Cyber Essentials 14-Day Patching Requirement 2026

Last updated: 28 March 2026

Under Cyber Essentials Danzell v3.3, per IASME's published marking guidance, all high-risk or critical security updates must be applied within 14 days of release. This applies to operating systems, firmware, software, and cloud services. CrownSync tracks both patching questions as automatic-fail conditions.

What the requirement covers

Two questions carry automatic-fail status under Danzell v3.3:

  • A6.4 — covers operating systems and firmware. All high-risk or critical patches must be applied within 14 days of release.
  • A6.5 — covers all application software and cloud services. The same 14-day window applies.

Both are tracked by CrownSync as AUTO_FAIL questions. A “No” answer to either results in automatic assessment failure.

What counts as high-risk or critical

A security update is considered high-risk or critical if either of the following conditions is met:

  • Vendor classification — the vendor describes the update as critical or high risk in its own advisory or release notes.
  • CVSS score — the vulnerability addressed by the update has a CVSS v3 base score of 7.0 or higher.

If either condition is met, the 14-day clock starts from the date the update is released by the vendor.

What is in scope

The 14-day patching requirement applies to every device and service within your Cyber Essentials scope:

  • Operating systems — Windows, macOS, and Linux on all in-scope desktops, laptops, and servers
  • Mobile devices — iOS and Android on any in-scope phones and tablets
  • Firmware — router and firewall firmware, including any network appliances at your boundary
  • Application software — browsers, email clients, office suites, and any other software installed on in-scope devices
  • Cloud services — SaaS platforms such as Microsoft 365, Google Workspace, and any other cloud service in scope

How to meet the requirement

The simplest approach is to enable automatic updates wherever the option is available. For operating systems, browsers, and most cloud services, automatic updates ensure patches are applied well within the 14-day window without manual intervention.

If your organisation uses managed IT or a third-party provider, you must ensure that their patching process delivers 14-day compliance and that you retain documentation to evidence this. Your IT provider's internal SLA does not override the Cyber Essentials requirement — if patches are applied after 14 days, the assessment fails regardless of who is responsible.

Keep records of patch deployment dates. Assessors may request evidence that critical updates were applied within the required timeframe, particularly for devices managed outside of automatic update mechanisms.

Common mistakes

  • Patching servers but not endpoints — the requirement applies to every in-scope device, including employee laptops and desktops, not just servers.
  • Assuming the IT provider handles it — you are responsible for evidencing compliance regardless of whether you manage IT internally or outsource it. Check that your provider delivers within 14 days and can prove it.
  • Forgetting firmware updates — routers and firewalls often have firmware updates that are overlooked. These are covered by A6.4 and must be patched within 14 days.
  • Running unsupported software — software that no longer receives security updates cannot meet the 14-day requirement by definition. This is a separate automatic-fail condition under A6.3.

Unsupported software

Question A6.3 is a separate automatic-fail condition that requires all software in scope to be within its vendor's supported lifecycle. If software is no longer receiving security updates from its vendor, it cannot be used on in-scope devices.

The most common example is Windows 10, which reached end of life in October 2025. Organisations still running Windows 10 on in-scope devices will fail at A6.3 unless they have purchased Extended Security Updates (ESU) from Microsoft, which extends support with critical patches.

Check all operating systems, browsers, and application software on in-scope devices against vendor lifecycle pages before starting your assessment.
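The criteria above (vendor rating or CVSS 7.0+, 14-day clock from vendor release), the advice to keep patch deployment records, and the A6.3 lifecycle check can be turned into a simple self-assessment run over your own patch log before the assessor asks for it. The following is an added example written for this page, not CrownSync, IASME or NCSC code; the inventory layout (`Update`, `Product`) is an assumption, and the asset names, dates and scores are constructed sample records, with the "today" date set to this page's last-updated date.

```python
"""Self-check for the Cyber Essentials 14-day patching rule (A6.4/A6.5) and
the supported-lifecycle rule (A6.3). Added example; record layout is assumed,
sample data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=14)          # patch window from the guidance
CVSS_THRESHOLD = 7.0                 # CVSS v3 base score at or above this is high-risk
VENDOR_HIGH_RISK = {"critical", "high", "high risk"}   # vendor's own labels that qualify
TODAY = date(2026, 3, 28)            # assessment date used for the sample run


@dataclass
class Update:
    asset: str
    product: str
    category: str                    # "os", "firmware", "application" or "cloud"
    released: date                   # vendor release date: the clock starts here
    vendor_rating: Optional[str] = None
    cvss_base: Optional[float] = None
    applied: Optional[date] = None   # None = not yet deployed


@dataclass
class Product:
    asset: str
    name: str
    support_ends: Optional[date]     # None = no announced end of support
    esu_until: Optional[date] = None # paid extended support, if purchased


def is_high_risk(u: Update) -> bool:
    """Either condition alone puts the update inside the 14-day rule."""
    by_vendor = (u.vendor_rating or "").lower() in VENDOR_HIGH_RISK
    by_cvss = u.cvss_base is not None and u.cvss_base >= CVSS_THRESHOLD
    return by_vendor or by_cvss


def question_for(category: str) -> str:
    """A6.4 covers OS and firmware; A6.5 covers applications and cloud services."""
    return "A6.4" if category in ("os", "firmware") else "A6.5"


def evaluate(u: Update, today: date):
    """Return (question, status, detail) for one update record."""
    q = question_for(u.category)
    if not is_high_risk(u):
        return q, "not_in_scope", "below the high-risk threshold"
    deadline = u.released + WINDOW
    if u.applied is None:
        if today > deadline:
            return q, "overdue", f"deadline {deadline} passed, still not applied"
        return q, "pending", f"{(deadline - today).days} days left"
    if u.applied <= deadline:
        return q, "compliant", f"applied {(u.applied - u.released).days} days after release"
    return q, "breach", f"applied {(u.applied - deadline).days} days late"


def assess(updates, today: date):
    """Any breach or overdue item fails its question outright (automatic fail)."""
    results = [(u, *evaluate(u, today)) for u in updates]
    failed = {q for (_, q, status, _) in results if status in ("breach", "overdue")}
    return results, failed


def lifecycle_status(p: Product, today: date) -> str:
    """A6.3: software must be inside vendor support (ESU counts while it lasts)."""
    if p.support_ends is None or today <= p.support_ends:
        return "supported"
    if p.esu_until is not None and today <= p.esu_until:
        return "supported_via_esu"
    return "unsupported"


# Constructed sample patch log. "Important" is not a critical/high label, but the
# CVSS score of 7.2 still brings that update into scope.
SAMPLE_UPDATES = [
    Update("LAPTOP-01", "Windows 11", "os", date(2026, 3, 10), "Critical", 8.8, date(2026, 3, 12)),
    Update("FW-EDGE-01", "Firewall firmware", "firmware", date(2026, 2, 20), "High", None, date(2026, 3, 20)),
    Update("LAPTOP-02", "Browser", "application", date(2026, 3, 1), None, 7.5, None),
    Update("LAPTOP-02", "Office suite", "application", date(2026, 3, 20), "Moderate", 5.3, None),
    Update("TENANT-M365", "SaaS platform", "cloud", date(2026, 3, 20), "Important", 7.2, None),
]

# Constructed inventory. Windows 10 support ended 14 October 2025; the ESU end
# date below is a placeholder for whatever your purchased ESU term says.
SAMPLE_PRODUCTS = [
    Product("LAPTOP-03", "Windows 10", date(2025, 10, 14)),
    Product("LAPTOP-04", "Windows 10 with ESU", date(2025, 10, 14), esu_until=date(2026, 10, 13)),
    Product("LAPTOP-01", "Windows 11", None),
]

if __name__ == "__main__":
    results, failed = assess(SAMPLE_UPDATES, TODAY)
    for u, q, status, detail in results:
        print(f"{q} {u.asset:<12} {u.product:<18} {status:<13} {detail}")
    for p in SAMPLE_PRODUCTS:
        print(f"A6.3 {p.asset:<12} {p.name:<18} {lifecycle_status(p, TODAY)}")
    print("Failing questions:", sorted(failed) or "none")
```

Run as written, the firmware update applied 14 days late fails A6.4 and the browser update still outstanding 13 days past its deadline fails A6.5, while the office-suite update sits outside the rule on both criteria. The evaluation measures from the vendor's release date, not from when your provider first saw the update, which is the point the guidance makes about provider SLAs.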

Start your Cyber Essentials preparation today

CrownSync CE Readiness walks your team through the official Danzell v3.3 question set, identifies gaps, and helps you get board sign-off — completely free during our launch period.
