Cyber Essentials Update: Key Changes Coming in April 2026
17th Feb 2026
Last updated: February 2026
Cyber Essentials is changing – and the impact is bigger than many organisations realise.
As part of the scheme’s annual update cycle designed to ensure it remains effective against evolving cyber threats, the latest Cyber Essentials Update will take effect on 27 April 2026.
Although IASME, the National Cyber Security Centre’s Cyber Essentials Partner, has positioned these updates as refinements, the changes tighten the requirements in ways that will materially affect how organisations approach certification, identity security and cloud governance.
IASME has implemented these changes through the revised Requirements for IT Infrastructure v3.3, the technical standard that underpins Cyber Essentials assessments. Organisations will complete assessments against this updated standard using the associated 2026 question set, named Danzell.
As with previous releases, IASME follows its long-standing tradition of naming each annual Cyber Essentials question set after one of the natural springs of the Malvern Hills – the region where IASME, like Assure Technical, is based.
Strengthened multi-factor authentication (MFA) requirements, the mandatory inclusion of all cloud services, clearer scoping definitions and stricter enforcement of security updates all reflect the continued shift towards identity-centric security and operational resilience.
This article explains what is changing, why it matters, and how organisations can prepare effectively for Cyber Essentials certification ahead of the April 2026 updates.
The April 2026 update removes ambiguity and strengthens baseline security expectations across identity, cloud and resilience.
The most significant change in the April 2026 Cyber Essentials Update is the strengthening of multi-factor authentication (MFA) requirements.
From v3.3 onwards:
In simple terms, MFA is no longer a recommendation. The new standard makes it a strict compliance requirement. This reflects the continued rise of credential-based attacks and the central role of identity security in modern threat models.
As a result, organisations can no longer justify partial or selective MFA adoption where the capability already exists.
For the first time, Cyber Essentials introduces a formal definition of a cloud service. Any on-demand, scalable service running on shared infrastructure and accessed over the internet cannot be excluded from scope. Importantly, responsibility for meeting Cyber Essentials requirements remains with the organisation, even when services are provided by third-party cloud vendors.
This includes:
This change removes ambiguity around what qualifies as a cloud service. Organisations must include within scope any service that stores or processes organisational data and is accessed using a company-issued account or business email address.
IASME has removed terminology such as “untrusted” or “user-initiated” internet connections.
Under v3.3:
All devices capable of establishing or accepting internet connections are in scope.
Where organisations exclude network segments, they must provide clear justification and evidence of effective segregation.
This change is designed to reduce interpretation risk during assessments and improve consistency across certifications.
Backup guidance now appears earlier in the technical document. This change highlights recovery as a core cyber-resilience control rather than a secondary safeguard.
The update reflects real-world incidents, where the ability to restore systems quickly often determines the operational impact of an attack. Organisations should treat backups as an essential security capability, not simply a compliance requirement.
Cyber Essentials v3.3 explicitly recognises passwordless authentication methods, including:
This aligns the baseline with modern identity security practices. While passwordless authentication is not mandatory, its inclusion signals a gradual shift in expectations as authentication standards continue to evolve.
The former “web applications” section has been reframed as “application development”. This aligns Cyber Essentials with the UK Government’s Software Security Code of Practice and reinforces secure-by-design principles.
The update places greater emphasis on governance and accountability throughout the development lifecycle.
The updated guidance also strengthens expectations around security updates. Organisations must now install high-risk or critical security updates for operating systems, applications, routers and firewalls within 14 days of release in all instances.
Failure to meet these timelines will result in automatic assessment failure.
The April 2026 update raises expectations across identity, cloud and operational resilience.
With MFA mandatory wherever it is available, organisations need a complete and accurate view of how authentication is enforced across their cloud services. In practice, this often exposes gaps in SaaS governance and shadow IT.
The explicit inclusion of cloud services removes the option to exclude key workloads from Cyber Essentials certification assessments.
For many organisations, this change requires closer coordination between IT, security and procurement teams to ensure ownership and responsibility are clearly defined.
Organisations will need to provide more detailed scope descriptions during Cyber Essentials certification. The updated framework removes previous word limits and requires businesses to clearly identify all legal entities included within the certification.
Clearer scope boundaries and mandatory explanations for exclusions significantly raise the standard of evidence organisations must meet during Cyber Essentials certification assessments.
Organisations without mature asset management, network documentation and segregation controls face a higher risk of delay, challenge or rework during assessment.
Where evidence is incomplete or controls are inconsistently applied, organisations may need to remediate issues before certification can proceed.
Assessment accounts created before 27 April 2026 will continue under the current version of the standard. Accounts created after this date will follow the updated Requirements for IT Infrastructure v3.3, alongside the associated Danzell question set.
Organisations should not treat this transition window as an opportunity to delay preparation.
Complex environments, legacy systems and decentralised cloud adoption take time to audit and remediate. Early preparation reduces risk, cost and disruption when preparing for Cyber Essentials certification.
Overall, the April 2026 updates signal a continued move towards clearer, less negotiable baseline controls. Organisations that rely on informal processes or legacy assumptions are more likely to experience assessment friction.
Identify every cloud service used across the organisation, including those adopted independently by teams. Confirm MFA availability, configuration and usage.
Move beyond minimum MFA requirements towards a unified identity strategy. Enforce MFA consistently and review session policies, conditional access and privilege management.
Where parts of the environment sit outside scope, ensure segregation is technically sound, clearly documented and defensible during assessment.
Test restoration workflows, confirm backup security, and document frequency, retention and separation. Treat recovery as a first-class security control.
A reliable inventory is essential under the revised connectivity definitions. Automated discovery tools can help where environments are dynamic.
Avoid scheduling Cyber Essentials certification or renewal close to April 2026. Early preparation delivers smoother assessments and stronger outcomes.
Organisations that prepare early will achieve smoother certification and a stronger security posture.
The April 2026 Cyber Essentials Update represents a meaningful evolution of the scheme. By tightening MFA requirements, clarifying scope definitions and elevating recovery expectations, the Requirements for IT Infrastructure v3.3 set a higher baseline that organisations can no longer ignore.
The updates signal a continued move towards clearer, less negotiable baseline controls. Organisations that rely on informal processes or delayed update cycles are more likely to experience assessment friction.
This is not simply a compliance exercise. It is an opportunity to strengthen identity security, improve cloud governance and reduce operational risk.
Assure Technical has been a leading Cyber Essentials Certification Body for 10 years and has supported 1000s of organisations through to pain-free certification.
We provide support throughout the Cyber Essentials certification journey, from readiness assessments and gap analysis to Cyber Essentials and Cyber Essentials Plus certification. Our 4.9-star rating on Trustpilot, from over 300 genuine 5-star customer reviews, really does speak for itself.
Whether you’re looking to achieve Cyber Essentials for the first time or looking to renew, we can help ensure you prepare for the April 2026 requirements with confidence.
Get in touch with our experts today and let us guide you through the transition.