What happens if your Cyber Essentials certificate lapses
A lapsed certificate is not a gentle warning - the moment it expires, you are uncertified. This guide covers renewal timing, the re-certification process, and the commercial consequences.
Cyber Essentials certificates are valid for exactly 12 months from the assessment date. On day 366, you are uncertified. There is no grace period, no soft expiry, no "recently lapsed" status. This catches a lot of organisations out - especially ones whose renewal fell off a project manager's roadmap during the year.
This guide covers what actually happens when a certificate lapses, how to recover fast, and how to set up a renewal cadence that does not miss the window.
What happens on the lapse date
At midnight on the certificate's anniversary, three things change:
1. You are removed from the NCSC register. Your organisation no longer appears in the IASME-maintained list of certified entities. Anyone checking your certificate will see an expired record.
2. You are no longer certified for contract purposes. If a contract requires current Cyber Essentials certification (including PPN 014/21 for UK central government), you are out of compliance from the lapse date forward.
3. Your certificate file still exists. The PDF you were issued does not get revoked - it still shows the dates and the logo. But it is historical evidence. It does not satisfy "current certification".
Who finds out (and when)
Two groups care about the lapse:
Customers doing due diligence. Large customers run quarterly checks on supplier certifications. If they check the NCSC register two weeks after your lapse, you are flagged as non-compliant. Depending on the contract, this triggers a remediation notice, a supplier review, or in some cases a stop-work event.
Procurement frameworks. Public-sector frameworks (Crown Commercial Service, NHS Shared Business Services, etc.) check certification at bid and at contract renewal. A lapsed certificate means you cannot renew within the framework until you re-certify.
The re-certification process
Re-certification follows the same process as first-time certification. You complete a fresh self-assessment against the current scheme version, submit it, and the certification body reviews it. If you are re-certifying within 12 months of the prior certification, the assessor has your prior submission for reference - they can see what you had and whether it has changed.
For most organisations, re-certification is faster than first-time certification because the controls are already in place and the team knows the questionnaire. Fig re-certifications typically complete within 6 hours of submission for compliant applications.
The cost of lapse
Three costs to consider:
1. The re-certification fee. Same as the normal CE fee - £299.99–£549.99 + VAT depending on organisation size. There is no penalty charge for re-certifying after a lapse.
2. The gap in certification. Even if you re-certify the day after lapse, there is a documented lapse on your record. Some customers consider this a material breach; most accept it if you re-certify within 30 days.
3. The contract risk. If a specific customer contract requires continuous certification, a lapse may trigger contractual remedies. Read the contract. For PPN 014/21 central-government contracts, re-certification within a reasonable window is usually acceptable; some frameworks require stricter continuity.
v3.3 re-certification in 2026
If your original certificate was issued under CE v3.2 or earlier, your re-certification in 2026 will be against v3.3. Expect three things to be different from your prior submission:
- Mandatory MFA on every user account accessing organisational data.
- Stricter BYOD scoping - home routers in scope for remote workers.
- Explicit cloud service obligations - IaaS, PaaS, SaaS configurations must be documented.
Do not assume the prior submission will pass as-is. Re-read the current requirements before re-submitting.
The renewal cadence that works
The reason certificates lapse is almost always the same: the person who drove the original certification left the business, or was reassigned, or forgot. There is no calendar event reminding the organisation.
Fig (and most certification bodies) send renewal emails 90, 60, and 30 days before expiry. Put every renewal email into a shared calendar or ticketing system - not one person's inbox.
A good cadence:
- 60 days before expiry: book the renewal slot. Start reviewing the current questionnaire against v3.3.
- 30 days before expiry: run the readiness checker against the current requirements.
- 14 days before expiry: submit the renewal. At Fig, with 6-hour turnaround, you will be certified within a business day, giving you a full 13-day buffer.
- Day 0: certificate renewed, NCSC register updated.
Aim for a 14-day buffer, not a day-of submission. The 14 days protect you against sick leave, bank holidays, and last-minute scope changes.
If you have already lapsed
If you are reading this because your certificate lapsed yesterday or last week:
1. Tell your customers proactively. A self-reported "our certificate lapsed, we are re-certifying today" is a much better look than "we got caught in a due diligence check".
2. Submit a re-certification assessment. With Fig's 6-hour turnaround, you can be re-certified the same business day.
3. Log the lapse internally. Record the date range of the gap and the reason. Future DDQs may ask about continuity.
4. Fix the calendar. Put the next renewal into a shared cadence, not a personal calendar.
Bottom line
A lapsed Cyber Essentials certificate is not a minor admin issue. It removes you from the NCSC register, may trigger contract remedies, and affects procurement. The good news is that re-certification is fast, cheap, and handled by the same body that issued the original.
Do not let the certificate lapse in the first place. If you are close to expiry now, book the renewal today.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.