Cyber Essentials Automatic-Fail Conditions 2026

Last updated: 28 March 2026

Under Cyber Essentials Danzell v3.3, certain answers trigger an automatic certification failure. CrownSync tracks these conditions in real time and flags them immediately in your action plan.

The auto-fail conditions listed here are based on IASME's published Danzell v3.3 marking guidance and CrownSync's implementation of the official question set. Always verify current requirements at iasme.co.uk before your assessment.

MFA not enabled on cloud services — A7.16 and A7.17

If any cloud service in scope offers multi-factor authentication and you have not enabled it, your assessment fails automatically. A7.16 covers administrator accounts; A7.17 covers all user accounts. Both carry automatic-fail status. See our MFA requirements 2026 guide for full details on what counts as MFA and how to enable it.

Common services where MFA must be enabled include Microsoft 365, Google Workspace, GitHub, Slack, Salesforce, Xero, QuickBooks Online, LinkedIn (business pages), and any other cloud platform that offers MFA — even if it requires a paid plan to access.

How to fix

Audit every cloud service your organisation uses. Enable MFA for all users on every service that supports it. Where a service offers MFA only on a higher-tier plan, upgrade to that plan or remove the service from your scope. Document which MFA method each service uses.

Critical patches not applied within 14 days — A6.4

A6.4 requires that high-risk or critical security updates for operating systems and firmware are applied within 14 days of release. Failing to meet this window triggers an automatic failure. This applies to all devices in scope, including desktops, laptops, servers, routers, and firewalls. Read our 14-day patching guide for a step-by-step approach.

How to fix

Enable automatic updates on all operating systems where possible. For firmware updates that require manual intervention, establish a fortnightly review schedule. Use a patch management tool or spreadsheet to track update status across all devices. Ensure someone is responsible for checking firmware updates on routers, firewalls, and other network equipment.

Application and cloud software patches not applied within 14 days — A6.5

A6.5 extends the 14-day patching requirement to all application software and cloud services. This includes web browsers, email clients, office suites, PDF readers, and any third-party software installed on in-scope devices. Cloud services must also be kept on supported versions where the user controls the update.

How to fix

Enable automatic updates for all applications. For software that does not support automatic updates, check for new versions at least fortnightly. Remove or replace any software that the vendor no longer patches. Maintain an inventory of all installed software to ensure nothing is missed.

Unsupported or unlicensed software in scope — A6.3

Any software that has reached end of life and no longer receives security updates must be removed from scope. The most prominent example is Windows 10, which reached end of life on 14 October 2025. Machines running Windows 10 without an Extended Security Update (ESU) agreement cannot be in scope.

How to fix

Upgrade all devices to a supported operating system. If immediate upgrade is not possible, purchase an Extended Security Update agreement from the vendor or remove the device from your assessment scope. Audit all installed software for end-of-life status and replace anything unsupported.
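The "How to fix" steps for A6.4, A6.5 and A6.3 above all come down to keeping an inventory and checking it against two rules: every critical update must be applied within 14 days of release, and nothing past end of life may stay in scope without an ESU agreement. The script below is an added example, not CrownSync's or IASME's code, that applies both rules to a constructed inventory and reports what would show up as an automatic fail. The inventory layout, the device names, the `KB-placeholder` update identifiers, the end-of-life table (only the Windows 10 date is from this page) and the fixed assessment date are all assumptions for illustration.

```python
"""
Added example: check a device/software inventory against the Cyber Essentials
14-day patching window (A6.4 / A6.5) and the end-of-life rule (A6.3).
Not CrownSync's code; every name and date below is a constructed assumption.
"""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)

# Assumed end-of-life table. Only the Windows 10 date is taken from the page.
END_OF_LIFE = {
    "Windows 10": date(2025, 10, 14),
}

# Constructed inventory: one row per (device, software, critical update).
# released = vendor release date of the update,
# applied  = date it was installed, or None if still outstanding,
# esu      = whether an Extended Security Update agreement covers the software.
INVENTORY = [
    {"device": "LAPTOP-01", "software": "Windows 11", "update": "KB-placeholder-1",
     "released": date(2026, 3, 2), "applied": date(2026, 3, 5), "esu": False},
    {"device": "LAPTOP-02", "software": "Windows 10", "update": "KB-placeholder-2",
     "released": date(2026, 3, 2), "applied": date(2026, 3, 10), "esu": False},
    {"device": "FW-EDGE", "software": "Router firmware", "update": "fw-placeholder",
     "released": date(2026, 2, 20), "applied": None, "esu": False},
    {"device": "LAPTOP-01", "software": "Web browser", "update": "browser-placeholder",
     "released": date(2026, 3, 20), "applied": None, "esu": False},
]


def patch_status(row, today):
    """Classify one inventory row against the 14-day window.

    Returns "ok" (applied in time), "pending" (outstanding but still inside the
    window), "late" (applied after the window) or "overdue" (outstanding and
    past the window). Only "late" and "overdue" are auto-fail conditions.
    """
    deadline = row["released"] + PATCH_WINDOW
    if row["applied"] is None:
        return "overdue" if today > deadline else "pending"
    return "late" if row["applied"] > deadline else "ok"


def eol_status(row, today):
    """True if the software is past end of life and no ESU agreement covers it."""
    eol = END_OF_LIFE.get(row["software"])
    return eol is not None and today > eol and not row["esu"]


def auto_fail_findings(inventory, today):
    """Collect every condition that would trigger an automatic fail as of today."""
    findings = []
    for row in inventory:
        status = patch_status(row, today)
        if status in ("late", "overdue"):
            deadline = row["released"] + PATCH_WINDOW
            reference = today if row["applied"] is None else row["applied"]
            days_over = (reference - deadline).days
            findings.append(
                f"{row['device']}: {row['software']} {row['update']} {status} "
                f"({days_over} days past the 14-day deadline)"
            )
        if eol_status(row, today):
            findings.append(
                f"{row['device']}: {row['software']} is end of life with no ESU agreement"
            )
    return findings


if __name__ == "__main__":
    # Fixed assessment date so the output is reproducible; use date.today() in practice.
    for line in auto_fail_findings(INVENTORY, date(2026, 3, 28)):
        print("AUTO FAIL -", line)
```

Run against the constructed inventory on 28 March 2026, the router firmware update comes out as overdue (its deadline passed on 6 March) and the Windows 10 laptop is flagged for end of life, while the browser update released on 20 March is still pending and not yet a failure. The "pending" state is the one worth watching in a fortnightly review: it is the item that becomes an auto-fail if nobody acts before the deadline.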

No firewall at network boundary — A4.1

Every network boundary must be protected by a correctly configured firewall. This includes your office network, any remote sites, and home networks where employees work. If any in-scope device connects to the internet without firewall protection, the assessment fails.

How to fix

Ensure a hardware or software firewall is in place at every network boundary. For remote workers, confirm that their router's firewall is enabled and that host-based firewalls are active on their devices.

Default passwords not changed — A4.2 and A5.3

All default or vendor-supplied passwords must be changed before a device or service is put into use. This includes router admin passwords, default Wi-Fi passwords, and any pre-set credentials on software or hardware. Retaining default passwords is an automatic failure.

How to fix

Audit all network equipment, devices, and services for default credentials. Change every default password to a unique, strong password. Document the process to ensure new equipment is configured before deployment.

Shared accounts in use — A7.2

Every user must have their own individual account. Shared accounts — where multiple people use the same username and password — prevent proper access control and audit trails. Using shared accounts triggers an automatic failure.

How to fix

Create individual accounts for every user on every system. Where shared accounts exist for operational reasons (for example, a shared reception login), replace them with individual accounts that have appropriate permissions.

How CrownSync tracks auto-fail conditions

CrownSync flags every automatic-fail condition with a red AUTO FAIL badge as you complete the assessment. If your answer triggers a failure condition, you see the warning immediately alongside guidance on how to resolve it. The PDF report includes a dedicated auto-fail watchlist so your board and IT team can prioritise these items before submission.

Start your Cyber Essentials preparation today

CrownSync CE Readiness walks your team through the official Danzell v3.3 question set, identifies gaps, and helps you get board sign-off — completely free during our launch period.
