Cyber Essentials looks like a checklist. The questions seem straightforward. Yet as a licensed Certification Body reviewing assessments every week, we see the same failures come through again and again. Not because businesses haven’t done the work, but because the questions are sharper than they look, and the 2026 changes have made some of them significantly harder to pass.

The scheme updated to version 3.3 (“Danzell”) on 27 April 2026. Several things that used to be major non-compliances, where you could still technically pass, are now automatic failures. No appeals, no partial credit.

Important: April 2026 changes

Under v3.3 Danzell, missing multi-factor authentication on any in-scope cloud service that supports it is now an automatic failure. If you're preparing for a 2026 assessment, the bar is meaningfully higher than it was in 2024 or early 2025.

Here are the five failure modes we flag most consistently, what actually goes wrong, and what to do about it.


01

Multi-factor authentication that isn't actually enforced everywhere

The questionnaire asks whether multi-factor authentication is enabled for all admin accounts and all cloud services. Most organisations answer yes. Most are partially wrong.

Service accounts, break-glass accounts, legacy authentication paths, and Conditional Access exclusions all create gaps. A single excluded user in your Conditional Access policy, left over from a "temporary fix" six months ago, is a disclosable gap. Under v3.3, if any in-scope cloud service supports multi-factor authentication and it isn't enabled, the assessment fails automatically.

Check your Conditional Access exclude lists. Check every cloud service independently, not just your Microsoft 365 tenant. Check service accounts. Check the admin account your IT provider uses to connect. If you can't verify multi-factor authentication is enforced on each one, you can't honestly answer yes.

Fix: audit Conditional Access exclude lists, enumerate every cloud service, verify multi-factor authentication state on each one before you start the assessment.
02

Cloud services missing from scope

Most organisations underestimate their cloud footprint by half. Cyber Essentials asks about all cloud services in scope, not just the obvious ones. That means Slack, Notion, GitHub, Figma, Asana, Dropbox, any HR platform, any payroll system, any project management tool that stores business data.

Each service in scope needs its own admin access controls, multi-factor authentication enforcement, and account lifecycle checks examined. If you can't list every cloud service your business uses from memory, you're likely already missing some from your answer.

Under v3.3, scope is also broader for personal devices. If a staff member's personal phone can access work email or any in-scope cloud service, that device falls within scope whether you've formally approved bring-your-own-device or not.

Fix: audit your cloud services before the assessment. SaaS tools, collaboration platforms, storage, dev tools. If it stores or processes work data, it's in scope.
03

Admin accounts used for day-to-day work

One of the most consistent automatic failures we see. Cyber Essentials requires that accounts with administrative privileges are used only for administration. They should be separate accounts from the ones staff use daily, they should be protected with multi-factor authentication, and they shouldn't be used to browse the web, read email, or access standard business applications.

The failure pattern is almost always the same: an IT administrator who has one account with global admin rights in Microsoft 365, and uses it for everything. It's convenient. It's also a direct route from phishing email to full tenant compromise, and it's an automatic failure on the assessment.

This applies to cloud admin accounts, on-premise server admin accounts, network device access, and any account in your environment with elevated privileges.

Fix: create dedicated admin accounts, separate from day-to-day accounts. Use them only for administration. Multi-factor authentication mandatory on every one.
04

Patching claimed but not measured

Cyber Essentials requires that high and critical vulnerabilities are patched within 14 days of release, and that only vendor-supported software is in use. Most businesses believe they meet this standard. Fewer can prove it.

"We patch promptly" is not the same as having the data to demonstrate you patch within 14 days. If you can't run a report right now showing the time between patch release and patch application across your estate over the last 90 days, you cannot honestly answer this question.

The unsupported software trap is increasingly common: Windows 10 reached end of support in October 2025. Any business still running it on in-scope devices cannot pass Cyber Essentials. Same applies to older versions of Office, unpatched server operating systems, or any application that's past its vendor-stated end-of-life date.

Fix: verify you can produce patch compliance reports before the assessment. Confirm every device runs supported software. Windows 10 must be upgraded or removed.
05

Boundary devices with default credentials

Firewalls and routers with factory-default admin passwords are an automatic failure. This catches more businesses than you'd expect, specifically the forgotten devices: the router under the desk in the spare office, the guest WiFi access point running on its original password, the smart TV in the meeting room, the broadband router left behind after an office move.

The rule is simple: if it has an IP address and sits on the boundary between your network and the internet, it's in scope. Every one of those devices needs a changed admin password, updated firmware (within 14 days of available patches), and a firewall configured to block unsolicited inbound connections by default.

Don't answer this section until you've physically or remotely verified every boundary device in your environment. "I think they're all fine" is not a compliant answer.

Fix: map every internet-facing device. Change all default credentials. Verify firmware is current. Confirm inbound-block-by-default is set on all of them.

The honest truth about first-time pass rates

Most first-attempt failures aren’t because businesses haven’t implemented the controls. They’re because the controls are partially in place, and the assessment questions require you to confirm they’re fully in place. Partial implementation disclosed honestly is a resubmission. Partial implementation answered as full compliance is a failed assessment and, if discovered, something worse.

The key insight

Cyber Essentials rewards completeness, not perfection. It's better to scope narrowly and pass cleanly than to scope broadly and leave gaps you haven't addressed. But scope it too narrowly and you'll fail for excluding things that should be included. Getting the scope right is where most first-time failures actually begin.

Self-check before you book

Before you start the formal assessment, work through these yourself:

  • Enumerate every cloud service in use across the business, not just the obvious ones
  • Check every Conditional Access exclude list and verify justification for each exception
  • Verify multi-factor authentication state on every in-scope cloud service independently
  • Confirm admin accounts are separate from day-to-day accounts throughout
  • Run a patch compliance report covering the last 90 days
  • Confirm no end-of-life software on any in-scope device (Windows 10 included)
  • Map every internet-facing boundary device and verify credentials and firmware
  • Confirm personal devices accessing work systems are either compliant or out of scope with justification

If you’re working towards certification and want to talk through scope before booking the assessment, get in touch. As a licensed Certification Body, we can help you confirm what’s in scope and flag obvious issues so the assessment itself runs cleanly.