
From 27 April 2026, every cloud service an organisation uses is in scope for Cyber Essentials Plus. That includes the HR platform the operations team logs into twice a week, the cloud accounting tool finance uses for payroll, and the project management software marketing adopted last quarter. None of these could be excluded before. Now they all count, and a single missing MFA setting on any one of them is enough to fail the entire assessment.
The IASME Consortium published question set version 3.3 (Danzell) on 27 April 2026. For Cyber Essentials Plus government suppliers, where certification increasingly determines contract eligibility, several of these changes carry immediate commercial consequences.
Four changes matter most for organisations holding or pursuing CE+ certification.
MFA enforcement is now an auto-fail criterion. Where a cloud service offers multi-factor authentication and the applicant has not enabled it, the assessment fails. No partial credit. No mitigation narrative. The assessor marks it as a fail and the organisation starts again. This applies to every cloud service in scope, not only the ones an organisation considers critical.
Patching timelines are tighter and more specific. Questions A6.4 and A6.5 now require high-severity and critical updates to be applied within 14 days for operating systems, routers, firewalls, and applications. Organisations that relied on quarterly patch cycles or deprioritised application-layer updates will find themselves outside the window.
Cloud services cannot be excluded from scope. The updated definition covers any on-demand, scalable service hosted on shared infrastructure and accessible via the internet. Organisations that previously scoped out SaaS tools or cloud-hosted line-of-business applications no longer have that option.
The Vulnerability Self-Assessment must be finalised before CE+ testing begins. Previously, some organisations corrected issues identified during the CE+ audit and passed retroactively. That loophole is closed. The VSA is a prerequisite, not a parallel workstream.
Other changes include recognition of passwordless authentication and passkeys, a requirement for a legal entity identifier, and board member declarations that now include ongoing compliance responsibility. These are less likely to cause failures but confirm that CE+ is becoming a continuous commitment, not an annual exercise.
The assumption that Cyber Essentials Plus is primarily an NHS requirement has not been accurate for some time. Procurement mandates now span central government, defence, the NHS, and financial services supply chains.
Procurement Policy Note 014 (Cabinet Office, February 2025) applies to all central government departments, executive agencies, non-departmental public bodies, and NHS bodies. Any contract involving personal data handling or ICT at OFFICIAL classification level must include either Cyber Essentials or Cyber Essentials Plus, proportionate to risk. PPN 014 does not mandate CE+ universally across all government contracts. It mandates CE as a minimum, with CE+ expected where the contract involves direct access to government systems, processing of sensitive personal data, or supply chain risk assessed as elevated. In practice, procurement teams at departments including the Home Office, HMRC, and MOD routinely specify CE+ at the call-off stage.
CCS frameworks including G-Cloud 14 and Digital Outcomes 6 flow PPN 014 requirements down to call-off contracts involving personal data. A supplier winning work through these frameworks should expect CE+ to be a condition at the call-off stage.
NHS Supply Chain has required CE+ specifically (not Cyber Essentials alone) from September 2025 for in-scope suppliers. The distinction matters. CE is a self-assessment. CE+ involves hands-on technical testing by a qualified assessor. For suppliers selling software, hardware, or managed services into NHS trusts, CE+ is the baseline.
DEFCON 658 requires prime contractors to flow down cybersecurity requirements to their supply chain. The Defence Cyber Certification scheme, delivered via IASME, maps directly to Cyber Essentials and Cyber Essentials Plus. Level 0 and Level 1 certification correspond to CE, while Level 2 and Level 3 require CE+. The Cyber Security Model version 4, launched in December 2025, reinforces these requirements through updated risk profiling.
The FCA and PRA do not mandate Cyber Essentials certification. Six major UK banks, however, signed the Cyber Essentials Supply Chain Commitment on 23 October 2024: Barclays, Lloyds Banking Group, Nationwide Building Society, NatWest Group, Santander UK, and TSB. The commitment is voluntary but sends a clear signal to technology vendors, managed service providers, and professional services firms selling into banking. Suppliers without CE+ certification will increasingly find themselves excluded from shortlists, even without a formal regulatory requirement.
Many organisations pursue CE+ without a clear picture of what the technical testing looks like. The assessment is a remote session, typically lasting two to four hours, in which a qualified assessor connects to the organisation's systems over a secure link.
The assessor selects a sample of devices, covering laptops, desktops, servers, mobile devices, and network equipment. They verify that operating systems and applications are patched within the required windows, that firewalls are configured correctly, that admin accounts are limited and protected, and that MFA is active on every in-scope cloud service.
For an IT manager or CTO sitting through the session, the experience is closer to a structured technical review than an audit. The assessor works through the five control areas methodically, requesting screen shares, running configuration checks, and documenting findings in real time. If the assessor identifies a failure, such as an unpatched application or a cloud service without MFA, the assessment stops. Under the v3.3 rules, there is no option to remediate mid-session and continue. The organisation must fix the issue and book a new assessment.
This is why preparation matters more than it used to. The VSA must be completed and clean before the assessor logs on. Devices must be patched, configurations verified, and MFA confirmed across every cloud service in scope, not just the ones the IT team considers high-risk.
NHS suppliers holding CE+ previously used it to satisfy certain evidence items within the Data Security and Protection Toolkit. That relationship has changed.
DSPT v8 evidence item 4.5.3 requires MFA enforcement on all remote access and all privileged access to externally hosted systems. CE+ certification alone no longer satisfies this requirement. The DSPT MFA policy is more prescriptive than the CE+ MFA requirement, and NHS England has removed the equivalence that previously existed.
CE+ still reduces the DSPT audit scope for other evidence items. Holding it remains valuable. But NHS suppliers relying on CE+ as their sole evidence for MFA compliance need to address evidence item 4.5.3 separately before the 30 June 2026 DSPT deadline.
For a full breakdown of DSPT v8 changes and the evidence requirements, see our guide to DSPT v8 requirements.
Assessment bodies report consistent patterns in CE+ failures. The April 2026 changes make several of these patterns more punishing.
BYOD without consistent controls. Organisations that allow personal devices to access corporate systems struggle to demonstrate uniform security policy enforcement. If a personal laptop connects to a cloud service that is now in scope, the device must meet CE+ standards. Many organisations have policies that permit BYOD but lack the technical controls to enforce patching, MFA, and configuration baselines on those devices.
Selective patching. Some organisations only patch a sample of devices and present evidence for those. The v3.3 retesting rules now require assessors to test original sampled devices and a new random sample. Organisations that patched the machines they expected to be tested will be caught.
Cloud misconfiguration. With cloud services no longer excludable, organisations face scrutiny on SaaS security settings, admin account controls, and data sharing configurations they may never have audited. A marketing team's project management tool and a finance team's cloud accounting platform are now in scope alongside the core IT stack.
MFA gaps on non-core systems. The auto-fail criterion applies to all cloud services where MFA is available. An organisation might have MFA on Microsoft 365 and AWS but not on its CRM, HR platform, or document signing tool. One gap is enough to fail.
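As an added example (not Naq's platform code or anything from the IASME question set), a pre-assessment check that encodes the two v3.3 rules behind the failure patterns above: any in-scope cloud service that offers MFA without enforcing it, and any high or critical update older than 14 days on a sampled device. The data model, field names and inventory are constructed for illustration; an organisation would populate them from its own SaaS register and patch reports.

```python
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14                 # A6.4/A6.5: high and critical updates within 14 days
FAIL_SEVERITIES = {"critical", "high"}
ASSESSMENT_DATE = date(2026, 4, 27)    # constructed: the day the v3.3 question set took effect

@dataclass
class CloudService:                    # constructed data model, not IASME's
    name: str
    mfa_available: bool
    mfa_enforced: bool                 # enforced for every account, not just switched on for some

@dataclass
class PendingUpdate:
    device: str
    package: str
    severity: str
    released: date

def mfa_findings(services):
    """One finding per cloud service where MFA is offered but not enforced (auto-fail)."""
    return [f"{s.name}: MFA available but not enforced (auto-fail)"
            for s in services if s.mfa_available and not s.mfa_enforced]

def patch_findings(updates, today):
    """One finding per high/critical update still pending after the 14-day window."""
    out = []
    for u in updates:
        age = (today - u.released).days
        if u.severity.lower() in FAIL_SEVERITIES and age > PATCH_WINDOW_DAYS:
            out.append(f"{u.device}: {u.package} ({u.severity}) is {age} days old")
    return out

def readiness(services, updates, today):
    """A single finding stops the assessment, so report every one of them."""
    findings = mfa_findings(services) + patch_findings(updates, today)
    return {"ready": not findings, "findings": findings}

# Constructed inventory: the core stack has MFA, a non-core finance tool does not.
SERVICES = [
    CloudService("Microsoft 365", mfa_available=True, mfa_enforced=True),
    CloudService("Cloud accounting", mfa_available=True, mfa_enforced=False),
    CloudService("Legacy portal", mfa_available=False, mfa_enforced=False),  # no MFA offered: no fail
]
UPDATES = [
    PendingUpdate("LAPTOP-07", "browser", "critical", date(2026, 4, 1)),  # 26 days old: fail
    PendingUpdate("LAPTOP-07", "office suite", "low", date(2026, 3, 1)),  # low severity: not counted
    PendingUpdate("SRV-02", "os kernel", "high", date(2026, 4, 20)),      # 7 days old: in window
]
REPORT = readiness(SERVICES, UPDATES, ASSESSMENT_DATE)  # {'ready': False, 'findings': [...2 items]}
```

A service that offers no MFA at all is not an auto-fail under this rule, which is why the legacy portal produces no finding; the gap that fails the run is the finance tool nobody thought of as core.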
Government suppliers rarely hold a single certification. The practical question is how CE+ evidence maps to other frameworks and where it reduces duplication.
Cyber Essentials covers approximately five of ISO 27001's 93 Annex A controls. The overlap is narrow but the evidence transfers directly. Access control policies, patch management records, and firewall configuration documentation produced for CE+ can be reused for ISO 27001 audits without rework.
CE+ reduces the DSPT audit scope for NHS suppliers, covering technical security controls that would otherwise require separate evidence gathering. It does not replace the DSPT, but it shortens the work.
The DTAC cybersecurity pillar, required for digital health technologies used in the NHS, overlaps with CE+ on network security, access control, and vulnerability management. Suppliers holding CE+ will find several DTAC evidence requirements already met.
For defence suppliers, MOD DefStan 05-138 mapping includes Cyber Essentials. Suppliers pursuing MOD Secure by Design compliance can use CE+ evidence as a foundation for the security requirements at lower classification levels.
The commercial value is in evidence reuse. Producing documentation once and mapping it across frameworks reduces the hours spent on compliance without reducing the rigour. An ISO 27001 guide covering the full control set and its relationship to CE+ is published separately.
The NCSC Cyber Essentials Impact Report (NCSC, 2023) found that organisations holding Cyber Essentials certification are 92% less likely to make a cyber insurance claim. For a supplier weighing the cost of certification against the cost of a breach, that statistic reframes the conversation from expense to risk reduction.
The Cyber Security Breaches Survey 2025 (DSIT, 2025) found that 43% of UK businesses experienced a cyber breach or attack in the past 12 months. The same survey reports that only 3% of UK businesses hold Cyber Essentials certification. The gap between threat exposure and certified preparedness is wide, and for government suppliers, it represents both a risk and a competitive opportunity. Holding CE+ places an organisation in a small minority that can demonstrate verified technical controls to procurement teams.
Academic research in the GOV.UK Cyber Essentials impact evaluation (Such et al., 2015) found that the five CE controls mitigate 99% of internet-originating vulnerabilities. That study is over a decade old, but the NCSC has reaffirmed the finding in subsequent publications, including the 2023 Impact Report, on the basis that the underlying attack vectors have not materially changed.
The cost of inaction is concrete. The Synnovis ransomware attack in June 2024 led to 10,129 postponed NHS appointments (NHS England, 2024), with full recovery taking until December 2024. The NCSC Annual Review 2025 recorded 204 nationally significant cyber incidents, up from 89 the previous year. For suppliers holding government data or operating systems on behalf of public bodies, the reputational and contractual consequences of a breach extend well beyond the immediate disruption.
For organisations with turnover under 20 million, Cyber Essentials certification includes free Cyber Liability Insurance. CE+ builds on this foundation with verified technical controls that stand up to procurement scrutiny.
Cyber Essentials and Cyber Essentials Plus are delivered through IASME, the NCSC's delivery partner.
Cyber Essentials is a self-assessment. The applicant completes a questionnaire covering five technical controls (firewalls, secure configuration, access control, malware protection, and patch management), and a Certifying Body reviews the responses. Fees range from 320 to over 600 pounds plus VAT depending on organisation size.
Cyber Essentials Plus adds hands-on technical testing. A qualified assessor remotely tests a sample of the organisation's devices, systems, and configurations against the same five controls. CE+ is quoted individually based on scope and complexity. Market pricing for SMEs typically falls between 1,500 and 5,000 pounds plus VAT.
A prepared SME can expect the end-to-end process to take four to eight weeks, covering initial gap analysis, remediation of any issues identified, CE self-assessment completion, and CE+ technical testing. The VSA must be finalised before CE+ testing begins under the April 2026 rules, so organisations should not plan to run these in parallel.
Certification is annual. The renewal process follows the same structure, and the v3.3 question set applies to all assessments from 27 April 2026 regardless of when the previous certificate was issued.
Government suppliers managing CE+ alongside ISO 27001, DSPT, DTAC, or Defence Cyber Certification face a practical problem: the same evidence, reformatted and re-uploaded into different portals, absorbing hours that could go toward actual security improvements.
Naq automates Cyber Essentials Plus preparation and certification as an IASME Certifying Body. The platform maps evidence across more than 20 compliance frameworks from a single dashboard, with over 300 integrations pulling configuration data directly from the tools an organisation already uses. Documentation produced for one framework populates the relevant controls in others automatically, eliminating the duplicate evidence gathering that slows down multi-framework compliance.
Naq supports CE and CE+ certification directly, which forms the foundation of Defence Cyber Certification for suppliers in the MOD supply chain.
Book a demo to see how the platform prepares your organisation for CE+ under the April 2026 rules.
Does PPN 014 require Cyber Essentials Plus for all government contracts?
No. PPN 014 (Cabinet Office, February 2025) requires Cyber Essentials as a minimum for contracts involving personal data handling or ICT at OFFICIAL classification level. CE+ is expected where the risk profile warrants it, particularly for contracts involving direct access to government systems or processing of sensitive personal data. It is not a blanket mandate across all government procurement.

Can cloud services still be excluded from a CE+ assessment?
Not under the v3.3 question set effective 27 April 2026. Any on-demand, scalable service hosted on shared infrastructure and accessible via the internet is in scope.

Does CE+ still satisfy DSPT v8 MFA requirements?
CE+ no longer satisfies evidence item 4.5.3 in DSPT v8, which requires MFA enforcement on all remote access and all privileged access to externally hosted systems. CE+ does still reduce the DSPT audit scope for other evidence items.

How much does Cyber Essentials Plus certification cost?
Cyber Essentials self-assessment fees range from 320 to 600 pounds plus VAT by organisation size. CE+ technical testing is quoted individually, with SME pricing typically between 1,500 and 5,000 pounds plus VAT depending on scope.

What happens if you fail the CE+ assessment under v3.3?
The assessment stops at the point of failure. Under the updated rules, there is no option to remediate during the session. The organisation must fix the issue and book a new assessment. Common failure points include missing MFA on non-core cloud services, unpatched applications, and BYOD devices that do not meet configuration baselines.