Cyber Essentials Renewal UK 2026: Process, Cost & Late-Renewal Rules

Cyber essentials renewal UK 2026: 12-month cycle, when to start, fee tiers, what's changed in Willow, certification check via IASME registry, and what happens if your CE / CE+ lapses.

Last updated: April 2026  |  Reviewed by: Connection Technologies team

Your Cyber Essentials certificate is valid for exactly 12 months from issue. Miss the Cyber Essentials renewal window and you don’t just lose the badge — you lose the right to bid for any UK government contract that mandates active certification, you lose the free £25,000 cyber-liability insurance that comes with whole-organisation scope, and you reset to the start of the assessment process.

This guide covers the full Cyber Essentials renewal process for UK businesses in 2026: when to start, what’s changed since your last assessment, how to handle the Cyber Essentials certification check that procurement teams now run, what to do if you’ve already lapsed, and how to make the next renewal painless.

When to start your Cyber Essentials renewal

IASME issues your certificate on the day you pass. From that date you have 12 months. The realistic timeline:

Window | What to do
Day 1 (cert issued) | Diary the renewal date in your IT calendar. Set a reminder for Day 270 (90 days before expiry).
Day 270 — 90 days before expiry | Run a fresh internal gap analysis. Walk the five controls. Note any drift.
Day 300 — 60 days before expiry | Book your renewal slot with IASME / your assessor. Start any remediation.
Day 330 — 30 days before expiry | Submit the renewal SAQ. This gives you time for the free 48-hour re-submission if you fail.
Day 365 — expiry | Old certificate expires. New one should already be issued.

For Cyber Essentials Plus the timeline starts earlier — at Day 240 — because the audit itself takes 6-12 weeks. See the Cyber Essentials Plus timeline for detail.

What’s changed since your last Cyber Essentials renewal

Cyber Essentials gets revised on a roughly two-year cadence. If you certified before April 2026 you’ll renew under the Willow standard. The big changes since the previous Montpellier release:

  • Vulnerability fix window tightened — high-severity CVEs must be fixed in 5 days (previously 14 for some categories).
  • Passwordless authentication accepted — passkeys and biometric authentication now satisfy Control 3 alongside MFA.
  • AI / LLM tools brought into scope — any AI service handling business data (ChatGPT Enterprise, Copilot for M365, Claude for Work) is in scope as a cloud service.
  • Mobile device management clarified — fully managed corporate devices, BYOD enrolled in MDM and BYOD with conditional access are all explicitly addressed.
  • Sub-set scoping rules tightened — IASME pushes harder for whole-organisation scope, particularly where you want the £25k cyber-liability insurance.

If you certified before April 2024, you’ll also see the Evendine changes that brought cloud services formally into scope and introduced the strict 14-day patching rule.

Cyber Essentials renewal — the practical process

Step 1: re-walk the five controls

Use our Cyber Essentials checklist as your renewal worksheet. The most common drifts in 12 months:

  • New cloud services adopted without MFA (the new AI tool, the new project tool, the new accounting integration).
  • Ex-staff still in M365 / Google Workspace because off-boarding wasn’t always followed.
  • A new device class (Macs, iPads) that wasn’t in scope last time.
  • Patches over 14 days behind on a small subset of devices.
  • A router or firewall that’s reached end of vendor support.
  • Default password on a new piece of hardware (printer, meeting-room device, IoT).

Step 2: log into the IASME portal

Your IASME account holds the previous SAQ. You can clone it as the starting point for renewal. Don’t simply copy-paste — re-read every question against your current estate.

Step 3: pay the renewal fee

The renewal fee is the same as the original assessment fee:

  • Micro (0-9 staff): £300 + VAT
  • Small (10-49 staff): £400 + VAT
  • Medium (50-249 staff): £450 + VAT
  • Large (250+ staff): £500 + VAT

Cyber Essentials Plus renewal pricing depends on the certification body and device count — typically £1,500-£8,000 + VAT. See Cyber Essentials cost for the full breakdown.

Step 4: submit and wait

Standard turnaround is 3 working days for the assessor verdict. If you fail, you have a free 48-hour re-submission window — that’s why submitting 30 days before expiry matters.

Step 5: distribute the new certificate

Update the certificate everywhere it appears: your website footer, supplier portals (Crown Commercial Service, NHS DSP Toolkit, Defra, MoD DCPP), your insurance documents, your tender library. Procurement teams now actively run a Cyber Essentials certification check on the IASME public registry before issuing contracts — make sure your entry is current.

How to do a Cyber Essentials certification check / lookup

The IASME public registry lets anyone verify a UK business’s Cyber Essentials status. The Cyber Essentials lookup process:

  1. Go to the IASME website and open “NCSC Cyber Essentials Search” / “Find a certified company”.
  2. Enter the business name (or registration number for accuracy).
  3. The registry returns: certificate number, certification level (CE or CE+), issue date, expiry date and certifying body.

If you’ve just renewed but the registry still shows the old certificate, allow up to 5 working days for IASME to update — chase your assessor if it’s not live by then.

What happens if you miss your Cyber Essentials renewal

  • Day 1 past expiry: certificate listed as expired on the IASME registry. You can no longer market yourself as Cyber Essentials certified or use the badge.
  • Day 1 past expiry: free £25,000 cyber-liability insurance is no longer in force.
  • Day 1 past expiry: you’re typically non-compliant with any contract that requires “current Cyber Essentials certification”.
  • Within 30 days of expiry: some assessors offer a “late renewal” path — you submit as a renewal, not a fresh assessment. Same fee.
  • More than 30 days past expiry: treated as a fresh assessment. You start again, including any tier change if your headcount has moved.

How to make the next Cyber Essentials renewal painless

The single best investment is moving from annual fire-drill to continuous compliance. A managed Cyber Essentials service runs a compliance agent on every device that:

  • Continuously checks the five technical controls and flags drift the moment it appears.
  • Enforces patching, EDR coverage, MFA, screen-lock and full-disk encryption automatically.
  • Maintains the evidence library you’ll need for the next renewal SAQ.
  • Submits and renews your assessment for you.

Connection Technologies’ managed service does exactly this — RRP from £103/month for 1-9 users, with free £25,000 cyber-liability insurance for eligible UK businesses. See the Cyber Essentials & CE+ pricing tables for tier details, or read our wider UK IT compliance guide for how renewal fits with GDPR and ISO 27001.

Get Cyber Essentials & Cyber Essentials Plus — fully managed

Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.

Frequently asked questions about Cyber Essentials renewal

Cyber Essentials and Cyber Essentials Plus certificates are valid for exactly 12 months from the date IASME issues them. There is no automatic renewal — you must complete a fresh Self-Assessment Questionnaire (or full audit for CE+) and pay the assessment fee again to maintain certified status.

Start your Cyber Essentials renewal 60-90 days before expiry. Run an internal gap analysis at Day 270, book your renewal slot at Day 300, and submit the renewal SAQ by Day 330 — that 30-day buffer means you can use the free 48-hour re-submission if you fail. For Cyber Essentials Plus, start at Day 240 because the audit itself takes 6-12 weeks.

The Cyber Essentials renewal fee is identical to the original assessment fee: £300 + VAT (micro, 0-9 staff), £400 + VAT (small, 10-49), £450 + VAT (medium, 50-249) or £500 + VAT (large, 250+). Cyber Essentials Plus renewal typically costs £1,500-£8,000 + VAT depending on device count and certification body.

Once expired, you cannot market yourself as Cyber Essentials certified, you lose the free £25,000 cyber-liability insurance, and you become non-compliant with any contract that requires “current Cyber Essentials”. Within 30 days some assessors will treat your submission as a late renewal at the same fee — beyond 30 days it’s treated as a fresh assessment.

Use the IASME public registry — search for the company name on the “Find a certified company” / “NCSC Cyber Essentials Search” page. The registry shows certificate number, level (CE or CE+), issue date, expiry date and certifying body. Procurement teams routinely run this lookup before issuing UK government contracts, so make sure your entry is current.

The April 2026 Willow standard tightens the high-severity vulnerability fix window to 5 days, accepts passwordless authentication (passkeys, biometric) alongside MFA, brings AI / LLM tools formally into scope as cloud services, clarifies mobile device management requirements and pushes harder for whole-organisation scope (which is also required for the free £25k cyber-liability insurance).
