Cyber Essentials is the UK Government’s baseline security certification, and from 28 April 2026 the rules are changing. If your business holds Cyber Essentials or Cyber Essentials Plus — or you are planning to certify — these updates affect you directly.
Key point: Assessments created after 28 April 2026 will use the new requirements. Fail on any of the tightened controls and you fail the whole assessment.
What is actually changing?
IASME, which manages the scheme on behalf of the NCSC, has published version 3.3 of the requirements. Three areas see the biggest changes.
1. MFA is now a hard pass-or-fail
Multi-factor authentication has been part of Cyber Essentials for a while, but enforcement was inconsistent. From April, the rule is simple: if a cloud service offers MFA — whether free, bundled, or paid — you must have it switched on. If you do not, that is an automatic fail.
This applies to every cloud service in scope, not just Microsoft 365 or Google Workspace. Think accounting software, CRM platforms, file storage, project management tools. If your team logs in with an email address and the service supports MFA, it needs to be enabled.
Passwordless methods such as passkeys and FIDO2 keys count towards MFA requirements, provided they use more than one factor (for example, possession plus a biometric). The NCSC is actively encouraging organisations to adopt passkeys as their default.
2. Patching gets a strict 14-day window
Previously, the patching requirements left some room for interpretation. The new rules remove that ambiguity: all high-risk or critical security updates must be applied within 14 days of release. This covers operating systems, firmware, applications, browser extensions — everything.
Miss the window on even one device in scope and it is an automatic fail.
Watch out: Auditors have reported cases where organisations applied patches only to the specific devices being sampled, not across the full estate. The updated guidance makes clear that patching must be consistent across all in-scope systems.
3. Cloud services can no longer be excluded
For the first time, the scheme includes a formal definition of what counts as a cloud service: any on-demand, scalable service hosted on shared infrastructure and accessed via the internet through an account. If your organisation’s data sits on a cloud platform, that platform is in scope. You cannot carve it out.
This is a significant change for businesses that previously scoped cloud services out of their assessment to simplify the process. That option is gone.
What should you do now?
You have roughly four weeks. Here is a practical checklist.
Audit your MFA coverage. List every cloud service your business uses. Check whether MFA is available and whether it is turned on. Pay particular attention to services where staff may have set up their own accounts — shadow IT is a common gap.
Review your patching process. Can you demonstrate that critical patches are applied across all devices within 14 days? If you rely on manual updates or staff doing their own, this is the time to move to a managed patching solution.
Map your cloud services. Make sure every cloud platform that stores or processes business data is included in your Cyber Essentials scope. If you have been excluding services, they need to come back in.
Check your renewal date. If your certification expires before 28 April, you can renew under the current rules. If it expires after, you will be assessed against the new requirements. Either way, preparing early avoids a last-minute scramble.
Talk to your IT provider. If you use a managed service provider, confirm they are aware of the changes and can support you through the transition. A good provider should already be in touch about this.
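The MFA and patching checks in this checklist, as an added example that is not from the article, IASME or the NCSC: a small Python pre-check that applies the v3.3 rules to an inventory (a cloud service that offers MFA but has it off is a fail; a high or critical update applied more than 14 days after release, or still missing once that deadline has passed, is a fail; one miss on either control fails the assessment). The device names, update names, services and assessment date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # v3.3: high/critical updates applied within 14 days of release

@dataclass
class Update:
    name: str
    severity: str             # "critical", "high", "medium", "low"
    released: date
    applied: Optional[date]   # None = still not installed

@dataclass
class CloudService:
    name: str
    mfa_available: bool
    mfa_enabled: bool

def patch_failures(devices: dict[str, list[Update]], today: date) -> list[str]:
    """High/critical updates installed after the deadline, or still missing past it (day 14 itself passes)."""
    failures = []
    for device, updates in devices.items():
        for upd in updates:
            if upd.severity not in ("critical", "high"):
                continue
            deadline = upd.released + PATCH_WINDOW
            effective = upd.applied if upd.applied is not None else today  # missing = late as of today
            if effective > deadline:
                failures.append(f"{device}: {upd.name}")
    return failures

def mfa_failures(services: list[CloudService]) -> list[str]:
    """Any in-scope cloud service that offers MFA but has it switched off."""
    return [s.name for s in services if s.mfa_available and not s.mfa_enabled]

def assessment_passes(devices, services, today) -> bool:
    return not (patch_failures(devices, today) or mfa_failures(services))  # one miss fails the whole assessment

# Constructed sample estate (not real data); assessment date 12 May 2026.
TODAY = date(2026, 5, 12)
DEVICES = {
    "laptop-01": [Update("OS cumulative", "critical", date(2026, 4, 14), date(2026, 4, 28)),  # day 14: ok
                  Update("Browser ext 4.2", "high", date(2026, 4, 20), date(2026, 5, 6))],   # day 16: fail
    "laptop-02": [Update("Firmware 1.9", "critical", date(2026, 4, 20), None),   # missing at day 22: fail
                  Update("Office 16.90", "medium", date(2026, 4, 1), None)],     # not high/critical: ignored
    "laptop-03": [Update("OS May rollup", "critical", date(2026, 5, 5), None)],  # day 7: deadline not reached
}
SERVICES = [CloudService("Microsoft 365", True, True),
            CloudService("Accounting SaaS", True, False),  # MFA offered but off: fail
            CloudService("Legacy portal", False, False)]   # no MFA offered: not a fail under this control
```

Feed it the output of your real inventory (MDM or RMM export for devices, an SSO or SaaS register for services) and the two failure lists are the items to fix before the assessment.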
Why this matters beyond the certificate
Cyber Essentials is not just a badge for your website. Government contracts increasingly require it, and insurers are starting to ask about certification status when pricing cyber liability cover. More importantly, the controls it mandates — MFA, patching, access control — are the basics that stop the vast majority of common attacks.
The NCSC’s own data shows that Cyber Essentials-certified organisations are significantly less likely to make a cyber insurance claim. These are not theoretical protections.
Bottom line: The April 2026 update makes Cyber Essentials harder to pass but more meaningful to hold. If your business takes these requirements seriously, you will be genuinely better protected.
Need help preparing for the new Cyber Essentials requirements? We can review your current setup and get you ready before the deadline.