Cyber Essentials 2026 Updates: Key Changes Businesses Need to Prepare For

From April 2026, the Cyber Essentials and Cyber Essentials Plus certification schemes introduced a series of important compliance updates aimed at improving cyber resilience across UK organisations.

While the five core technical controls remain unchanged, the revised standard places greater emphasis on evidence gathering, cloud security, patch management and organisational accountability during assessments.

The updated requirements are designed to strengthen the credibility of the Cyber Essentials framework while encouraging businesses to adopt more proactive and measurable cyber security practices.

What are the key Cyber Essentials 2026 updates?

The major 2026 updates to the Cyber Essentials scheme are set out below; they are written to leave no grey areas or room for interpretation.

High-risk and critical patches must be applied within 14 days

This is arguably the most significant shift for IT teams. Previously, the 14-day rule was considered strong guidance. It is now a strict requirement.

If a vendor releases a patch for a critical or high-risk vulnerability, organisations have exactly 14 days to apply it across every device, server and application within scope. If an assessor finds even one device missing a critical update older than two weeks, the organisation will automatically fail the assessment.

Strong patch management processes are becoming increasingly important as cyber threats continue to evolve, and businesses face greater pressure to maintain operational resilience.

Multi-factor authentication is now mandatory for all cloud services

Account takeovers remain one of the most common causes of business cyber breaches. To combat this, multi-factor authentication (MFA) is now mandatory for all cloud services.

If a service provider offers MFA, whether included as standard or through a paid upgrade, organisations must enable it for all users and not just administrators. If MFA is available but not active, the assessment will result in automatic failure.

This change removes cost or inconvenience as excuses for relying solely on passwords to protect business systems.

For organisations looking to strengthen account protection further, our guide on how multi-factor authentication works explores why MFA is now considered essential for modern cyber security.

Cloud services can no longer be excluded from scope

In previous years, some organisations attempted to narrow their assessment scope by excluding certain cloud platforms. The 2026 update closes this loophole.

The new definition of a cloud service is straightforward. If the platform stores or processes organisational data and is accessed using business credentials, it falls within scope. This includes Microsoft 365, Google Workspace, CRM platforms, HR systems and cloud storage providers.

If business data exists within the platform, the service must meet Cyber Essentials standards.

Cyber Essentials Plus introduces stricter retesting rules

For organisations pursuing Cyber Essentials Plus, the audited version of the scheme, the spot-checking process has become more demanding.

Previously, if an assessor identified a failed device during testing, the organisation might only need to correct that individual device. Under the updated rules, if a device from the original sample fails, the assessor must test a second random sample. If the second sample also fails, the organisation fails the certification entirely.

This update ensures security controls are implemented consistently across the whole organisation rather than only on isolated systems.

Organisations must provide stronger evidence and clearer scoping definitions

The days of submitting a simple one-sentence network description are over. Organisations must now provide more detailed infrastructure descriptions, including all legal entities included within certification scope.

If parts of the network are excluded, organisations must provide clear technical evidence demonstrating how those systems are segregated from the wider business environment. Assessors will expect stronger documentation and proof that network boundaries are secure and genuine.

How businesses can prepare for Cyber Essentials 2026

With the new requirements now in force, organisations should begin reviewing their current security arrangements immediately.

Review all cloud services and enforce MFA

The first step should be a full audit of every cloud platform employees use for business operations. This includes major systems such as Microsoft 365 as well as smaller SaaS platforms used for marketing, collaboration or project management.

Once identified, organisations should ensure MFA is fully enforced for every account across the business. It is important to distinguish between MFA being available and MFA being mandatory through administrative controls.

Strengthen asset management processes

Businesses cannot secure devices they do not know exist. Organisations should maintain an accurate and regularly updated inventory covering all devices capable of accessing company systems or data.

If out-of-scope environments exist, such as guest Wi-Fi or isolated legacy systems, businesses must clearly document how those environments are segregated.

Bring-your-own-device (BYOD) policies should also be reviewed carefully. If employees access work emails or collaboration tools from personal devices, those devices may fall within assessment scope.

Tighten patch management procedures

Meeting the strict 14-day patching window will likely require more automated processes. Businesses should consider using Mobile Device Management (MDM) solutions or centralised patch management tools to deploy updates quickly across all systems.

Assigning responsibility for monitoring vendor security bulletins can also help organisations respond rapidly when critical vulnerabilities emerge.

Proactive monitoring and regular security testing services can also help businesses identify weaknesses before they become compliance failures or security incidents.
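The 14-day rule described earlier and the patch management process in this section can be checked mechanically once device and patch data are in one place. The script below is an added example, not code from the article or from the Cyber Essentials scheme. It assumes a constructed CSV export (device, vendor, patch identifier, severity, release date, install date) of the kind an MDM or centralised patch tool can produce, and flags any in-scope device still missing a critical or high-risk patch more than 14 days after its release as of the assessment date. The patch identifiers and dates in the sample are placeholders.

```python
"""Check a device/patch inventory against the Cyber Essentials 14-day rule.

Added example, not part of the original article or of any Cyber Essentials
tooling. The CSV layout and the sample rows below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)           # patches must be applied within 14 days
IN_SCOPE_SEVERITIES = {"critical", "high"}  # only these severities carry the hard deadline

# Constructed sample inventory: one row per (device, patch). An empty
# "installed" column means the patch has not been applied yet.
SAMPLE_INVENTORY = """\
device,vendor,patch_id,severity,released,installed
LAPTOP-01,Microsoft,KB-EXAMPLE-1,critical,2026-04-01,2026-04-05
LAPTOP-01,Microsoft,KB-EXAMPLE-2,high,2026-04-20,
SRV-FILE-01,Microsoft,KB-EXAMPLE-1,critical,2026-04-01,
SRV-FILE-01,Microsoft,KB-EXAMPLE-3,moderate,2026-03-01,
WS-FINANCE-02,Adobe,ADB-EXAMPLE-1,high,2026-04-18,2026-04-19
"""


@dataclass(frozen=True)
class Finding:
    device: str
    patch_id: str
    severity: str
    days_outstanding: int  # days since release with the patch still missing


def parse_inventory(text):
    """Parse the CSV export into dict rows, converting dates and normalising severity."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["released"] = date.fromisoformat(row["released"])
        row["installed"] = date.fromisoformat(row["installed"]) if row["installed"] else None
        row["severity"] = row["severity"].strip().lower()
        rows.append(row)
    return rows


def overdue_patches(rows, as_of):
    """Return a Finding for every critical/high patch still missing more than 14 days after release."""
    findings = []
    for row in rows:
        if row["severity"] not in IN_SCOPE_SEVERITIES:
            continue  # lower severities are outside the 14-day rule
        if row["installed"] is not None:
            continue  # already applied, nothing outstanding
        age = as_of - row["released"]
        # Day 14 is still inside the window; day 15 is not. A release date
        # in the future gives a negative age and is never overdue.
        if age > PATCH_WINDOW:
            findings.append(Finding(row["device"], row["patch_id"], row["severity"], age.days))
    return findings


def assess(text, as_of):
    """Apply the rule to the whole inventory: a single overdue device fails the assessment."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = overdue_patches(parse_inventory(text), as_of)
    failing_devices = sorted({f.device for f in findings})
    return {"pass": not findings, "failing_devices": failing_devices, "findings": findings}


if __name__ == "__main__":
    result = assess(SAMPLE_INVENTORY, "2026-04-30")
    print("PASS" if result["pass"] else "FAIL")
    for f in result["findings"]:
        print(f"{f.device}: {f.patch_id} ({f.severity}) outstanding for {f.days_outstanding} days")
```

Run against a real export, one finding is enough to fail the assessment, which is why the script reports the overall verdict before the details. The boundary is deliberately a strict "more than 14 days", so a patch released exactly 14 days before the assessment date is still within the window, and patches of lower severity are reported nowhere because the rule does not apply to them.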

Review and restrict administrative privileges

Although not entirely new for 2026, the updated standard places renewed emphasis on identity and access management, particularly around administrator privileges.

Employees, including IT staff, should avoid using administrator accounts for routine tasks such as email or web browsing. Instead, organisations should separate standard user accounts from privileged administrative accounts used solely for technical changes.

Regular access reviews should also take place to ensure permissions are removed promptly when staff change roles or leave the organisation.
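The two practices in this section, separating privileged accounts from daily-use accounts and removing rights promptly when people leave or change role, can both be expressed as an access review over account and HR data. The script below is an added example and is not from the article; it assumes constructed account records (whether an account holds admin rights and whether it has a mailbox, used here as the marker of a daily-use account) joined to a constructed HR roster by an owner identifier, and lists every privileged account that breaks one of the two rules or has no owner record at all.

```python
"""Access review for privileged accounts (added example, not from the article).

Two checks the article's advice implies:
  1. separation: an account holding admin rights should not also be the
     account used for email and web browsing;
  2. timeliness: admin rights should be removed when the owner leaves or
     moves to a role that no longer needs them.
Record layouts and sample data are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str          # account identifier in the directory
    owner: str         # HR identifier of the person who uses it (constructed)
    privileged: bool   # member of an admin role or group
    mailbox: bool      # has a mailbox, i.e. is used for day-to-day work


@dataclass(frozen=True)
class Person:
    owner: str
    status: str        # "active" or "left"
    role: str          # current job role
    needs_admin: bool  # whether the current role justifies admin rights


SAMPLE_ACCOUNTS = [
    Account("asmith", "P001", privileged=False, mailbox=True),
    Account("asmith-adm", "P001", privileged=True, mailbox=False),  # the intended pattern
    Account("bjones", "P002", privileged=True, mailbox=True),       # admin rights on the daily account
    Account("cwong-adm", "P003", privileged=True, mailbox=False),   # owner has left
    Account("dlee-adm", "P004", privileged=True, mailbox=False),    # role no longer needs admin
]

SAMPLE_PEOPLE = {
    "P001": Person("P001", "active", "IT engineer", True),
    "P002": Person("P002", "active", "IT engineer", True),
    "P003": Person("P003", "left", "IT engineer", True),
    "P004": Person("P004", "active", "Finance analyst", False),
}


def review_privileged_access(accounts, people):
    """Return (account, reason) pairs for privileged accounts that need action."""
    findings = []
    for acct in accounts:
        if not acct.privileged:
            continue  # only admin accounts are in scope of this review
        person = people.get(acct.owner)
        if person is None:
            findings.append((acct.name, "no owner record"))  # orphaned admin account
            continue
        if person.status != "active":
            findings.append((acct.name, "owner has left"))
        elif not person.needs_admin:
            findings.append((acct.name, "role no longer requires admin rights"))
        if acct.mailbox:
            findings.append((acct.name, "admin rights on a daily-use account"))
    return findings


if __name__ == "__main__":
    for name, reason in review_privileged_access(SAMPLE_ACCOUNTS, SAMPLE_PEOPLE):
        print(f"{name}: {reason}")
```

The review lists the properly separated `asmith`/`asmith-adm` pair nowhere, which is the outcome a reviewer wants to see for every member of staff. An account can attract more than one finding (a leaver's daily-use account that also holds admin rights would get two), and the orphaned-account case is reported separately because a privileged account with no owner record cannot be reviewed at all.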

Why the Cyber Essentials 2026 updates matter

The Cyber Essentials 2026 updates reflect a wider shift away from tick-box compliance and toward genuine operational cyber resilience. While the stricter fail criteria may appear challenging, they directly target the common attack methods currently used by cyber criminals against UK businesses.

By reviewing systems now, organisations can improve security standards, strengthen compliance and reduce the risk of disruption caused by cyber incidents.

With the support of experienced cyber security specialists, businesses can identify weaknesses, close security gaps and prepare confidently for Cyber Essentials and Cyber Essentials Plus certification.

FAQs

What are the main Cyber Essentials 2026 updates?

The Cyber Essentials 2026 updates introduce stricter requirements around patch management, mandatory MFA for cloud services, stronger evidence collection and tighter scoping rules for organisations.

Is multi-factor authentication now mandatory under Cyber Essentials?

Yes. If a cloud service offers MFA, organisations must enable it for all users. Failure to do so could result in automatic failure of the assessment.

How quickly must critical security patches be applied?

Critical and high-risk security patches must now be applied within 14 days of release across all in-scope systems and devices.

Can cloud services still be excluded from Cyber Essentials scope?

No. Under the updated rules, cloud platforms that store or process organisational data are considered in scope for assessment.

What should businesses do to prepare for Cyber Essentials 2026?

Businesses should review cloud services, enforce MFA, improve asset management, strengthen patching processes and audit administrative access controls before assessment.


About the Contributor
Debra Cairns believes that security shouldn’t be a luxury and IT should never be a roadblock. Following a nearly twenty-year career at Procter & Gamble (P&G) where she honed her expertise in finance and IT, Debra took the helm as Managing Director of Net-Defence with a clear-cut mission: to build a team of IT, cyber,...