9 April 2026
At a Glance
Cyber Essentials version 3.3 introduces stricter requirements around patch management, multi-factor authentication, cloud security and assessment evidence. From April 2026, organisations must demonstrate continuous compliance, including applying critical security updates within 14 days. Businesses that fail to meet these standards risk certification failure, making proactive security management and ongoing vulnerability monitoring increasingly important.
Is your organisation ready for Cyber Essentials v 3.3? Contact Redpalm for an assessment to find out.
What’s Changing in Cyber Essentials, and What Does It Mean For Your Organisation?
IASME has introduced a series of updates to Cyber Essentials, which take effect on April 27, 2026. After this date, all new assessments will be based on Cyber Essentials Requirements for IT Infrastructure version 3.3, also known as Danzell.
These changes do not fundamentally alter the scheme itself. However, they do tighten expectations around how controls are applied, evidenced and maintained. This applies particularly in areas such as patching, MFA and cloud services.
This guide breaks down the new updates to Cyber Essentials and what your organisation must prepare for.
The New 14-Day Patching Rule Explained
A key shift is the move towards defined remediation expectations: Cyber Essentials v 3.3 introduces stricter expectations for patching vulnerabilities, with a 14-day window now expected to be met consistently. Under the April 2026 changes to Cyber Essentials, organisations must install the following within 14 days of release:
- High-risk operating system updates
- Critical application patches
- Firewall firmware updates
- Router firmware updates
- Updates and vulnerability fixes for applications, including associated files and extensions
Failure to meet the 14-day remediation window may lead to automatic failure of the Cyber Essentials assessment.
If patching is not possible, organisations need to ensure that affected systems are segregated and removed from internet exposure.
These Cyber Essentials updates reduce flexibility and place greater emphasis on ongoing control, rather than point-in-time preparation ahead of certification.
For many organisations, this means:
- Less tolerance for inconsistency across systems
- Greater importance on preparation ahead of renewal
- Increased focus on maintaining a continuous state of compliance
In practical terms, environments that are actively managed and monitored will move through certification with significantly less friction than those relying on periodic fixes.
How Redpalm Are Supporting This Transition
We are already working with clients to assess the impact of these changes ahead of renewal, ensuring that any gaps are identified early and addressed in a structured way.
Alongside this, our Vulnerability Management as a Service (VMaaS) provides a continuous operational control layer behind Cyber Essentials.
This includes:
- Ongoing visibility of vulnerabilities across all devices
- Patch validation and remediation tracking aligned to defined timeframes
- Structured reporting to maintain clarity and control
- Alignment with UK security standards beyond certification alone
This approach ensures that compliance is not treated as a one-off exercise, but as something maintained consistently throughout the year.
Full Breakdown of the Changes to Cyber Essentials
Key highlights of the changes to Cyber Essentials from April 2026:
- MFA is mandatory: Multi-factor authentication (MFA) must be enabled for cloud services. A cloud service without MFA can result in an automatic assessment failure.
- 14-day patching rule: All high-risk or critical security updates must be applied within 14 days of release. Updates not applied within that window may result in an automatic assessment failure.
- “Point in time” clarification: Organisations need to ensure their systems are supported at the date of certification, which is the “point in time”.
- Clearer scope requirements: The update reduces ambiguity around scope permissions and exclusions.
- Cyber Essentials Plus requirements: CE+ assessments include additional vulnerability sampling, and amendments to the self-assessment are prohibited once testing has begun.
What To Do Next
No immediate action is required. Your dedicated Client Manager will be in touch ahead of your next renewal to guide you through any required changes.
If your certification is approaching, we recommend allowing additional time for preparation and avoiding assumptions that previous submissions will pass unchanged.
Redpalm’s cyber security experts can help you:
- Assess your current readiness
- Identify compliance gaps
- Implement necessary controls
- Prepare evidence for assessment
- Support Cyber Essentials and Cyber Essentials Plus certification renewal
If you would like a clearer view of your current position or to see how VMaaS supports ongoing compliance, we can arrange a short walkthrough.
Book a Cyber Essentials readiness assessment with us today.
FAQs
When do the new changes to Cyber Essentials come into effect?
The Cyber Essentials changes take effect on April 27, 2026. If your organisation begins certification after this date, you’re likely to complete the assessment using the updated guidance and question set.
Can I fail Cyber Essentials if MFA is not enabled?
Yes, from April 2026, if MFA on a cloud service is not enabled, your CE assessment may automatically fail.
What happens if I miss the 14-day patching window?
If you fail to install high-risk or critical updates within the 14-day window, you risk an automatic failure of your assessment.