
Cyber Essentials Changes (April 2026) – What you need to know

  • Apr 29
  • 3 min read

First introduced in 2014 and developed in conjunction with the UK Government, Cyber Essentials has become a standard benchmark for baseline cybersecurity, with around 35,000 organisations currently certified. CE was created to help organisations address common security vulnerabilities by introducing a set of practical controls to prevent the most common attacks.

As ways of working and the threats against them have changed, IASME, the certification body responsible for CE, has made some important changes to the certification requirements.

Why are these changes being made?

The initial mechanism for certification was a product of its time, and as the way we work and consume services has changed, it was time to ensure that the certification reflected those changes. This now aligns CE better with modern ways of working (especially cloud). There was also a desire to make CE more of a security practice rather than a tick-box exercise, so it now requires ongoing commitment. These changes ensure that CE is more aligned to today's threats and more capable of mitigating common risks.

 

Firstly, let's look at what hasn’t changed.

Cyber Essentials is still built upon five key pillars that remain the same:

·         Firewalls

·         Secure configuration

·         User access control

·         Malware protection

·         Security updates

 

These are still relevant as foundational security.

 

What’s Changed with Cyber Essentials in 2026

 

Stricter rules (less room for interpretation or vague answers)

You now need to fully meet each requirement, not just "mostly", which makes passing more stringent. For example, previously an IT admin could answer "We usually remove old user accounts" and pass; that no longer works. Organisations must now describe a defined process (who does it, when, and how it is recorded) and be able to show that it is consistently followed.


Multi-Factor Authentication (MFA) is now mandatory.

The rule is now that if a system or solution supports Multi-Factor Authentication (MFA), it must be used. So, if your company uses Microsoft 365 for email, you can no longer just log in with a password; MFA must be used.

Every user must now have MFA enabled on every system and tool that supports it, authenticating with an authenticator app, a text-message code or a hardware security key. Note that an app or security key resists phishing far better than a text-message code, which is the weakest of the three even though it is accepted. Compliance is judged per account: if even one user account is missing MFA, you could fail.

 

Cloud services are now fully in scope.

CE was previously ambiguous about cloud-based systems, but they now fall squarely within the scope of the assessment. If you use apps such as Dropbox or cloud accounting software, you must take responsibility for securing your use of them rather than presuming the provider handles it. In practice this means applying the same controls you apply on-premises: strong passwords and a password policy, multi-factor authentication, and access control over who can reach what.

 

Faster patching (updates must be done quickly)

Organisations without an IT support provider often fall foul of this control, either waiting too long or simply forgetting that vital patches need to be applied. Cyber Essentials requires critical and high-severity security updates to be installed within 14 days of the vendor releasing them; the clock starts at release, not at the point you notice the update. Miss that window on any in-scope device and your organisation could fail to meet the standard.
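The 14-day rule is easiest to meet when you can measure it. The script below is an added example written for this article, not a tool from Cyber Essentials, IASME or Red Maple. It takes an inventory of updates per device (constructed sample data, not a real estate), treats critical and high severity as in scope (an assumption about how the requirement is applied), and reports every update that was installed late or is still missing after its deadline, which is the kind of evidence an assessor now expects you to be able to produce on demand.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Cyber Essentials window: install within 14 days of the vendor RELEASING the
# update. The deadline is computed from the release date, never from when the
# organisation first noticed the update.
MAX_PATCH_AGE = timedelta(days=14)

# Assumption: only these severities are in scope for the 14-day rule.
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class UpdateRecord:
    device: str
    update_id: str
    severity: str              # "critical", "high", "medium" or "low"
    released: date             # vendor release date
    installed: Optional[date]  # None means the update is still not applied


def assess(records: List[UpdateRecord], today: date) -> List[Tuple[str, str, str]]:
    """Return (device, update_id, reason) for every in-scope update that
    breaches the 14-day requirement as of `today`."""
    findings = []
    for r in records:
        if r.severity.lower() not in IN_SCOPE_SEVERITIES:
            continue  # medium/low updates are not held to the 14-day clock here
        deadline = r.released + MAX_PATCH_AGE
        if r.installed is None:
            # Still missing: only a breach once the deadline has actually passed.
            if today > deadline:
                findings.append((r.device, r.update_id,
                                 f"not installed; deadline {deadline} passed"))
        elif r.installed > deadline:
            days_late = (r.installed - deadline).days
            findings.append((r.device, r.update_id,
                             f"installed {days_late} day(s) after the deadline"))
    return findings


def is_compliant(records: List[UpdateRecord], today: date) -> bool:
    """The control is pass/fail across the whole estate: one late device fails it."""
    return not assess(records, today)


# Constructed sample inventory (hypothetical device and update identifiers).
SAMPLE = [
    UpdateRecord("laptop-01", "KB-A", "critical", date(2026, 4, 1), date(2026, 4, 10)),  # on time
    UpdateRecord("laptop-02", "KB-A", "critical", date(2026, 4, 1), date(2026, 4, 20)),  # 5 days late
    UpdateRecord("server-01", "KB-B", "high",     date(2026, 4, 10), None),              # overdue, missing
    UpdateRecord("laptop-03", "KB-C", "medium",   date(2026, 3, 1), None),               # out of scope
    UpdateRecord("laptop-01", "KB-D", "critical", date(2026, 4, 25), None),              # not yet due
]

if __name__ == "__main__":
    as_of = date(2026, 5, 1)
    for device, update_id, reason in assess(SAMPLE, as_of):
        print(f"FAIL {device} {update_id}: {reason}")
    print("estate compliant:", is_compliant(SAMPLE, as_of))
```

Run it against an export from your patch-management tool (or a spreadsheet, for very small estates) on a schedule and keep the output; a dated series of clean reports is exactly the ongoing evidence the revised scheme asks for, and a report with findings tells you which device to fix before an assessor finds it.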

 

New assessment questions (Danzell update)

The Cyber Essentials questions have been rewritten to be clearer and more detailed. The new question set asks for more detail and explanation, so specific answers are required; the general statements that would have sufficed under the previous version no longer will.


Clearer scope and certification

You must clearly define which part of your business is being assessed. For multi-site organisations, that means stating whether the scope is the head office, the warehouse, and so on. Previously, only part of the organisation might be certified while the whole organisation claimed the benefit; that has changed, and more detail is now required on the scope of the business area applying for certification.


Ongoing responsibility (no longer a point-in-time snapshot)

Previously, your certification reflected your setup at the time it was issued, so if certification was issued on Monday and systems changed on Thursday, you still held the certification. This is not the case now, and certification doesn’t “protect” you if things slip or change afterwards.

You must be able to demonstrate that you’ll maintain security throughout the year and that you'll adhere to the rules around system security, MFA, patching, etc.

 

Cyber Essentials Plus (CE+) is now more thorough.

For those undertaking or maintaining Cyber Essentials Plus (CE+), things have changed a little. System auditing and testing are becoming stricter. Previously, if an assessor found a laptop missing an update or an account missing MFA, this might have been overlooked; that is no longer the case.

 

What you should do next

In simple terms:


Turn on MFA everywhere you can.

Make sure updates are done within 14 days.

Review who has access to what.

Include cloud systems in your checks.

Be ready to prove what you’re doing.

 

These changes don’t make Cyber Essentials completely different, but they do make it harder to cut corners. If your organisation is already following good practices, you should not be troubled by the changes.


If not, these updates will quickly highlight the gaps you need to address to meet a basic security standard.


If you would like to know more about certification or discuss any challenges, please get in touch.

HEAD OFFICE

Vallum Farm

East Wallhouses

Newcastle upon Tyne

NE18 0LL

SALES & ENQUIRIES

0333 323 8100

TECHNICAL SUPPORT

0333 323 8101

ABOUT US 

We’re Red Maple. We keep your IT systems safe and secure so you can keep working. When you need dependable IT support, we’re your first choice.

We’re based in the North East of England, with clients across the UK and offices in Europe.

CONNECT WITH US

  • LinkedIn