The National Cyber Security Centre (NCSC) and IASME have released their latest round of updates to Cyber Essentials. The revised requirements apply to all assessments created on or after 27 April 2026.
The 2026 update is not a complete overhaul of Cyber Essentials, but it does introduce certain clarifications and tighter controls that organisations will need to familiarise themselves with before beginning or renewing their certification.
The changes to Cyber Essentials are important and welcome, making the certification even more valuable and helping certified organisations to strengthen their cybersecurity protections further. Here are the key changes and what they’ll mean in practice.
Multi-factor authentication (MFA) has long been a core expectation of Cyber Essentials. Under the updated rules, MFA must be enabled wherever a cloud service offers it, even where the provider only makes it available at additional cost. If MFA is available and has not been turned on, the assessment is an automatic fail.
Security update requirements have also been strengthened. Organisations must apply all high-risk or critical security updates within 14 days of release. This applies to operating systems and to firmware on network devices such as routers and firewalls, as well as to the associated applications, plugins and extensions.
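The 14-day rule is easy to state but awkward to evidence across a fleet, because what matters is each update's release date, its vendor severity and the date it was actually applied on each device. The check below is an added example, not code from the page, NCSC or IASME: it takes a constructed inventory of updates (device names, update identifiers and dates are all invented) and classifies each one against the window as of a reference date, here the certificate issue date. Updates that are still outstanding past their deadline are a breach on the day; updates that were applied, but late, are reported separately because they show the process was not keeping up even though the device is compliant at the point in time.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Cyber Essentials window for high-risk / critical security updates.
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Update:
    asset: str                 # in-scope device: workstation, router, firewall, ...
    update_id: str             # vendor's identifier for the update (constructed here)
    severity: str              # vendor-assigned severity
    released: date             # date the vendor published the fix
    installed: Optional[date]  # date it was applied, or None if still outstanding


def deadline(update: Update) -> date:
    """Last day on which the update can be applied and still meet the 14-day rule."""
    return update.released + timedelta(days=PATCH_WINDOW_DAYS)


def classify(update: Update, as_of: date) -> Optional[str]:
    """Classify one update against the rule as of `as_of` (e.g. the certificate issue date).

    "missing": in scope, not installed, deadline already passed (breach on the day)
    "pending": in scope, not installed, deadline still in the future
    "late":    in scope, installed, but after the deadline (process failure)
    None:      out of scope (lower severity) or applied on time
    """
    if update.severity.lower() not in IN_SCOPE_SEVERITIES:
        return None
    due = deadline(update)
    if update.installed is None:
        return "missing" if as_of > due else "pending"
    return "late" if update.installed > due else None


def patch_report(updates: Iterable[Update], as_of: date) -> Dict[str, List[Tuple[str, str]]]:
    """Group (asset, update_id) pairs by how they stand against the rule on `as_of`."""
    report: Dict[str, List[Tuple[str, str]]] = {"missing": [], "pending": [], "late": []}
    for u in updates:
        bucket = classify(u, as_of)
        if bucket is not None:
            report[bucket].append((u.asset, u.update_id))
    return report


def compliant_on(updates: Iterable[Update], as_of: date) -> bool:
    """True if no in-scope update is outstanding past its deadline on `as_of`."""
    return not patch_report(updates, as_of)["missing"]


# Constructed sample inventory; none of these identifiers are real vendor updates.
SAMPLE_INVENTORY = [
    Update("ws01", "OS-2026-04A", "critical", date(2026, 4, 1), date(2026, 4, 10)),  # on time
    Update("ws02", "OS-2026-04A", "critical", date(2026, 4, 1), None),               # missing
    Update("fw01", "FW-7.2.1", "high", date(2026, 4, 20), None),                      # pending
    Update("ws03", "OS-2026-03B", "low", date(2026, 3, 1), None),                     # out of scope
    Update("ws01", "OS-2026-03C", "high", date(2026, 3, 20), date(2026, 4, 10)),      # late
]

# Reference date for the check: the (hypothetical) certificate issue date.
ISSUE_DATE = date(2026, 4, 27)

if __name__ == "__main__":
    for bucket, items in patch_report(SAMPLE_INVENTORY, ISSUE_DATE).items():
        print(f"{bucket:8s} {items}")
    print("compliant on issue date:", compliant_on(SAMPLE_INVENTORY, ISSUE_DATE))
```

In practice the inventory would be fed from the patch management or MDM tool's export, with the vendor release date taken from the vendor's advisory rather than the date the update first appeared in the console; the latter can be days later and would flatter the result.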
The 2026 update to Cyber Essentials introduces changes intended to make scope requirements clearer. Organisations will be able to provide a more detailed scope description on their certificates, and will also be required to describe and justify areas of their infrastructure that are excluded from their scope.
Furthermore, all legal entities within scope must be formally identified. For larger group structures, there will also be the option to request separate Cyber Essentials certificates for individual legal entities situated within a broader certified scope.
Under the new update to Cyber Essentials, the relevant point in time is defined as the certificate issue date: every system in scope must meet the requirements on that specific date. Exactly which "point in time" was meant has been the cause of some confusion in the past.
Also, the verified self-assessment declaration signed by a director or board-level representative will now explicitly acknowledge the organisation’s responsibility to maintain the controls throughout the certification period, not just at the moment of submission.
If devices fail the initial Cyber Essentials Plus technical assessment due to missing security updates, assessors will test a second sample of remediated devices. If further inconsistencies are identified, organisations may have their verified self-assessment certificate revoked.
In addition, organisations will no longer be permitted to amend their verified self-assessment answers based on the outcome of their Cyber Essentials Plus assessment. Self-assessments must be complete and accurate before the technical audit stage.
The latest edition of the Requirements for IT Infrastructure document (v3.3) will also apply to assessments started from 27 April. Several of the changes to it are clarifications rather than new obligations.
Cloud services are more clearly defined as on-demand, scalable services accessible via the internet using shared infrastructure. Any cloud services used to store or process business data must be included within scope.
The language around scoping has also been simplified, with terms such as “untrusted” and “user-initiated” removed for clarity. The section previously labelled “web applications” has been altered to “application development”, bringing it more into line with the UK Government’s Software Security Code of Practice.
Guidance on backups, meanwhile, has been moved nearer the front of the document to underline its importance in resilience and recovery planning. The user access control section now places greater emphasis on passwordless technologies such as passkeys.
The 2026 update to Cyber Essentials does not radically change its structure, but it does strengthen safeguards in areas that attackers frequently exploit: weak authentication, delayed patching and poorly defined scope.
Enabling MFA wherever it is offered, being able to show that critical updates have been applied within 14 days, and having the scope clearly defined and documented will all make for a smoother certification once the new requirements take effect in April.
If your organisation is preparing for Cyber Essentials or Cyber Essentials Plus certification and you’d like guidance on what effects the new changes will have, the Cyber Tec team can help. Contact us today for more information.