What you may or may not be hearing — the stories about zero tolerance, assessors dragging entire estates into scope, organisations failing on a single missing patch — aren't entirely wrong. But they're also not quite what people think they are.
This isn't assessors going rogue. It's a scheme finally closing the gap between how companies 'say' they operate and how they actually do.
And that gap has always been doing a lot of heavy lifting.
For years, Cyber Essentials Plus sat in an awkward middle ground. It was pitched as a meaningful, technical assurance, but in practice it tolerated a fair amount of theatre. Organisations would tidy up a handful of machines, present a clean slice of their environment, and hope the assessor didn't look too closely beyond it. Most didn't need to. The scheme didn't really force them to.
So people passed. Quite a lot of them!
The April 2026 changes — often referred to as the 'Danzell' update (the latest Cyber Essentials Plus question set) — haven't so much raised the bar as removed the wiggle room underneath it. And when you remove wiggle room, things suddenly feel a lot harsher.
Take patching.
There's a lot of noise about "zero vulnerabilities," which isn't technically accurate. The scheme isn't asking for perfection across everything. What it *is* doing is drawing a hard line around known, high-risk issues and saying: if you know about it, and it's been sitting there for more than 14 days, you don't pass.
That's not a theoretical standard. It's an operational one.
Previously, "timely patching" gave organisations room to interpret, delay, or prioritise around inconvenience. Now it's measurable. If a high or critical vulnerability — typically CVSS 7 and above — is older than two weeks and still present, that's it. Assessment over.
What's caught people off guard isn't the rule itself. It's the removal of discretion. There's no longer a conversation about intent, effort, or competing priorities. The system doesn't care that patching clashed with a release cycle or a change freeze. It only cares that the risk is still there.
And that's uncomfortable, because most environments carry a bit of this debt all the time. Quietly. Invisibly. Managed, perhaps — but not eliminated.
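As an added illustration (not from the article, and not a tool the scheme provides), here is what the rule looks like once it is written down as a check over a vulnerability inventory rather than left as a sentence in a policy. Hosts, finding ids and dates are constructed; the ids are deliberately not real CVE numbers. Two assumptions are mine rather than the scheme's wording: "older than 14 days" is read as strictly more than 14 days, and the clock starts on the date the scanner first reported the finding.

```python
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14   # known high/critical issues must be fixed within this window
CVSS_THRESHOLD = 7.0     # "high or critical": typically CVSS 7.0 and above


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str   # placeholder ids below; constructed sample data, not real CVEs
    cvss: float
    first_seen: date  # assumption: date the scanner first reported the finding
    remediated: bool = False


def counts_against_you(f: Finding) -> bool:
    """Only unremediated findings at or above the CVSS threshold matter for the rule."""
    return not f.remediated and f.cvss >= CVSS_THRESHOLD


def days_outstanding(f: Finding, as_of: date) -> int:
    return (as_of - f.first_seen).days


def failing_findings(findings, as_of: date, window_days: int = PATCH_WINDOW_DAYS):
    """Findings that breach the window ('older than 14 days' read as strictly more than 14)."""
    return [
        f for f in findings
        if counts_against_you(f) and days_outstanding(f, as_of) > window_days
    ]


def approaching_deadline(findings, as_of: date, warn_days: int = 3,
                         window_days: int = PATCH_WINDOW_DAYS):
    """Findings still inside the window but with at most warn_days left, soonest first."""
    at_risk = []
    for f in findings:
        if not counts_against_you(f):
            continue
        remaining = window_days - days_outstanding(f, as_of)
        if 0 <= remaining <= warn_days:
            at_risk.append((remaining, f))
    at_risk.sort(key=lambda pair: (pair[0], pair[1].host))
    return [f for _, f in at_risk]


def assessment_outcome(findings, as_of: date) -> str:
    """A single breaching finding is enough: there is no partial credit."""
    return "FAIL" if failing_findings(findings, as_of) else "PASS"


# Constructed sample inventory: hosts, ids and dates are made up for illustration.
AS_OF = date(2026, 5, 1)
SAMPLE = [
    Finding("web-01", "FINDING-001", 9.8, date(2026, 4, 10)),   # 21 days out: breach
    Finding("db-02", "FINDING-002", 7.2, date(2026, 4, 20)),    # 11 days out: 3 left
    Finding("file-05", "FINDING-003", 7.0, date(2026, 4, 17)),  # 14 days out: last day
    Finding("vdi-03", "FINDING-004", 5.3, date(2026, 3, 1)),    # medium: outside the rule
    Finding("laptop-04", "FINDING-005", 8.1, date(2026, 4, 1), remediated=True),  # fixed
]

if __name__ == "__main__":
    for f in failing_findings(SAMPLE, AS_OF):
        print(f"BREACH  {f.host:10} {f.finding_id} cvss={f.cvss} "
              f"{days_outstanding(f, AS_OF)}d outstanding")
    for f in approaching_deadline(SAMPLE, AS_OF):
        left = PATCH_WINDOW_DAYS - days_outstanding(f, AS_OF)
        print(f"WARN    {f.host:10} {f.finding_id} cvss={f.cvss} {left}d left")
    print("Outcome:", assessment_outcome(SAMPLE, AS_OF))
```

Run against the sample, the single 21-day-old critical on web-01 is enough to fail the whole estate, while db-02 and file-05 are still inside the window but appear on the warning list. That warning list is the operationally useful part: the scheme only cares about the breach, but an organisation that wants to pass continuously needs to see the deadline coming, which is exactly the job that tooling does and spreadsheets tend not to.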
The second pressure point is scope, and this is where the frustration tends to spike.
There's a common belief that assessors are now "forcing everything into scope." In reality, the definition of scope has just become harder to game.
If a device accesses company data and touches the internet, it's relevant. That sounds obvious when you say it plainly, but for years organisations found ways to argue around it. Thin clients, VDI setups, contractor laptops, BYOD — these all lived in grey areas that could be shaped to fit a cleaner narrative.
That narrative doesn't hold anymore.
If someone is using a home PC to access corporate systems through a virtual desktop, that endpoint is now part of the risk story. Not because the scheme has become unreasonable, but because attackers don't respect architectural boundaries. They follow access, not diagrams.
The same applies to cloud services.
There was a time when organisations could treat SaaS platforms as adjacent — important, but not strictly within the core scope of Cyber Essentials. That position has quietly collapsed. If your data lives there, it counts.
And with that comes the MFA requirement, which has been another source of friction. The rule is simple: if a service offers multi-factor authentication, you're expected to use it. For all users. Not just admins. Not just high-risk roles.
Even if it costs extra.
That last part is what tends to sting. Because it exposes a trade-off that organisations have historically been allowed to avoid. Security features that sit behind licensing tiers were often treated as optional enhancements. Now they're effectively baseline expectations.
Again, not because the scheme has become aggressive, but because the threat landscape has made the alternative hard to justify.
Where things get more nuanced is the behaviour of assessors.
There are cases where assessors do overreach. If someone is insisting that completely isolated, non-internet-connected systems must be included without any rationale, that's not aligned with the intent of the scheme.
But those cases are the exception, not the rule.
What's really changed is the burden of proof. It's no longer enough to *say* something is out of scope. You have to demonstrate it. Technically. Clearly. In a way that stands up to scrutiny.
That means proper network segregation, not just logical assumptions. It means diagrams that reflect reality, not simplified versions created for audit purposes. It means being able to explain, in concrete terms, why a system cannot interact with the rest of the environment.
Most organisations can do this. They just haven't had to before.
And that's the pattern running through all of this.
Cyber Essentials Plus hasn't introduced fundamentally new security concepts. Patch quickly. Use MFA. Understand your environment. Segment your network. These aren't cutting-edge ideas.
What's changed is enforcement.
The scheme has shifted from being something you can prepare for periodically to something you have to live with continuously. You can't "clean up for the audit" anymore because the checks are designed to catch exactly that behaviour. Fixing a sampled set of machines isn't enough if the rest of the estate is drifting.
That's why vulnerability management tooling is suddenly being talked about as a necessity rather than a nice-to-have. Not because the scheme mandates specific products, but because the operational reality of meeting a 14-day patch window across a live environment is difficult to sustain manually.
Spreadsheets and good intentions don't scale well under time pressure.
And time pressure is the bit that often gets ignored in discussions about compliance. In the real world, patching competes with outages, releases, staffing gaps, and the general messiness of running systems that can't always be restarted at will. MFA rollouts clash with user resistance and legacy integrations. Network segmentation runs into historical design decisions that nobody wants to revisit.
Cyber Essentials Plus used to allow a degree of abstraction from those realities. Now it reflects them more directly.
Which is why it feels harder.
Not because the standard is unrealistic, but because it's closer to how environments actually behave under normal conditions. And most environments, if we're honest, are not in a constant state of audit readiness.
They're in a state of managed compromise.
So no, the scheme hasn't become impossible. But it has become less forgiving of the gap between policy and practice. Less tolerant of partial fixes. Less interested in whether you *intend* to be secure.
It's asking a simpler question now.
Not "can you pass an assessment?"
But "do you operate like this all the time?"
And for a lot of organisations, that's a very different problem.
This article was developed with the assistance of AI to help refine tone and structure, but the core ideas, personal insights, and final edits are my own.
