Cyber Essentials Renewal: What You Need to Know

Your Cyber Essentials certificate is valid for 12 months. Not 13 and not "roughly a year." Twelve months from the date printed on the certificate. When it expires, everything attached to it is gone. The certification, the badge on your website, the line on your tender responses, and the £25,000 of free cyber insurance that came with it.
Most organisations treat their first CE assessment as a project. They prepare for it, they allocate time and budget, someone owns it, and it gets done. The renewal, for some reason, gets treated as an afterthought. I've had clients ring me six days before expiry asking if we can turn it around. We can (our fast-track turnaround is 12 hours for CE Basic), but it shouldn't come to that. The assessment is the same difficulty whether you start preparing six weeks early or six days early. The only difference is how much stress you're under.
If you're approaching your first renewal, or if you've let one lapse and you're coming back, here's how the process works and where people get caught out.
When should you start preparing?
Six to eight weeks before your certificate expires. That's the window I'd recommend for most organisations.
The assessment itself doesn't take long to complete. CE Basic is a self-assessment questionnaire, and if your controls are in order, you can complete it in a day. CE Plus includes hands-on technical testing and takes three to five days. But the work happens before the assessment, not during it. You need time to audit your current setup, fix anything that's drifted, and confirm everything still meets the standard.
Six weeks gives you enough room to find problems, fix them, and get assessed without rushing. If you leave it until two weeks before expiry and discover your patching is three months behind, you don't have time to fix that and get certified before the certificate runs out.
Here's a rough timeline:
| Weeks before expiry | What to do |
|---|---|
| 6-8 weeks | Audit scope, check patching, review MFA, identify gaps |
| 4-6 weeks | Fix identified issues, update documentation |
| 2-4 weeks | Book your assessment, complete the questionnaire |
| Assessment week | Submit, respond to assessor queries, receive certificate |
We turn around CE Basic assessments in 48 hours as standard (12 hours on fast track) and provide quotes within 24 hours. But that's the assessment itself, and the preparation is on you.
What's the renewal assessment like?
It's the same as the first time around. There's no simplified renewal form, no abbreviated version, no "just confirm nothing's changed" option. You're actually starting the process from scratch. You complete the full self-assessment questionnaire against whatever version of the requirements is current at the time of your renewal.
That last point is the one that catches people. When you first certified, you met the requirements as they stood at that date. When you renew, you meet the requirements as they stand on your renewal date. If the requirements have changed, you're assessed against the new version.
This is particularly relevant right now in 2026. The Danzell question set replaces Willow for all new assessments from 27 April 2026. If your certificate expires after that date, your renewal assessment uses Danzell, not Willow.
The underlying requirements document has moved from version 3.2 to version 3.3. The five controls are the same, but the scope rules, cloud service definitions, and MFA expectations have changed. If you passed under Willow a year ago and you're renewing under Danzell, you're not just confirming things are the same. You're meeting a newer, broader standard than before.
The Willow to Danzell transition
If your current certificate was issued under Willow and expires after 27 April 2026, here's what you need to know.
CE certificates issued under Willow remain valid until their printed expiry date. You won't lose your current certificate early. A Willow-issued CE certificate remains valid until 27 October 2026 at the latest (six months after Danzell goes live). CE Plus certificates issued under Willow remain valid until 27 January 2027.
Your renewal will use Danzell. Any new assessment started after 27 April 2026 uses the Danzell question set against v3.3 of the requirements. There's no option to renew under Willow after that date.
The biggest changes for renewal candidates:
Cloud services can no longer be excluded from scope. If you structured your previous scope to leave cloud services outside the boundary, that won't work under Danzell. Microsoft 365, Google Workspace, your CRM, your accounting platform, cloud-based project management tools. If it holds your data and you log into it with an account, it's in scope.
MFA on cloud services is a hard requirement. If a cloud service supports MFA and you haven't enabled it, you fail. There is no assessor discretion on this point. Under Willow, there was some room for interpretation. Under Danzell, the requirement is binary with no middle ground.
Partial scope now needs explicit justification from the applicant. If you're using a partial scope (not all of your IT infrastructure is included in the assessment), you'll need to explain to the assessor why those exclusions are justified. Under Willow, you could declare a partial scope without much challenge. That approach has changed significantly under Danzell.
Individual certificates per legal entity are now expected. It's been indicated that under Danzell, each legal entity within a group needs its own certificate. If your organisation has multiple legal entities and previously certified them under a single assessment, check whether that approach still works with your assessor.
Where do organisations fail at renewal?
I've certified over 800 organisations across every sector. The renewal failures follow the same patterns year after year.
Patch management drift. This is the number one cause. At the time of the first assessment, patching was up to date. Over the following 12 months, it slipped. The IT team got busy, the MSP changed their schedule. A few updates caused problems so someone paused automatic updates and forgot to turn them back on. By renewal time, devices are 60 to 90 days behind on critical patches.
The requirement is 14 calendar days, counted from the date the vendor releases the fix, for anything with a CVSS v3 base score of 7.0 or above. That hasn't changed between Willow and Danzell. But if your patching was tight a year ago and nobody's been monitoring it since, you'll discover the gap at the worst possible time.
The difference between a stressful renewal and a straightforward one often comes down to whether someone was monitoring patching between assessments or just assuming it was happening. A fortnightly vulnerability scan catches drift as it occurs, not 12 months later. The guide on why auto-updates aren't enough explains what ongoing scanning involves and how it turns renewal into a confirmation rather than a discovery.
Cloud scope creep. Your organisation adopted two new cloud services since the last assessment. A new project management tool and a shared file storage platform. Nobody thought to check whether MFA was enabled or whether the service met the CE configuration requirements. Under Danzell, cloud services can't be excluded, so any new service adopted since your last assessment is automatically in scope.
MFA not enabled on new services. Related to scope creep. Someone set up a new tool, the onboarding process didn't include turning on MFA, and now there's a cloud service in scope without multi-factor authentication. For renewal under Danzell, this is an automatic failure.
Forgotten devices. A server that nobody actually logs into but still connects to the internet. A test laptop in a cupboard that hasn't been updated in months. A router at a branch office that's still on factory firmware. If the device is powered on and connected, it's in scope. The devices that get forgotten between assessments are the ones that fail.
Staff changes. The person who handled the first assessment has left. The new person doesn't know what was in scope, what the configuration documentation said, or where the MFA records are kept. If there's no handover and no documentation, the renewal process starts from scratch.
How is renewal different from the first time?
The assessment is identical, but the preparation is different.
First-time candidates are usually building controls from scratch or formalising controls they already had in place informally. They're making conscious decisions about scope, documenting configurations for the first time, and turning on MFA across their cloud services.
Renewal candidates should already have all of that in place. The preparation work is about confirming things haven't drifted, not about building from the ground up. In theory, that should make renewal easier. In practice, it often isn't, because things drift more than people actually expect over 12 months.
The question I'd ask yourself: could an assessor walk in today and find everything the same as (or better than) last time? If the answer is yes, renewal is quick. If the answer is "I think so but I'm not sure," that uncertainty is exactly why you should start six weeks early.
Insurance and renewal
The CE scheme includes up to £25,000 of free cyber insurance for eligible organisations with turnover under £20 million. That insurance cover runs with your certificate, so when the certificate expires the insurance expires with it.
When you renew and receive a new certificate, a new insurance policy activates. You should notify your insurer within 30 days of receiving your new certificate to make sure the coverage is properly recorded.
If you let your certificate lapse, you lose the insurance cover during the gap. If an incident occurs between your old certificate expiring and your new one being issued, you're not covered. That's a risk that's easy to eliminate by renewing before expiry, not after.
If your organisation also holds separate cyber insurance (beyond the free £25,000 included with CE), check whether your policy requires CE certification as a condition. Some insurers offer premium reductions of 5-15% for CE holders. Letting the certificate lapse could affect those terms.
CE Plus renewal specifics
CE Plus renewal follows the same principle: full assessment against the current version of the requirements. But there are additional considerations worth knowing about.
The Verified Self-Assessment (VSA) comes first. You complete the CE Basic self-assessment questionnaire and it's verified before CE Plus testing begins. Your answers in the VSA can't be changed after CE Plus testing starts. If the VSA says your patching is within 14 days and the CE Plus scan finds a device 30 days behind, that's a failure and a credibility problem.
Double sampling under Danzell. This is new and it matters. If the first internal vulnerability scan finds unpatched critical or high-risk vulnerabilities older than 14 days, a second random sample of the same size is taken from your remaining devices. The assessor selects the second sample, not you, with a maximum of three days' notice. Both samples must pass within a single 30-day remediation window. If the second sample also has unpatched vulnerabilities older than 14 days, the assessment fails. There's no third sample.
The purpose of double sampling is to catch organisations that patch the devices they expect to be sampled but leave the rest. If you've got 200 devices in scope and your first sample of 20 turns up a missed patch, the second sample of 20 comes from the other 180. You don't get to choose which 20.
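The two checks this article keeps returning to, the 14-day rule for CVSS 7.0+ fixes under "Patch management drift" above and the CE Plus double-sampling rule just described, as an added worked example. This is not Net Sec Group's tooling and not anything published by the scheme. It assumes a scan export in the four-column CSV shape shown (hostname, finding, cvss, fix_released), a hand-maintained scope list, a fixed reference date, and an inclusive reading of "within 14 days" (day 14 passes, day 15 breaches); the assessor's selection is modelled with a pluggable `pick` function (`random.Random.sample` in practice), and the "remediate" outcome is this example's reading of the 30-day window. All hostnames and findings are constructed.

```python
"""Patch-age check for the Cyber Essentials 14-day rule, plus a simulation of the
CE Plus double-sampling rule. Added example with constructed data; not scheme tooling."""
import csv
import io
import random
from datetime import date

WINDOW_DAYS = 14        # fix applied within 14 days of the vendor releasing it
CVSS_THRESHOLD = 7.0    # CVSS v3 base score 7.0+ (high/critical)
REFERENCE_DAY = date(2026, 2, 16)   # assumed "today" for the scan below

# Constructed scope list: the devices you declared in scope.
SCOPE_HOSTS = {
    "LAPTOP-01", "LAPTOP-02", "LAPTOP-03", "LAPTOP-04", "LAPTOP-05",
    "SRV-FILE-01", "SRV-TEST-01", "BRANCH-RTR-01",
}

# Constructed scan export (not real scan output). fix_released is the date the
# vendor published the patch that closes the finding. OLD-LAPTOP-09 is deliberately
# absent from SCOPE_HOSTS to model the forgotten-device case.
SCAN_CSV = """hostname,finding,cvss,fix_released
LAPTOP-01,Browser update missing,9.8,2026-01-20
LAPTOP-01,Office add-in update,5.3,2026-01-02
LAPTOP-02,OS cumulative update,7.5,2026-02-01
LAPTOP-03,PDF reader update,4.0,2025-11-01
LAPTOP-05,OS cumulative update,7.5,2026-02-02
SRV-FILE-01,Firmware update,8.1,2025-12-15
SRV-TEST-01,OS cumulative update,7.0,2025-10-30
BRANCH-RTR-01,Router firmware,7.2,2026-02-10
OLD-LAPTOP-09,OS cumulative update,7.5,2025-09-01
"""


def parse_scan(csv_text):
    """Parse the assumed CSV shape into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "hostname": r["hostname"],
            "finding": r["finding"],
            "cvss": float(r["cvss"]),
            "fix_released": date.fromisoformat(r["fix_released"]),
        })
    return rows


def overdue_findings(rows, today, window_days=WINDOW_DAYS, threshold=CVSS_THRESHOLD):
    """Return {hostname: [finding, ...]} for high/critical fixes older than the window.
    Day 14 counts as inside the window; day 15 is a breach (assumed inclusive reading)."""
    breaches = {}
    for r in rows:
        age = (today - r["fix_released"]).days
        if r["cvss"] >= threshold and age > window_days:
            breaches.setdefault(r["hostname"], []).append({**r, "age_days": age})
    return breaches


def unscoped_hosts(rows, scope_hosts):
    """Hosts seen by the scanner but missing from the scope list (forgotten devices)."""
    return sorted({r["hostname"] for r in rows} - set(scope_hosts))


def double_sample(scope_hosts, breaches, sample_size, pick):
    """Simulate the double-sampling rule. pick(population, k) models the assessor's choice.
    Outcomes: 'pass' (first sample clean), 'remediate' (first sample had overdue fixes,
    second sample clean: fix and re-test inside the 30-day window), 'fail' (both had
    overdue fixes). The second sample never overlaps the first."""
    population = sorted(scope_hosts)
    first = sorted(pick(population, min(sample_size, len(population))))
    first_bad = [h for h in first if h in breaches]
    result = {"first_sample": first, "first_bad": first_bad,
              "second_sample": None, "second_bad": None}
    if not first_bad:
        result["outcome"] = "pass"
        return result
    remaining = [h for h in population if h not in first]
    second = sorted(pick(remaining, min(sample_size, len(remaining))))
    second_bad = [h for h in second if h in breaches]
    result.update(second_sample=second, second_bad=second_bad,
                  outcome="fail" if second_bad else "remediate")
    return result


def renewal_check(today=REFERENCE_DAY, csv_text=SCAN_CSV, scope_hosts=SCOPE_HOSTS,
                  sample_size=2, seed=None):
    """Run the whole pre-renewal check; seed fixes the simulated assessor's choice."""
    rows = parse_scan(csv_text)
    breaches = overdue_findings(rows, today)
    rng = random.Random(seed)
    return {
        "breaches": breaches,
        "unscoped": unscoped_hosts(rows, scope_hosts),
        "sampling": double_sample(scope_hosts, breaches, sample_size, rng.sample),
    }


if __name__ == "__main__":
    report = renewal_check(seed=1)
    for host, items in sorted(report["breaches"].items()):
        for f in items:
            print(f"OVERDUE {host}: {f['finding']} (CVSS {f['cvss']}, {f['age_days']} days since fix)")
    print("Scanned but not in scope list:", report["unscoped"])
    print("Sampling:", report["sampling"])
```

Run it fortnightly against your real scan export and an up-to-date scope list, and the renewal becomes a confirmation: the OVERDUE lines are what an assessor's first sample could hit, the unscoped list is the "forgotten devices" failure mode, and any outcome other than "pass" on the simulated sampling tells you the estate is not uniformly patched, which is exactly what the second sample exists to detect.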
VSA accuracy matters more than ever. It's been indicated that if the second sample shows your 14-day patching claim doesn't hold across the estate, the VSA itself could be revoked. That's a serious outcome, so fill in the VSA honestly. If your patching isn't consistent across every device, fix it before you submit.
Staying compliant between assessments
The best way to make renewal easy is to not let things drift in the first place. That sounds obvious now; twelve months from now, it won't feel obvious.
Set a recurring calendar reminder. Eight weeks before your certificate expiry date, trigger the preparation process. Don't rely on someone remembering to start the process.
Monitor patching at least monthly, and ideally fortnightly, since the window you have to stay inside is 14 days. You don't need to do a full audit every time. You need someone checking that automatic updates are running, that nothing's been paused, and that your devices are within the 14-day window for critical and high-risk patches.
Review cloud services quarterly. Every time your organisation adopts a new cloud tool, add it to your scope list and check that MFA is enabled. This takes five minutes if you do it regularly. It takes days if you wait until assessment time and discover three services you didn't know about.
Document staff changes. When someone leaves, disable their account. When someone joins, make sure their device meets the standard and their access is appropriate. When the person responsible for CE compliance changes role, make sure there's a proper handover.
Keep your scope description current. If you've added a new office, adopted new technology, or changed how your team works, your scope may have changed. Don't wait until renewal to discover your scope description no longer matches reality.
Net Sec Group offers ongoing monitoring and managed compliance as part of our Cyber365 service, which covers vulnerability scanning, patching, and endpoint detection alongside CE and CE Plus certification. If maintaining compliance between assessments is something you'd rather not manage internally, that's what it's for.
Key dates
| Date | What happens |
|---|---|
| 27 April 2026 | Danzell mandatory for all new assessments |
| 27 October 2026 | Last possible validity date for Willow CE certificates |
| 27 January 2027 | Last possible validity date for Willow CE Plus certificates |
Your renewal date is 12 months from when your current certificate was issued. Check that date now: if it falls after 27 April 2026, you'll be assessed under Danzell.
What to do right now
Check your certificate expiry date and set a reminder for eight weeks before it. Between now and then, keep your patching on schedule, MFA on everything, and your scope documentation current. When the eight-week reminder fires, run through the preparation steps and book your assessment.
Renewal is not harder than the first time. It just requires you to treat it with the same seriousness. The organisations that struggle at renewal are the ones that assumed nothing would change in 12 months, and something always changes.
Related articles
- Cyber Essentials v3.3: What the Danzell Update Changes
- Cyber Essentials Plus Second Sample Rule Under Danzell
- 14-Day Patching: What the Requirement Actually Means
- Danzell vs Willow: What Changed
- Can AI Actually Do a Pen Test?
Related Guides
Cyber Essentials Plus in 5 Days: NHS Wales Contractor Case Study
How Net Sec Group delivered Cyber Essentials and CE Plus certification to an NHS Wales contractor in 5 days to meet a contract deadline. The full process from scoping to certification.
How Long Does a Cyber Essentials Plus Assessment Take?
CE Plus testing takes 1-3 days depending on your sample size. But the timeline starts at basic CE and has mandatory windows you can't compress.
Cyber Essentials Plus Assessment Process: What Actually Happens
Five test cases, a sampling methodology, and a 30-day remediation window. Here's what the CE Plus assessment covers and what to expect.