Changes to Cyber Essentials 2026
The NCSC and IASME have just announced significant updates to the Cyber Essentials scheme, set to take effect on April 27, 2026. These changes represent some of the most substantial modifications to the certification framework in recent years, driven by findings from breach investigations and audit insights.
While the five core controls remain unchanged, organisations seeking or maintaining Cyber Essentials certification need to understand these new requirements to ensure continued compliance.
The Critical Auto-Fail Requirements
Multi-Factor Authentication (MFA) Now Mandatory
Previously announced in November 2025, MFA implementation has moved from best practice to an absolute requirement. From April 27, 2026:
- All cloud services must have MFA enabled where the functionality is available
- Failure to implement MFA will result in automatic assessment failure
- No exceptions will be granted if the service provider offers MFA capability
This change reflects the reality that compromised credentials remain one of the most common attack vectors. With MFA widely available across cloud platforms, there's no longer a justification for organisations to operate without this essential security layer.
14-Day Patching Window Becomes Mandatory
Perhaps the most significant new change introduces strict timelines for security updates. Questions A6.4 and A6.5 are now auto-fail criteria, meaning organisations must:
- Install high-risk or critical security updates within 14 days of release
- Apply updates across operating systems, router and firewall firmware, and applications
- Maintain evidence of compliance with these timeframes
This requirement acknowledges that delayed patching is consistently identified in breach investigations. Attackers routinely exploit known vulnerabilities, often within days of public disclosure. The 14-day window represents a balance between operational practicality and security necessity.
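One way to measure an estate against the 14-day window for critical and high-risk updates, and to keep the evidence the scheme asks for, is a small compliance check like the one below. This is an added example, not code from the article or from NCSC/IASME; the inventory rows, device names and update identifiers are constructed for illustration, and a real deployment would feed it from your patch management or MDM export.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (not from the article): one row per device/update pair
# with the vendor release date and the observed install date (None = not yet applied).
CONSTRUCTED_INVENTORY = [
    {"device": "laptop-01", "update": "KB-A", "severity": "critical",
     "released": "2026-05-01", "installed": "2026-05-09"},
    {"device": "laptop-02", "update": "KB-A", "severity": "critical",
     "released": "2026-05-01", "installed": "2026-05-20"},
    {"device": "fw-edge-01", "update": "fw-1.2.3", "severity": "high",
     "released": "2026-05-03", "installed": None},
    {"device": "laptop-03", "update": "KB-B", "severity": "low",
     "released": "2026-04-01", "installed": None},
]

PATCH_WINDOW_DAYS = 14                      # the CE 2026 window for critical/high updates
IN_SCOPE_SEVERITIES = {"critical", "high"}  # lower severities are outside the auto-fail rule


@dataclass
class Finding:
    device: str
    update: str
    status: str  # "compliant", "late", "overdue" or "pending"
    days: int    # days taken to install, or age of a missing update


def assess(rows, as_of):
    """Return one Finding per critical/high row, measured against the 14-day window."""
    findings = []
    for r in rows:
        if r["severity"].lower() not in IN_SCOPE_SEVERITIES:
            continue
        released = date.fromisoformat(r["released"])
        if r["installed"] is None:
            age = (as_of - released).days
            status = "overdue" if age > PATCH_WINDOW_DAYS else "pending"
            findings.append(Finding(r["device"], r["update"], status, age))
        else:
            took = (date.fromisoformat(r["installed"]) - released).days
            status = "compliant" if took <= PATCH_WINDOW_DAYS else "late"
            findings.append(Finding(r["device"], r["update"], status, took))
    return findings


def non_compliant(findings):
    """The rows an assessor would flag: installed late, or still missing past the window."""
    return [f for f in findings if f.status in ("late", "overdue")]


if __name__ == "__main__":
    for f in assess(CONSTRUCTED_INVENTORY, date(2026, 5, 25)):
        print(f"{f.device:12} {f.update:10} {f.status:10} {f.days:>3} days")
```

Run it on a regular schedule and keep the output as the compliance evidence the scheme expects; the same check applied to every device, rather than a sample, is what the CE+ random re-test is designed to verify.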
Enhanced Scope Definition and Transparency
Organisations will face more rigorous requirements around defining their certification scope:
Detailed Scope Descriptions
- No word limit on scope descriptions
- Scope details will be visible on the digital certification platform
- All legal entities within scope must be detailed in a new mandatory question
Scope Exclusions Must Be Justified
- Any areas excluded from scope must be explicitly documented
- Organisations must provide reasons for exclusions
- While exclusion details won't be public, they'll be available to assessors and certification bodies
Individual Entity Certificates
For organisations with multiple legal entities, individual certificates will be available for each entity within the larger scope, providing clearer accountability and transparency.
This increased transparency addresses a longstanding issue where scope ambiguity sometimes allowed organisations to gain certification while excluding significant portions of their IT infrastructure.
Cyber Essentials Plus: Stricter Verification
The CE+ assessment process is being strengthened to ensure update management isn't just performed on tested devices:
Extended Update Verification
- Assessors will re-test devices that were missing updates (existing requirement)
- Assessors will also test a new random sample to verify updates have been applied organisation-wide
- This prevents organisations from only updating devices likely to be tested
No Post-Testing Adjustments
- Organisations cannot modify their VSA responses after CE+ testing begins
- This ensures the assessment reflects the actual state of security controls, not post-discovery corrections
What This Means for Your Organisation
If You're Planning Certification
Start implementing these requirements now, even though they don't take effect until April 27, 2026:
- Audit all cloud services and enable MFA where available
- Review your patch management processes to ensure critical updates can be deployed within 14 days
- Document your scope thoroughly, including all legal entities and any exclusions with justifications
- Ensure updates are applied consistently across your entire estate, not just representative samples
If You Hold Current Certification
Your current certificate remains valid until renewal, but:
- Plan for the stricter requirements well before your renewal date
- Consider conducting an internal gap analysis against the new criteria
- Review whether your current scope definition meets the new transparency standards
For Cyber Essentials Plus Holders
- Ensure your update management is consistent across all devices
- Don't rely on fixing issues identified during testing—the assessor will verify wider compliance
- Finalise your VSA responses carefully before testing begins
Why These Changes Matter
These updates aren't arbitrary bureaucracy—they're responses to real-world security incidents. IASME explicitly states these changes are "based on findings from breach investigations, and evaluation of insights gained from audits."
The common factors in many breaches include:
- Compromised accounts without MFA protection
- Exploitation of unpatched vulnerabilities
- Unclear scope boundaries allowing critical systems to fall outside certification
- Inconsistent security practices across an organisation's estate
The new requirements directly address these vulnerabilities, making Cyber Essentials a more robust assurance framework.
The Defence Sector Connection
For organisations pursuing MOD contracts, these changes have particular significance. Cyber Essentials remains a baseline requirement for Defence Cyber Certification (DCC), and the stricter controls align with the threat landscape facing defence supply chains.
The 14-day patching requirement, in particular, reflects expectations already present in higher-level defence frameworks. Organisations working toward DCC compliance should view these changes as helpful alignment rather than additional burden.
Preparing for April 27, 2026
With just over two months until these requirements take effect, organisations should:
- Conduct an immediate MFA audit—identify any cloud services without MFA and implement it
- Review patch management processes—can you consistently meet the 14-day requirement?
- Document your scope comprehensively—prepare detailed descriptions and identify any exclusions
- Test your update deployment—ensure patches can reach all devices, not just tested samples
- Engage with your certification body—discuss any concerns or clarification needs
Getting Support
Periculo specialises in helping organisations achieve and maintain Cyber Essentials certification, including navigating scheme changes like these. Whether you're seeking initial certification or need to ensure your existing certificate can be renewed under the new requirements, we can provide:
- Gap analysis against the updated v3.3 requirements
- Patch management policy development to meet the 14-day requirement
- MFA implementation guidance across your cloud services estate
- Scope definition support to ensure clarity and compliance
- CE+ preparation, including mock assessments under the new methodology
The April 2026 changes represent a significant strengthening of the Cyber Essentials scheme. While they increase the bar for compliance, they also increase the value of the certification as a meaningful security assurance framework.
Organisations that take these requirements seriously—implementing robust controls rather than seeking minimum compliance—will find themselves better protected against the evolving threat landscape, regardless of the certification requirements.
Need help preparing for the new Cyber Essentials requirements? Contact Us to discuss how we can support your compliance journey.