough. 6. Trustee oversight at zero.
FAQ
Q: Charities really targeted? Yes — soft targets with valuable data. Q: How much budget? £300-£1,500/yr covers most needs for small UK charity. Q: Volunteer training? Anyone with system access. Q: If we have an incident? Contain (disconnect, change passwords), report (insurance, IT provider), decide if Charity Commission serious incident or ICO breach. Don’t hide. Q: Cyber vs GDPR? Cyber covers technical/procedural protection; GDPR covers what you do with personal data legally. Often overlap. Q: UK charity-specific tools? NCSC free tools are charity-specific.
What to do this week
1. Read the NCSC Small Charity Guide. 2. Enable MFA on email and banking. Lowest-effort, highest-impact change. 3. Schedule 15-minute trustee briefing for next board meeting.
Cyber + GDPR + governance, in one place. Start a free 14-day CharityIQ trial. Join Waitlist →
Written by Ivan Siyanko, founder of CharityIQ.
Related: Annual Return 2026 · UK GDPR Checklist · Trustee Duties
Sources: NCSC Small Charity Guide · Cyber Essentials · gov.uk — Protect your charity · ICO — Security of processing