What Happens If You Fail Cyber Essentials Plus?

CE Plus is the hands-on technical audit where an assessor tests your systems directly, rather than taking your word for it. That means vulnerability scans, MFA verification, patch checks, and firewall configuration testing on actual devices in your environment.
When those tests find something wrong, the question everyone asks is: what happens now?
The short answer: you get a chance to fix it. It's not an instant pass or fail. But the rules around how that works are changing under Danzell (from 27 April 2026), and the margin for error is getting smaller.
How CE Plus testing works
Before getting into what happens when things go wrong, here's what the assessment actually involves. The assessor (that's us, for Net Sec Group clients) runs a series of tests against a sample of your in-scope devices.
External vulnerability scan. A scan of your internet-facing systems to check for known vulnerabilities, open ports, and misconfigured services.
Internal vulnerability scan. A scan of a sample of internal devices to check for missing patches, particularly critical and high-risk vulnerabilities (CVSS 7.0 or above) older than 14 days.
MFA verification. Testing that MFA is genuinely enabled and working on cloud services, not just reported as enabled in the self-assessment.
Configuration checks. Verifying that the secure configuration requirements are met on sampled devices. Default passwords changed, unnecessary services disabled, screen locks active.
Malware protection check. Confirming that antivirus or anti-malware is installed, running, and up to date on sampled devices.
The assessor doesn't test every device; they test a sample. The assumption is that if the sample is compliant, the estate is compliant. Under Danzell, that assumption gets tested harder (more on double sampling below).
What happens when the scan finds something
If the vulnerability scan or any of the configuration checks find a non-compliance, you don't automatically fail on the spot.
You get a remediation window. The assessor tells you what they found. You fix the issue and they retest it. If the fix is confirmed, you pass that element.
The specifics of the remediation window depend on the nature of the finding and (from April 2026) the Danzell rules. But the general principle is the same: findings are flagged, you remediate, the assessor verifies the fix.
That's why our approach at Net Sec Group has always been to support you through the process rather than treat it as a gotcha exercise. We want you to pass, and that is the entire point of the process. If we find a missing patch during the scan, we'll tell you which device, which patch, and what to do about it.
Common findings during CE Plus
The same issues come up repeatedly across the assessments I run.
Missing patches on one or two devices. The main estate is current but a device got missed. A laptop that was off during the last update cycle. A server that doesn't auto-update, or firmware on a firewall that hasn't been touched in months.
MFA not working as expected. MFA is "enabled" in the admin console but conditional access policies have exceptions that bypass it in certain scenarios. Or legacy authentication protocols are still active, allowing sign-in without MFA.
Default credentials still active. A printer, a network switch, or a secondary admin account that nobody changed the password on. These are quick fixes once you know about them.
Unsupported software on a sampled device. A browser extension that's no longer maintained. An old version of Java, or a PDF reader that the vendor stopped updating.
The Danzell changes: what's different from 27 April
Under the Willow question set (current until April 2026), the remediation process has some flexibility. An assessor might record a non-compliance without failing the assessment outright, particularly for minor or isolated issues.
Danzell tightens this considerably, with several key changes:
Automatic failure for 14-day patching
If the vulnerability scan finds a critical or high-risk patch (CVSS 7.0 or above) that's been available for more than 14 days and isn't applied, this is expected to be an automatic failure with no assessor discretion. The patch was available, the 14-day window passed, the device wasn't updated, and the assessment fails.
This is the single biggest change for CE Plus clients. Under Willow, an assessor might have noted the issue and given you a chance to fix it before issuing the certificate. Under Danzell, the failure triggers the formal remediation process, including the possibility of double sampling.
Double sampling for internal vulnerability scans
This is the mechanism that makes the 14-day rule serious. Here is how it works in practice:
First sample. The assessor scans a random sample of internal devices. If everything's patched, you pass this element.
First sample fails. The scan finds one or more devices with critical or high-risk vulnerabilities older than 14 days.
Second sample triggered. The assessor selects a second random sample of the same size from the remaining devices in scope. You get a maximum of three days' notice before the second scan happens.
Single 30-day remediation window. You have 30 days to remediate the vulnerabilities found in both samples. You get one 30-day window covering everything, not 30 days per sample.
Second sample has any vulnerabilities? The assessment fails and IASME will revoke your basic CE certificate (VSA). The second sample is the verification that your entire estate is patched, not just the devices from the first sample. Any vulnerabilities found means the assessment fails.
No third sample. And if the assessment fails, data from the failed process cannot be reused. A fresh start means a new VSA and a new 90-day window.
What this means in practice. If you've got 200 devices in scope and the first sample of 20 turns up a missed patch, remediation must be applied across the entire estate, not just the 20 devices that were sampled. The second sample of 20 will be drawn from the remaining 180. You won't know which 20 until it happens. If your patching is inconsistent, double sampling will catch it.
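To put numbers on the 200-device scenario above, here is an added example (not from the original article, and not a Net Sec Group tool) that models the two samples as random draws without replacement, so the pass probabilities follow the hypergeometric distribution. The estate size, sample size and the number of devices carrying an overdue critical patch are constructed inputs, and the example assumes the assessor samples uniformly at random.

```python
from math import comb

def p_sample_clean(estate, overdue, sample_size):
    """Probability that a random sample of `sample_size` devices drawn from an
    estate of `estate` devices contains none of the `overdue` devices
    (hypergeometric distribution, zero 'successes')."""
    if sample_size > estate or overdue > estate:
        raise ValueError("sample and overdue count must fit inside the estate")
    if overdue > estate - sample_size:
        return 0.0  # too few clean devices to fill the sample: a hit is certain
    return comb(estate - overdue, sample_size) / comb(estate, sample_size)

def p_second_clean_after_spot_fix(estate, overdue, sample_size):
    """Probability the second sample passes, given the first sample failed,
    if the organisation patches ONLY the devices the first scan flagged.
    The second sample is drawn from the devices not in the first sample,
    which still contain the overdue devices the first scan did not see."""
    p_first_fail = 1.0 - p_sample_clean(estate, overdue, sample_size)
    if p_first_fail == 0.0:
        return 1.0
    total = 0.0
    for k in range(1, min(overdue, sample_size) + 1):
        # P(first sample contains exactly k overdue devices)
        p_k = (comb(overdue, k) * comb(estate - overdue, sample_size - k)
               / comb(estate, sample_size))
        # remaining pool: estate - sample_size devices, overdue - k still unpatched
        total += p_k * p_sample_clean(estate - sample_size, overdue - k, sample_size)
    return total / p_first_fail

def double_sampling_odds(estate, overdue, sample_size):
    """Summarise the outcomes that matter under the Danzell double-sampling rule."""
    return {
        "first_sample_clean": p_sample_clean(estate, overdue, sample_size),
        "second_clean_if_only_flagged_fixed":
            p_second_clean_after_spot_fix(estate, overdue, sample_size),
        # Patching the whole estate inside the 30-day window leaves nothing to find
        "second_clean_if_whole_estate_fixed": 1.0,
    }

if __name__ == "__main__":
    # Constructed scenario: 200 devices in scope, samples of 20, and an assumed
    # 10 devices carrying a critical patch older than 14 days.
    for key, value in double_sampling_odds(200, 10, 20).items():
        print(f"{key}: {value:.2%}")
```

With 10 of 200 devices overdue, the first sample of 20 is clean only about a third of the time, and fixing just the flagged devices leaves the second sample with similar odds of failing; patching the whole estate is the only input that makes the second draw safe.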
Zero non-compliances expected
It's been indicated that CE Plus assessments under Danzell should show zero non-compliances. That was described as always having been the intended expectation, but it wasn't documented. Under Danzell, that expectation is expected to be written down explicitly.
VSA accuracy matters more
Your Verified Self-Assessment (the basic CE questionnaire) must be completed before CE Plus testing starts, and you can't change your answers after the test. The CE Plus audit is a verification of what you said in the VSA (as noted in the December 2023 posture review).
If the VSA says your patching is within 14 days and the CE Plus scan says it isn't, that's a problem beyond just failing CE Plus. Under Danzell, a failed second sample will result in revocation of the basic CE certificate too, on the basis that the VSA answers were inaccurate.
Fill in the VSA honestly and accurately. If your patching process is mostly within 14 days but you know some devices slip, don't claim 100% compliance. The assessor would rather work with honest answers than discover discrepancies during testing.
What does the remediation process look like?
When the assessor flags a finding, here's the practical sequence:
- You receive a findings report. It lists each non-compliant device or service, the specific issue, and the relevant CE requirement.
- You fix the issues. For missing patches, that means installing them. For MFA gaps, that means enabling it. For configuration issues, that means changing the setting.
- You tell the assessor you're ready. They schedule a retest of the specific items that failed.
- The assessor retests. They check that the fixes are in place and working.
- You pass (or the remediation window continues). If everything is fixed, the assessment proceeds. If not, you've still got time within the 30-day window.
The 30-day window applies to the full remediation cycle. If you fix everything in three days, the assessor retests in three days. You don't have to use the full 30 days.
What if you can't fix something within 30 days?
If a finding requires replacing hardware, deploying new software across a large estate, or waiting for a vendor to release a specific fix, 30 days might not be enough.
In that scenario, talk to your assessor. The options depend on the specific situation, but they might include:
- Documenting a compensating control (isolating the device, adding monitoring)
- Adjusting your scope to exclude the problematic system (only if it's genuinely justifiable under the scope rules)
- Pausing the CE Plus assessment and restarting when the issue is resolved
None of these options are guaranteed to work. The assessor has to make a judgement call. But the worst thing you can do is sit on the problem in silence until the 30-day window closes.
Can you fail CE Plus but keep basic CE?
Yes, because CE Plus and basic CE are separate certifications with separate certificates. Failing CE Plus doesn't automatically revoke your basic CE.
But there's a nuance under Danzell that matters here. If the CE Plus audit reveals that your VSA answers were wrong (not just slightly optimistic, but factually inaccurate), that calls into question the validity of the basic CE certification. In that scenario, the basic certificate could be revoked.
The practical protection against this: fill in the VSA honestly.
How to avoid failing CE Plus
The best CE Plus preparation is genuine compliance, not assessment preparation.
Patch everything within 14 days, not just laptops. Servers, firewalls, routers, cloud services, mobile devices. The scan will find the ones you forgot. Under Danzell, one missed critical patch older than 14 days is an automatic failure.
Verify MFA actually works. Don't just check the admin console. Try signing in without MFA and confirm it blocks you. Check that legacy authentication protocols are disabled. Check that conditional access policies don't have exceptions that bypass MFA.
Know your scope. Every device and cloud service in your scope needs to be compliant. If you're not sure whether something is in scope, it probably is. Check the Danzell scope rules if you're assessing after April 2026.
Check before the assessor does. Run your own vulnerability scan before the official assessment. Free tools exist for exactly this purpose. Find the problems yourself so there are no surprises when the assessor scans.
Be honest in the VSA. The CE Plus audit is a verification of your self-assessment answers. If your answers are accurate, the audit confirms them. If they're not, the audit exposes them. The assessor isn't trying to catch you out. They're checking whether reality matches what you said.
Test your own defences first. Run an internal vulnerability scan before the official audit. Use an NCSC-approved Cyber Essentials authorised scanner, which will show you exactly what the assessor's scan will find. Our CE Plus Pre-Assessment service can do this for you. Every finding you fix before the audit is one less thing to remediate afterwards. Most organisations that sail through CE Plus without any findings did their own scan first and fixed everything it flagged.
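As an added example of the "check before the assessor does" advice (not code from the original article or from Net Sec Group), this script applies the Danzell 14-day rule to your own scan output: high-risk findings (CVSS 7.0 or above) whose patch has been available for more than 14 days are already an automatic failure, and the rest are sorted by whether they will cross that line before the assessor's scan date. The findings, device names and dates are constructed; a real run would read them from your scanner's export.

```python
from datetime import date

HIGH_RISK_CVSS = 7.0      # "critical or high-risk": CVSS 7.0 or above
PATCH_WINDOW_DAYS = 14    # patches must be applied within 14 days of release

# Constructed sample scan output, not real findings:
# (device, vulnerability id placeholder, CVSS base score, date the patch became available)
SCAN_FINDINGS = [
    ("LAPTOP-07",   "VULN-A", 9.8, "2026-05-01"),
    ("FW-EDGE-01",  "VULN-B", 7.5, "2026-05-25"),
    ("PRINT-02",    "VULN-C", 5.3, "2026-03-15"),
    ("SRV-FILE-01", "VULN-D", 8.1, "2026-06-02"),
]

def days_overdue(patch_available_iso, on_date_iso):
    """Days beyond the 14-day window on the given date; zero or negative means
    the patch is still inside the window (exactly 14 days is not yet 'older than')."""
    available = date.fromisoformat(patch_available_iso)
    on_date = date.fromisoformat(on_date_iso)
    return (on_date - available).days - PATCH_WINDOW_DAYS

def classify_findings(findings, scan_date_iso, assessment_date_iso):
    """Return (auto_fail, will_fail): high-risk findings that already breach the
    14-day rule on your own scan date, and those that will breach it by the
    assessor's scan date if nothing is done. Lower-scored findings are skipped
    because the automatic-failure rule does not apply to them."""
    auto_fail, will_fail = [], []
    for device, vuln, cvss, available in findings:
        if cvss < HIGH_RISK_CVSS:
            continue
        if days_overdue(available, scan_date_iso) > 0:
            auto_fail.append((device, vuln))
        elif days_overdue(available, assessment_date_iso) > 0:
            will_fail.append((device, vuln))
    return auto_fail, will_fail

if __name__ == "__main__":
    failing, pending = classify_findings(SCAN_FINDINGS, "2026-06-05", "2026-06-20")
    print("Already an automatic failure:", failing)
    print("Will cross the 14-day line before the assessment:", pending)
```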
What about the cost?
CE Plus failure doesn't mean paying for an entirely new assessment. The remediation retest is part of the process. You fix the findings, the assessor retests the affected areas, and if they pass, the certificate is issued.
Where it costs you is time and scheduling. If you've got a client requirement or a contract deadline, a failed CE Plus audit adds days or weeks to your timeline. Double sampling under Danzell makes this worse because both samples have to pass within the same 30-day window, and that window sits inside the 90-day CE Plus deadline.
If the assessment fails entirely, you can't carry anything forward. Data from a failed CE Plus process cannot be reused in a new engagement. That means fresh scans, fresh samples, fresh everything. For organisations on government contracts where CE is a requirement, that gap could have real consequences.
The organisations that handle this well are the ones that build remediation time into their planning. Don't schedule your CE Plus audit the week before a contract deadline. Leave at least two weeks of buffer after the expected audit completion date.
The honest assessment
CE Plus failure is less dramatic than most people expect. You get a findings report, a remediation window, and a retest. Most organisations that fail on specific points fix them within days and pass on the retest.
The organisations that struggle are the ones with systemic problems, not isolated findings. If your patching process doesn't exist, you'll fail on multiple devices and double sampling will confirm it's a widespread issue. If MFA is only turned on for some accounts, the audit will find the gaps.
But if you're generally doing the right things and the assessment finds one or two items you missed, that's normal. Fix them, retest, and the certificate gets issued. The vast majority of organisations that go through this process end up with a stronger security posture afterwards, which is the entire point of the exercise.
If you want to check your readiness before committing to a CE Plus assessment, get in touch or take our readiness quiz. You can also see our CE Plus assessment options on the website.