Cyber Essentials Changes are Coming

The April 2026 updates to the Cyber Essentials scheme strengthen security requirements, improve assessment transparency, and tighten compliance enforcement. The most significant change is the introduction of stricter “auto-fail” criteria. Organisations will automatically fail if multi-factor authentication (MFA) is not enabled for all supported cloud services, or if critical and high-risk security updates for operating systems, firmware, and applications are not applied within 14 days of release.

The updates also improve scope clarity by allowing detailed scope descriptions on certificates, requiring disclosure of excluded infrastructure areas, and identifying all legal entities included in certification. Organisations can also request individual certificates for entities within a larger certified scope. The definition of “point in time” has been clarified as the date the certificate is issued, meaning all systems must still be supported at certification time.

Cyber Essentials Plus (CE+) assessments are also becoming stricter. Organisations that fail update-management testing must remediate issues across their full environment, not just sampled devices, and assessors will test additional random samples during retesting. A second failure will revoke certification. Organisations will also no longer be allowed to alter their verified self-assessment after CE+ testing begins.

Additional guidance updates include clearer definitions of cloud services, mandatory inclusion of cloud-hosted services within scope, simplified scoping rules, stronger emphasis on backups, updated application development guidance aligned with the UK Government Software Security Code of Practice, and increased focus on passwordless authentication methods such as passkeys.

Check the IASME website for full details of the April 2026 requirements.
