Keeping the certificate
Renewing Cyber Essentials and Cyber Essentials Plus
Both levels expire after twelve months, and renewal means passing the current assessment again, not re-issuing last year's certificate. Planned properly, renewal is a short, boring exercise. Unplanned, it is a scramble against an expiry date your customers can see.
What renewal really is
Four truths about the annual cycle
It is recertification, not renewal
There is no rubber stamp: renewing means passing the current version of the assessment again, questionnaire and, for Plus, audit included. The scheme evolves, so last year's pass does not guarantee this year's.
The scheme changes under you
Question sets and requirements are updated by the scheme over time. The controls that passed twelve months ago are re-examined against the current requirements, not the ones you certified under.
Estates drift
New starters, new laptops, a server that quietly went end-of-life, MFA exceptions that crept in. Renewal failures are almost always drift, which is why we re-run the gap analysis rather than assuming last year still holds.
A lapsed certificate is visible
Certificates carry dates and the scheme maintains public records. If a contract required certification, a lapse is a compliance gap your customer can see. Renewal is cheapest when it is boring and planned.
Our renewal service
Renewal as a calendar entry, not a project
We start about six weeks before expiry: a slimmed-down gap analysis catches drift and scheme changes, fixes get closed while there is still slack, the self-assessment is completed against the current question set, and for Plus clients the audit is booked inside its three month window with room to spare.
Renewal is also the natural moment to look past the scheme: what changed in your business this year that Cyber Essentials does not cover? That conversation is included, not upsold mid-audit.
The renewal timeline
- 6 weeks out: drift check against the current scheme requirements
- 4 weeks out: fixes closed, evidence gathered
- 3 weeks out: self-assessment submitted
- Before expiry: Plus audit passed, certificate continuous
Quick answers
Renewal questions, answered
Do you have to renew Cyber Essentials every year?
Yes. Certificates at both levels are valid for twelve months. Renewal means completing the current self-assessment again, and for Cyber Essentials Plus, passing the independent audit again within three months of it.
Is renewal cheaper than first certification?
The official basic assessment fee is the same each year. For Plus, the audit still has to happen in full, but a well-maintained estate needs far less readiness work, which is where the real cost sits. Our renewal pricing reflects that on the cost page.
What changed in the scheme for 2026?
The scheme updates its question set and guidance periodically, and assessments are always made against the current version. We track the changes as part of every renewal engagement and flag anything that affects your estate before the assessment, so the update is handled in preparation rather than discovered in the audit.
What happens if my certificate lapses?
Nothing is fined, but you are no longer certified: contracts and frameworks that require certification are no longer satisfied, and you start again with a fresh assessment when you return. If a customer requires the certificate, treat the expiry date like an MOT.
Expiry date looming?
Make this year's renewal the boring kind
Tell us your expiry date on a free 45 minute call and we will map the renewal backwards from it. No obligation, no hard sell.