Opinion

Why the new Cyber Essentials guidance changes everything

By
By
Jon Dedman

The National Centre for Cyber Security recently announced its updated Cyber Essentials (CE) requirements for IT infrastructure v3.3 – this is what the new Danzell question set by IASME for CE certification is now based on. 

From making multi-factor authentication (MFA) compulsory to password authentication guidance, the updates are all part of a mission to tackle evolving threats and build wider operational resilience and robustness across businesses. And one crucial update is the requirements around security patches and updates. 

Any organisation holding or pursuing CE certification will need to demonstrate that “critical” or “high risk” patches released by vendors are applied across their entire IT estate within 14 days. Otherwise, they will automatically fail. This is because security threats can become serious if updates are not applied in this two-week window. The new standard also “strongly recommends” that all released updates are implemented within this timeframe “for optimum security”. 

Yet for organisations with large networks of hundreds or thousands of endpoints, outdated applications and complex dependencies, this is a massive operational challenge. Knowing what devices need updating when and also when any configuration changes take place can be incredibly difficult. 

So, before their certification assessment, what IT teams need is a way to understand in real time whether patches have actually been applied consistently – not just pushed out to devices – and what systems have drifted away from their approved baseline. 

But how can they achieve this? And what is the wider motivation behind the new guidance?

Why the 14-day rule has come into play 

As the guidance stipulates, devices running software can have security flaws, which bad actors can discover and exploit to disrupt networks. As a result, vendors will release patches or configuration changes to target these system vulnerabilities, in the same way your phone needs updating. Failing to apply these updates within this timeframe will significantly increase security risks, while two weeks still provides enough time for companies to practically implement all of the necessary updates safely. 

The motivation behind the rule is down to the ever growing risk presented by cyber threats. Bank outages have become a frequent occurrence: just last month, Lloyds, Halifax and Bank of Scotland all suffered outages. AI of course presents a notable risk, with the World Economic Forum citing AI vulnerabilities and cyber-enabled fraud and phishing as the fastest growing cyber risks. Then there are the ongoing ransomware and cyberattacks that continue to take down large institutions. The challenge for organisations now is to ensure that their capabilities can match the new CE guidance to mitigate these risks.

Change visibility integral to CE changes 

When IT estates are vast and complex, configuration changes can easily go unnoticed and gradually drift from their intended baseline. How does this happen? Devices are continuously being modified by teams, vendors and automated tools. Vendor changes in particular lie beyond an IT team’s immediate control and can be pushed at any moment. In response, many teams will set up auto-update capabilities to ensure they stay within the 14-day rule, on the basis that staying up-to-date means risk is significantly reduced. 

This is a good idea, but it only works up until a point. What happens if the vendor then pushes out a change that breaks and teams have no oversight of it? Such changes might seem inconsequential at first, but when they stay undetected, they can lead to outages and entry points for attackers. So, when estates are continuously changing due to actions from teams both in-house and externally, ongoing change visibility, which shows any change taking place against an established baseline, is essential. 

To effectively do this and ensure retained compliance, IT teams need a central digital platform that can automatically monitor their entire infrastructure and devices on a continuous basis. Capabilities like automatic drift management, for instance, can then detect changes and provide a log of activity on systems to prevent changes going unrecorded or unauthorised. This mitigates risks like outages while providing the evidence applicants need when applying for CE certification. 

The wider updates in the requirements 

The 14-day rule is just one part in the new CE guidance designed to meet the modern threats IT teams face on a daily basis. MFA is another key requirement, and the guidance states that any administrative account that can be accessed from the internet “must always use MFA”. The British Library ransomware attack in 2023 caused major disruption to the organisation and showed the importance of MFA – a review into the incident later revealed that the absence of MFA on the domain “contributed to the attackers’ ability to enter the system via this route”. 

More recently, UK Cyber chiefs have strongly recommended that people ditch passwords in favour of passkeys, another area highlighted in the CE guidance. Passkeys are a significant step forward in security over passwords or simple PINs. However, as they're not yet supported across every application or website and are also tied to the device or browser, they can’t be truly portable. As a result, organisations will need to manage a mix of authentication methods for some time yet. 

All of these changes are designed to enhance operational resilience, a critical necessity for organisations to meet regulations like DORA, and manage evolving threats. 

Change is necessary, it just needs to be seen 

A key update in the new requirements is that the CE scope includes any data or services hosted on the cloud and any owned devices/software used by third parties. When coupled

with the 14-day rule, the need for companies to have oversight of all patches and updates across their network and the means to spot them continuously becomes incredibly apparent. 

The updated guidance isn't simply asking organisations to patch faster – it's asking them to stay in control of change. As IT environments become more dynamic through AI, cloud and automation, continuous visibility will be just as important as rapid patching. Not only is it essential for achieving CE certification, but also for building the operational resilience needed to prevent future outages and cyber incidents. 

Change is necessary to combat a range of evolving threats. But how effectively companies can see this change will ultimately contribute to how well they can defend themselves.

Written by
July 17, 2026
Written by
Jon Dedman