14 days to patch.
And prove it.

Cyber Essentials requires critical patches applied within 14 calendar days across your entire estate. Most Azure teams are patching. Far fewer can demonstrate it clearly, consistently, and without a last-minute scramble.

The requirement, plainly stated

What CE actually requires for patching

Cyber Essentials is a UK government-backed certification scheme covering five technical controls. The fifth — Security Update Management — is consistently the leading cause of assessment failure. The requirement itself is not complicated. Meeting it in practice, across a real Azure estate, with evidence to back it up, is where most teams run into difficulty.

Security Update Management — the core requirement
All software must be licensed, supported, and have high-risk or critical security patches applied within 14 calendar days of release.

This applies to operating systems, applications, firmware on network devices, and browser plugins — across every device within the scope of your certification. It is 14 calendar days, not business days. And the clock starts from the date the vendor releases the patch, not from the date you become aware of it.

For Windows servers, the clock starts on Patch Tuesday

Microsoft releases security patches on the second Tuesday of each month. From that date, you have 14 calendar days to apply any high-risk or critical updates across your entire in-scope estate. If your assessment falls on day 15, and any device is missing a critical patch from that cycle, you fail.

What changed in April 2026

The rules just got significantly stricter

The April 2026 update to Cyber Essentials — version 3.3, known as the Danzell scheme — introduced automatic failure conditions for patching. Under the previous scheme, a patching non-compliance was a major finding that could still allow certification with up to two strikes. That loophole is now closed.

Automatic failure

One missed critical patch = instant fail

If an assessor finds even a single device in their sample missing a critical or high-risk update older than 14 days, the assessment fails automatically. No partial credit, no negotiation.

Double sampling

Failing the first sample triggers a second

If the first device sample fails, the assessor takes a second random sample from the rest of the estate. If that also fails, the assessment fails entirely — and any existing CE certificate can be revoked.

Whole estate, not just sampled devices

Patches must be applied consistently everywhere

Recent audits caught organisations patching only the devices likely to be sampled. The 2026 rules specifically address this — assessors now verify consistent patching across the entire scope, not just the sample.

Cloud is now in scope

Azure VMs cannot be excluded

From April 2026, cloud services cannot be carved out of your CE scope. If your organisation runs servers on Azure, those servers are in scope and must meet the same 14-day patching requirement.

The practical effect is that patching is no longer something you can tighten up in the weeks before an assessment. The requirement must be met continuously — and the evidence must exist to prove it was met at the time of assessment, not assembled retrospectively.

Where Azure teams struggle

The gap between patching and proving it

Most Azure teams running Azure Update Manager are patching reasonably well. The 14-day window is achievable if you have a structured monthly process aligned to Patch Tuesday. The problem is not usually the patching itself — it is demonstrating that it happened, when it happened, across every device in scope, in a form the assessor can verify.

When an assessor asks for patch compliance evidence, here is the difference between what most teams can produce and what a well-structured process produces:

Without a structured process
  • AUM portal shows current state only — no historical record of when patches were applied
  • Compliance report must have been manually exported at exactly the right time or it no longer exists
  • Cross-subscription compliance requires manual portal navigation and compilation
  • No timestamped record of which devices were compliant, and when
  • Answering "were you compliant within 14 days of Patch Tuesday?" requires reconstructing from Azure activity logs under pressure
  • Patching across multiple tenants or subscriptions has no consolidated audit trail
With OPUS
  • Compliance snapshot captured automatically after every patch cycle — no manual export required
  • Historical compliance for any previous month immediately available on demand
  • Single consolidated view across every subscription and tenant
  • Timestamped operation history showing exactly when patches ran and which devices were affected
  • PDF and Excel export for any time period — assessor-ready in 30 seconds
  • Activity audit log per tenant per month — a complete operational record, not a reconstruction
How OPUS maps to CE

Built around the same 14-day window

OPUS was not built as a CE compliance tool. It was built by an engineer who ran enterprise patch cycles at scale and needed a structured, governed process that left a proper audit trail. The alignment with Cyber Essentials is a natural result of that — if your patching process is structured correctly, the CE evidence exists as a by-product. You are not doing extra work for the auditor.

CE requirement
How OPUS addresses it
The requirementCritical and high-risk patches applied within 14 calendar days of release across the entire in-scope estate.
Guided workflow + Patch Tuesday alignmentOPUS structures the monthly patch cycle around Patch Tuesday. The assessment, curation, and deployment phases are designed to complete within the 14-day window as a matter of process — not as a last-minute sprint before assessment day.
Whole-estate consistencyPatches must be applied consistently across all in-scope devices, not just the ones likely to be sampled.
Cross-subscription managementOPUS manages every device across every subscription and tenant from a single interface. No device is managed separately or overlooked. The Device Tag Audit surfaces any device not covered by a maintenance configuration before the cycle runs.
Documentation and evidenceAssessors may request records of when patches were released, when they were deployed, and the current patch status of all in-scope devices.
Automatic compliance snapshots + audit logOPUS captures and retains a timestamped compliance snapshot after every patch cycle. The activity audit log records every mutating operation per tenant, per month. PDF and Excel exports are available on demand — the record is always there whether you planned for an audit or not.
Risk-based prioritisationHigh-risk and critical patches — CVSS 7.0 or above — must be applied within the 14-day window. Lower severity patches have more flexibility.
CVE severity scoringThe OPUS compliance dashboard scores non-compliant devices by CVE severity using Microsoft's security data. Critical and high-risk gaps are immediately visible and distinguishable from lower-severity issues — the same risk framework CE uses.
Exemptions and exceptionsDevices that cannot be patched must have a documented justification and, where appropriate, network isolation.
Device Exemptions with audit trailExemptions are logged with a reason, a duration, and full write-back to Azure tags. Every active and historical exemption is retained — demonstrating that unpatched devices are a documented, managed exception rather than an oversight.
Ongoing compliance — not just at assessment timeThe 2026 update requires that certified controls are maintained throughout the certification period, not just on the day of assessment.
Autonomous ModeOPUS can run the full patch cycle automatically every month — assessment, deployment, compliance recording — without manual intervention. The process runs whether someone remembers to trigger it or not. Compliance does not drift between assessment cycles.
The renewal problem

Passing once is easy. Staying compliant is the hard part.

Assessor data consistently shows the same pattern: organisations pass their initial CE assessment with patching well under control, and then fail the renewal 12 months later. Not because anything fundamentally changed, but because patching discipline drifted — quietly, gradually, over the course of a year.

Month 1
CE assessment passed. Patching process working well, all devices within the 14-day window.
Month 3
Patch cycle runs as normal. Compliance maintained.
Month 5
A problematic patch causes issues. Automatic updates paused temporarily on several servers while investigation runs. Someone forgets to re-enable them.
Month 7
The team is busy with a large project. The manual patch process runs late. A handful of devices miss the 14-day window. No one notices.
Month 9
Staff change. The new person inherits the patching process but doesn't know the full sequence. Some steps are skipped.
Month 12
CE renewal assessment. Multiple devices are 60–90 days behind on critical patches. Automatic failure under Danzell. Existing certificate revoked.

None of the steps above are unusual. They happen in real organisations every year. The pattern is not negligence — it is the natural result of a manual process that depends on consistent human attention over a 12-month period. OPUS's Autonomous Mode removes that dependency. The patch cycle runs every month because the system runs it, not because someone remembered to.

For MSPs and multi-tenant environments

One client is manageable. Ten is a different problem.

The 2026 Danzell update introduced an expectation that each legal entity within a group may require its own CE certificate. For MSPs managing multiple client environments, this means CE compliance is not a one-time achievement — it is a continuous operational requirement across every client, every month.

What this means in practice for MSPs

Each client environment needs a demonstrable, auditable patching process that can produce compliance evidence on demand. Manually managing this across ten client tenants — separate portal sessions, separate compliance exports, separate audit trails — multiplies the effort by ten and creates ten separate points of failure.

OPUS manages unlimited tenants from a single interface. Each tenant has its own isolated compliance history, its own activity audit log, and its own ITSM integration if required. Producing CE-ready patch compliance evidence for any client, for any previous month, is the same 30-second export regardless of how many clients you manage.

The governed workflow runs identically across every tenant. The process scales with your client base — the work doesn't.

Run your patch cycle properly. The CE evidence follows.

OPUS structures your Azure patching process around Patch Tuesday, captures compliance history automatically, and produces the audit-ready evidence your assessor expects — without any additional effort on your part. 90-day free trial, no device cap, no payment details required.

Start Free Trial

90-day free trial. No payment details required.