
Cyber Essentials Update – What the April 2026 Changes Mean for Your Business


From 27 April 2026, the UK government‑backed Cyber Essentials certification scheme introduced some of the most significant changes in its history. While the five core technical controls remain the same, the way organisations are assessed has tightened considerably, with new automatic failure conditions introduced by IASME and the National Cyber Security Centre (NCSC).


For organisations that already hold Cyber Essentials or Cyber Essentials Plus, or those preparing to certify for the first time, understanding these changes is essential to avoid failed assessments, delayed renewals, or lost commercial opportunities.


What is Cyber Essentials?


Cyber Essentials is a UK government‑backed cybersecurity certification scheme, designed to help organisations protect themselves against the most common cyber‑attacks. The scheme is operated by IASME on behalf of the NCSC and is built around five core technical controls:


  • Firewalls and internet gateways

  • Secure configuration

  • User access control

  • Malware protection

  • Security update management


There are two levels of certification:


  • Cyber Essentials – a self‑assessment against the standard

  • Cyber Essentials Plus – an independent technical verification


Cyber Essentials is a requirement for many public sector contracts and is increasingly requested across supply chains as evidence of baseline cyber security controls.


What Has Changed in April 2026?


The April 2026 update (Cyber Essentials v3.3, also known as the Danzell question set) does not introduce new controls, but it removes flexibility that previously allowed some organisations to pass while carrying known risks. IASME has stated that these changes improve clarity, consistency, and real‑world security outcomes. The most impactful changes are outlined below.


Mandatory Multi‑Factor Authentication (MFA) for Cloud Services


From 27 April 2026, MFA must be enabled on all cloud services where it is available. If a cloud service supports MFA and it is not enabled, the organisation will automatically fail the Cyber Essentials assessment. This requirement applies to:


  • Cloud email platforms (e.g. Microsoft 365, Google Workspace)

  • Identity providers

  • Remote access services

  • Any cloud service used to store or process organisational data


IASME has confirmed that cost or licensing is not an acceptable reason for failing to implement MFA where it is available.


14‑Day Patching Requirement for Critical Updates


High‑risk and critical security updates must now be applied within 14 days of release. Failure to meet this deadline results in an automatic fail, rather than a non‑compliance note as in previous versions of the scheme. This applies to:


  • Operating systems

  • Applications

  • Firmware (including firewalls and routers)


This change reflects the role that delayed patching plays in many real‑world cyber incidents, which IASME has cited as a key driver for the update.


Cloud Services Must Be in Scope


The updated requirements introduce a clear definition of a cloud service and make it explicit that cloud services cannot be excluded from scope. This removes ambiguity for assessments and means organisations must be confident that their cloud environments meet the standard across identity, access control, and security configuration.


Clearer Scoping and Stricter Assessments


Organisations are now required to provide more detailed scoping information, including:


  • Clear definition of what is in scope

  • Explicit justification for any exclusions

  • Full listing of legal entities covered by the certification


For Cyber Essentials Plus, assessors are expected to apply more consistent and rigorous technical verification.


What Do Businesses Need to Do Now?


Organisations preparing for certification or renewal should take a proactive approach. Based on the updated requirements, businesses should:


  • Review all cloud services and confirm that MFA is enforced for every user where available

  • Validate patching processes to ensure critical updates are applied within 14 days

  • Confirm that all cloud platforms are included within assessment scope

  • Revisit certification scope documentation to ensure it is accurate and defensible

  • Identify gaps early, allowing time to remediate before submitting an assessment


These changes mean that what previously passed may now fail, particularly for organisations that have not revisited their technical controls since their last certification cycle.


How Claverton Can Help


At Claverton, we support organisations in preparing for Cyber Essentials both at the point of certification and on an ongoing basis. We recognise that maintaining compliance is not a one‑off exercise, particularly under the tighter April 2026 requirements.


Our support can include:


  • Gap assessments against the updated Cyber Essentials v3.3 requirements

  • Practical guidance on implementing and maintaining MFA, patching processes, and secure cloud configurations

  • Pre‑assessment readiness reviews to identify and remediate issues before submission

  • End‑to‑end support through certification and annual renewal


For many organisations, the biggest challenge is not achieving certification once, but maintaining compliance throughout the year. This is where Claverton’s ongoing support options can add real value.


Through our Block Time Support, businesses gain access to flexible consultancy time to address emerging compliance issues, implement required changes, and respond to evolving Cyber Essentials requirements without the need for ad‑hoc engagements.


Our Managed Services go a step further, helping organisations maintain the operational controls that Cyber Essentials relies on - such as timely patching, secure configuration, identity management, and cloud governance. This proactive approach reduces the risk of non‑compliance at renewal and supports a stronger overall security posture.


Whether you are renewing an existing certificate or approaching Cyber Essentials for the first time, early preparation and ongoing oversight are the most effective ways to avoid assessment delays, certification failures, and last‑minute remediation.


If you would like support understanding the April 2026 changes or maintaining Cyber Essentials compliance through Block Time Support or Managed Services, please get in touch.
