April 5, 2026

Cyber Essentials 2026: What the April Update Changes and How to Prepare

The Cyber Essentials 2026 update takes effect on 27 April and it is more significant than the usual annual revision. The NCSC and IASME have tightened assessment criteria, introduced automatic failure conditions, and closed loopholes that allowed some organisations to certify without genuinely meeting the standard.

If your organisation holds Cyber Essentials or Cyber Essentials Plus certification, or you are planning to certify for the first time, here is what you need to know before renewal.

The five controls remain. The marking criteria do not.

The core structure of Cyber Essentials has not changed. The five technical controls, covering firewalls, secure configuration, user access control, malware protection, and security update management, remain in place.

What has changed is enforcement. The updated scheme, known as version 3.3 or the "Danzell" question set, introduces automatic failure criteria for MFA and patching. Under previous versions, gaps in these areas could be flagged as non-compliance without necessarily resulting in a failed certification. That flexibility is gone.

Cyber Essentials MFA requirements from 27 April 2026

Multi-factor authentication has been part of Cyber Essentials for some time, but there was room for interpretation around when it needed to be enabled.

From 27 April, MFA must be enabled on every cloud service that supports it. If a cloud service offers MFA, whether that is free, included, or available at additional cost, and your organisation has not switched it on, you will automatically fail the assessment. No remediation window.

This applies across SaaS platforms, email, identity providers, remote access tools, and any other cloud service that stores or processes your organisation's data. IASME has been clear that the cost of an MFA add-on is not an acceptable reason for not implementing it.

Critical patches must be applied within 14 days

The patching window has been formalised. High-risk and critical security updates for operating systems, applications, and firmware must be applied within 14 days of release. Missing this deadline is another automatic failure condition.

Previous assessments allowed organisations to receive up to two major non-compliances for patching gaps and still pass. That tolerance has been removed. IASME identified instances where organisations were achieving certification despite not applying critical security updates promptly, and this change is a direct response.

Cloud services can no longer be excluded from scope

The updated requirements include a formal definition of cloud services and make it explicit that they cannot be excluded from the assessment scope.

A cloud service, for Cyber Essentials purposes, is any on-demand, scalable service hosted on shared infrastructure, accessed via the internet through an organisational account, that stores or processes your organisation's data. That covers everything from Microsoft 365 and Google Workspace through to CRM platforms, accounting software, and HR systems.

Organisations that previously scoped their assessment narrowly to exclude certain cloud platforms will need to bring them into scope. The update also requires organisations to describe and justify any areas of infrastructure they have excluded, adding transparency to the scoping process.

What the Cyber Essentials 2026 update means commercially

Cyber Essentials certification is already a prerequisite for many UK public sector contracts under PPN 014. The NCSC published a Cyber Essentials supply chain playbook in early 2026, encouraging larger organisations to require certification from their suppliers as a minimum security baseline. The Cyber Security and Resilience Bill, currently progressing through Parliament, is expected to increase supply chain scrutiny further.

For SMEs that supply larger businesses or bid for government work, maintaining valid Cyber Essentials certification is a commercial requirement. Failing to achieve it under the stricter criteria could mean being excluded from tender processes before a conversation starts.

How to prepare before the Cyber Essentials April 2026 deadline

The practical steps need doing now rather than at renewal time.

Audit your MFA coverage. Check every cloud service your organisation uses and confirm MFA is enabled. If any service offers MFA that you have not turned on, enable it. This is the most likely cause of automatic failures under the new rules.

Review your patching process. Confirm that your organisation can consistently apply critical updates within 14 days. If your current process is slower than that, or relies on manual checks, address it now.

Map your cloud services. Build a clear picture of every cloud platform in use across the business. Under the new scope rules, nothing accessed via the internet and used to store company data can be excluded.

Check your renewal timing. Assessment accounts created before 27 April can still be completed under the current Willow question set. If your renewal falls in the next few months and you are not confident you will meet the new criteria immediately, there may be value in starting the process before the cutoff. Once an account is created, you have six months to complete the assessment.

Where the scheme is heading

The April 2026 update signals where Cyber Essentials is going. Certification will increasingly need to reflect genuine security practice rather than a paperwork exercise. The tightening of auto-fail criteria, the broader cloud scope, and the emphasis on passwordless authentication (including FIDO2-compliant passkeys) all point toward a scheme that rewards operational discipline over box-ticking.

Naq supports Cyber Essentials and Cyber Essentials Plus compliance as part of its multi-framework platform, with automated evidence gathering, policy generation, and continuous monitoring to help organisations stay certification-ready between assessments. For organisations that also manage ISO 27001 or GDPR alongside Cyber Essentials, the platform maps controls across overlapping standards so evidence collected for one framework counts towards others.


Written by
The Naq Team