Cyber Essentials Vulnerability Management: April 2026 Rules


From 27 April 2026, Cyber Essentials gets sharper teeth. The new Danzell question set, which replaces Willow, turns the security update management requirements into automatic-fail questions: leave a high or critical fix uninstalled for more than 14 days after the vendor released it, and the assessment fails. For small and medium businesses across Brighton, Sussex and the rest of the UK, this raises the bar from “we run Windows Update” to genuine, ongoing vulnerability management across the whole in-scope estate.

Here’s what’s changing, why patching on its own no longer cuts it, and what we’d suggest doing about it.

What is Cyber Essentials, and what’s changing?

Cyber Essentials is the UK government’s cyber security baseline, run by the IASME Consortium on behalf of the National Cyber Security Centre (NCSC). The scheme is designed to protect organisations against the most common threats: phishing, malware, brute-force attacks on passwords, and the kind of opportunistic exploit that hits anything left unpatched and exposed to the internet. It is both the floor for sensible security controls and an increasingly common entry requirement in UK supply chains and contracts.

From April 2026, two new questions become automatic fails:

  • A6.4: all high risk or critical security updates for operating systems and router or firewall firmware must be installed within 14 days of release.
  • A6.5: the same rule applies — patched within 14 days — to applications and any associated files and extensions.

“Patching” now also explicitly covers registry edits, configuration changes, scripts and any other vendor-recommended remediation. Multi-factor authentication (MFA) becomes mandatory on every cloud service that offers it, and any cloud platform handling business data is firmly in scope. No exemptions.

What is a vulnerability — and why does this matter?

A vulnerability is a weakness in software, firmware or configuration that an attacker can use to break in, steal data or run code on a system. Most published vulnerabilities carry a Common Vulnerability Scoring System (CVSS) base score from 0 to 10. Cyber Essentials treats an update as high or critical when the vendor labels it that way or when it fixes anything with a CVSS v3 score of 7.0 or above. These are the vulnerabilities most likely to be exploited within days of disclosure. Unpatched, publicly known vulnerabilities are behind most of the breaches we see in the wild, and many reported breaches still start with software for which the vendor had already issued a fix.

The 14-day clock starts when the vendor releases the update, not when you notice it. That is a tight window if you rely on spotting new releases by hand.
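To make the 14-day rule concrete, here is an added example of our own; it is not part of the scheme's documentation, the question set, or any scanner product. It takes scanner findings that carry a CVSS score, the vendor's release date and (if any) the install date, classifies each one against the 7.0 threshold and the 14-day window, and builds the grouped evidence summary an assessor would want to see. The Finding fields, the sample data, and the mapping of component type to A6.4 or A6.5 are assumptions for illustration; treating day 14 after release as still in time is our reading of "within 14 days".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed reading of the rule: CVSS v3 base score 7.0 or above is "high or
# critical", and the fix must be installed no later than 14 days after the
# vendor's release date (release day counts as day 0, day 14 is still in time).
CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)


@dataclass
class Finding:
    """One scanner finding. Field names are this example's own, not a real scanner's schema."""
    host: str
    component: str
    kind: str                           # "os", "firmware" or "app"
    cvss: float
    released: date                      # vendor release date of the fix: the clock starts here
    installed: Optional[date] = None    # None while the fix is still missing
    exception: Optional[str] = None     # documented mitigation and owner, if it truly cannot be patched


def question(f: Finding) -> str:
    """Map the finding to the question it falls under (numbering as used in the article)."""
    return "A6.4" if f.kind in ("os", "firmware") else "A6.5"


def deadline(f: Finding) -> date:
    return f.released + PATCH_WINDOW


def status(f: Finding, today: date) -> str:
    """Classify one finding against the 14-day rule.

    not-in-scope : below the CVSS threshold, so A6.4/A6.5 do not apply
    compliant    : installed on or before the deadline
    late         : installed, but after the deadline (a documented miss)
    open         : still missing, deadline not yet reached
    overdue      : still missing, deadline passed -> automatic fail
    exception    : missing, but on the exception register with an owner and mitigation
    """
    if f.cvss < CVSS_THRESHOLD:
        return "not-in-scope"
    if f.installed is not None:
        return "compliant" if f.installed <= deadline(f) else "late"
    if f.exception:
        return "exception"
    return "overdue" if today > deadline(f) else "open"


def assess_estate(findings: list, today: date) -> dict:
    """Build the evidence summary: findings grouped by status, plus an overall verdict."""
    groups = {k: [] for k in ("not-in-scope", "compliant", "late", "open", "overdue", "exception")}
    for f in findings:
        s = status(f, today)
        entry = {"host": f.host, "component": f.component, "question": question(f),
                 "cvss": f.cvss, "deadline": deadline(f).isoformat()}
        if s == "open":
            entry["days_left"] = (deadline(f) - today).days
        if s == "overdue":
            entry["days_overdue"] = (today - deadline(f)).days
        if s == "exception":
            entry["mitigation"] = f.exception
        groups[s].append(entry)
    # Any in-scope fix still missing after 14 days is an automatic fail. Exceptions and
    # late installs are not a free pass: they are counted separately so they get reviewed.
    verdict = "FAIL" if groups["overdue"] else "PASS"
    return {"verdict": verdict, "needs_review": len(groups["exception"]) + len(groups["late"]), **groups}


# Constructed sample data for illustration, not real scan output.
TODAY = date(2026, 5, 12)
SAMPLE = [
    Finding("LAPTOP-01", "OS cumulative update", "os", 8.8, date(2026, 5, 1), installed=date(2026, 5, 4)),
    Finding("LAPTOP-02", "OS cumulative update", "os", 8.8, date(2026, 4, 14), installed=date(2026, 5, 1)),
    Finding("SRV-01", "Browser security update", "app", 9.6, date(2026, 4, 20)),
    Finding("FW-01", "Router firmware", "firmware", 7.0, date(2026, 5, 5)),
    Finding("LAPTOP-03", "Archive utility update", "app", 5.5, date(2026, 4, 1)),
    Finding("SRV-02", "Line-of-business app on legacy runtime", "app", 7.5, date(2026, 3, 1),
            exception="Isolated on its own VLAN with no internet access; owner: IT manager"),
]

if __name__ == "__main__":
    report = assess_estate(SAMPLE, TODAY)
    print("Verdict:", report["verdict"], "| items needing review:", report["needs_review"])
    for s in ("overdue", "open", "late", "exception", "compliant"):
        for e in report[s]:
            print(f"  {s:9} {e['question']} {e['host']:10} {e['component']} "
                  f"(CVSS {e['cvss']}, deadline {e['deadline']})")
```

Run as-is, the sample estate fails: the browser update on SRV-01 has been missing for eight days past its deadline, even though every other device is either patched in time, still inside its window, or on the exception register. That is the point of the new rule: one overdue high-risk fix anywhere in scope is enough.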

Patching vs vulnerability management

This is where a lot of organisations get caught out. Patch management is the routine work: scheduled software updates rolled out through Windows Update, a remote monitoring and management (RMM) tool, or a centralised app catalogue. Useful and necessary, but limited. It assumes you already know what is installed everywhere, and it does not always reach third-party applications, browser extensions, or devices that drift off the schedule.

Vulnerability management is broader. It actively scans every laptop, desktop and server for known security issues, scores each finding by severity, prioritises the high-risk ones, and tracks them through to remediation. It also looks at your external attack surface and gives you the evidence trail to prove each update was applied within 14 days of release, which is exactly what the Cyber Essentials requirement asks for.

Patching                                       | Vulnerability management
-----------------------------------------------|-------------------------------------------------------------
Scheduled rollout of known software updates    | Active discovery of weaknesses, scored and prioritised
Assumes you already know what’s installed      | Confirms what’s installed and flags what’s missing
OS and headline third-party apps               | OS, all applications, firmware and external services
Limited evidence: “we ran the updates”         | Full audit trail: scan history, severity scores, dates fixed
Does the routine                               | Proves the routine worked, and fills the gaps

You need both. Routine patching does the steady work; effective vulnerability management proves the estate is actually clean and catches what the routine misses, including older devices and software the vendor no longer supports. Unsupported software has no fix coming, so under Cyber Essentials it has to be removed, replaced or taken out of scope rather than left running.


What is a vulnerability scan?

A vulnerability scan is an automated check of your devices and installed software against a constantly updated database of known CVEs and the fixes for them. A good scanner runs continuously as an agent on each endpoint, reports back to a central dashboard, and flags anything unpatched together with its severity and how long it has been outstanding. It is how you confirm, rather than assume, that your estate is up to date.

What’s new in Cyber Essentials Plus

Cyber Essentials Plus, the hands-on audit version, gets the bigger shake-up in the certification process. Until now, assessors tested a sample of devices. If something failed, you remediated those devices, retested the same sample, and passed. From April 2026 that loophole closes.

Before April 2026                                               | From April 2026
----------------------------------------------------------------|-------------------------------------------------------------------------
Assessor tests a random sample of devices                       | Assessor tests a random sample of devices
On failure, remediate the sample and retest the same devices    | On failure, retest the original sample plus a brand-new random sample
Possible to pass by patching only the tested devices            | Whole estate must be clean; selective patching fails
Self-assessment answers could be quietly amended after testing  | Answers locked after testing; a second failure revokes the underlying certificate

If the first sample turns up any high or critical vulnerability older than 14 days, the assessor returns and tests the original devices plus a brand-new random sample. Fail twice and your certificate, including the underlying self-assessment, is revoked. You can no longer edit your answers after testing either.

Translation: under the new retesting rules, selective patching is over. Whatever you do, you have to do across the whole estate, all year. A penetration test is not required for Cyber Essentials, but a reliable way to find, prioritise and evidence high-risk vulnerabilities is.

How we help


For our managed clients, this is what our vulnerability management service does, day-to-day:

  • Continuous scanning on every desktop, laptop and server we manage
  • Severity scoring on every finding, with everything scoring 7.0 and above prioritised
  • Auto-patching where it’s safe; where it isn’t, we remediate manually through change control
  • A 14-day SLA on high risk and critical fixes — set deliberately to match the new rule
  • External attack surface checks alongside the internal scan
  • An exception register for anything that genuinely can’t be patched — for example, a line-of-business application running on legacy software — with a documented mitigation and owner
  • An evidence pack ready for certification renewal and for cyber insurers

Network firmware on firewalls and routers sits under our firewall service rather than this one, but together they cover what A6.4 and A6.5 require. We’d rather be honest about that than pretend one product does everything.

Final thought

If you’re new to the scheme, or you certify each year and aren’t sure you’d survive the April 2026 changes, this is a good moment to look properly. The new rules reward ongoing compliance and quietly penalise organisations still running on goodwill and a quarterly patch cycle.

Not sure whether you’d pass under the April 2026 rules? We’ll walk through your patching, vulnerability management and Cyber Essentials readiness with you, then tell you honestly what needs fixing before renewal. No hard sell — just a clear view of where you stand. We’re a Brighton-based IT and cyber security team working with small and medium businesses across Sussex and beyond.

👉 Book a Cyber Essentials readiness review