Keeping the certificate

Renewing Cyber Essentials and Cyber Essentials Plus

Both levels expire after twelve months, and renewal means passing the current assessment again, not re-issuing last year's certificate. Planned properly, renewal is a short, boring exercise. Unplanned, it is a scramble against an expiry date your customers can see.

What renewal really is

Four truths about the annual cycle

3D illustration of annual recertification

It is recertification, not renewal

There is no rubber stamp: renewing means passing the current version of the assessment again, questionnaire and, for Plus, audit included. The scheme evolves, so last year's pass does not guarantee this year's.

3D illustration of scheme changes

The scheme changes under you

Question sets and requirements are updated by the scheme over time. The controls that passed twelve months ago are re-examined against the current requirements, not the ones you certified under.

3D illustration of estate drift between renewals

Estates drift

New starters, new laptops, a server that quietly went end-of-life, MFA exceptions that crept in. Renewal failures are almost always drift, which is why we re-run the gap analysis rather than assuming last year still holds.

3D illustration of the cost of a lapsed certificate

A lapsed certificate is visible

Certificates carry dates and the scheme maintains public records. If a contract required certification, a lapse is a compliance gap your customer can see. Renewal is cheapest when it is boring and planned.

Our renewal service

Renewal as a calendar entry, not a project

We start about six weeks before expiry: a slimmed-down gap analysis catches drift and scheme changes, fixes get closed while there is still slack, the self-assessment is completed against the current question set, and for Plus clients the audit is booked inside its three month window with room to spare.

Renewal is also the natural moment to look past the scheme: what changed in your business this year that Cyber Essentials does not cover? That conversation is included, not upsold mid-audit.

The renewal timeline

  • 6 weeks out: drift check against the current scheme requirements
  • 4 weeks out: fixes closed, evidence gathered
  • 3 weeks out: self-assessment submitted
  • Before expiry: Plus audit passed, certificate continuous

Quick answers

Renewal questions, answered

Do you have to renew Cyber Essentials every year?

Yes. Certificates at both levels are valid for twelve months. Renewal means completing the current self-assessment again, and for Cyber Essentials Plus, passing the independent audit again within three months of it.

Is renewal cheaper than first certification?

The official basic assessment fee is the same each year. For Plus, the audit still has to happen in full, but a well-maintained estate needs far less readiness work, which is where the real cost sits. Our renewal pricing reflects that on the cost page.

See what it costs

What changed in the scheme for 2026?

The scheme updates its question set and guidance periodically, and assessments are always made against the current version. We track the changes as part of every renewal engagement and flag anything that affects your estate before the assessment, so the update is handled in preparation rather than discovered in the audit.

What happens if my certificate lapses?

Nothing is fined, but you are no longer certified: contracts and frameworks that require certification are no longer satisfied, and you start again with a fresh assessment when you return. If a customer requires the certificate, treat the expiry date like an MOT.

3D rocket illustration for booking a free certification discovery call

Expiry date looming?

Make this year's renewal the boring kind

Tell us your expiry date on a free 45 minute call and we will map the renewal backwards from it. No obligation, no hard sell.