
The National Cyber Security Centre (NCSC) and IASME have released their latest round of updates to Cyber Essentials. The revised requirements will apply to all assessments created on or after April 27th this year.

The 2026 update is not a complete overhaul of Cyber Essentials, but it does introduce certain clarifications and tighter controls that organisations will need to familiarise themselves with before beginning or renewing their certification.

The updates are being made to reinforce that Cyber Essentials has become a key part of the Government’s cyber policy, and the NCSC has recently written to all FTSE 350 companies encouraging them to embed Cyber Essentials into their supply chain. Reviews of certifications completed for larger organisations have also produced evidence of workarounds being used to help successfully complete Cyber Essentials Plus certifications, highlighting the need to strengthen the requirement to install security updates within 14 days and enforce multi-factor authentication.

The changes to Cyber Essentials are important and welcome, making the certification even more valuable and helping certified organisations to strengthen their cybersecurity protections further. Here are the key changes and what they’ll mean in practice.

Stronger enforcement of patching and MFA

Multi-factor authentication (MFA) has long been a core expectation of Cyber Essentials. Under the updated rules, MFA must now be enabled wherever it is available for cloud services, even if the MFA option is only provided at an additional cost. If MFA is available, it must be enabled for all users; failure to do so will result in automatic failure of the self-assessment.

Security update requirements have also been strengthened. Organisations must apply all high-risk or critical security updates within 14 days of release. This applies to operating systems, applications and network devices such as routers and firewalls, along with associated files and extensions.

Clarification of scope and certification boundaries

The 2026 update to Cyber Essentials introduces changes intended to make scoping requirements clearer. Applicants can now choose whether the scope applies to the whole organisation or part of it. They can then provide a detailed scope description with no character limit, which will be shown on their certificates. They will also be required to describe and justify areas of their infrastructure that are excluded from their scope, although this information will remain private.

Furthermore, all legal entities within scope must be formally declared on the self-assessment prior to certification. For larger group structures, there will also be the option to request separate Cyber Essentials certificates for individual legal entities situated within a broader certified scope.

Clearer definition of “point in time” and ongoing compliance

Under the new update to Cyber Essentials, the relevant point in time is defined as the certificate issue date. Organisations must ensure that all systems in scope are certified as compliant on that specific date. This “point in time” issue has been the cause of some confusion in the past.

Also, the verified self-assessment declaration signed by a director or board-level representative will now explicitly acknowledge the organisation’s responsibility to maintain the controls throughout the whole certification period, not just at the point of certification.

New requirements for Cyber Essentials Plus

If the sample of devices fails the initial Cyber Essentials Plus technical assessment due to missing security updates, assessors will complete a technical vulnerability scan on a second sample of devices. If further inconsistencies are identified, organisations will be awarded a fail for Cyber Essentials Plus and may have their verified self-assessment certificate revoked.

In addition, organisations will no longer be permitted to amend their verified self-assessment answers based on the outcome of their Cyber Essentials Plus assessment. Self-assessments must be complete and accurate before the technical audit stage starts.

Updates to the IT Infrastructure Requirements (v3.3)

The latest edition of the Requirements for IT Infrastructure document (v3.3) will also apply to assessments started from April 27th. Several changes to the Infrastructure Requirements document make clarifications rather than imposing new obligations.

Cloud services are more clearly defined as on-demand, scalable services accessible via the internet using shared infrastructure. Any cloud services used to store or process business data must be included within scope.

The language around scoping has also been simplified, with terms such as “untrusted” and “user-initiated” removed for clarity. The section previously labelled “web applications” has been altered to “application development”, bringing it more into line with the UK Government’s Software Security Code of Practice.

Guidance on backups, meanwhile, has been moved nearer the front of the document to underline its importance in resilience and recovery planning. The user access control section now places greater emphasis on passwordless technologies such as passkeys.

Preparing for the 2026 Cyber Essentials standard

The 2026 update to Cyber Essentials does not radically change its structure, but it does look to strengthen safeguards in areas frequently exploited by attackers: namely, flimsy authentication, delayed patching and confusion around infrastructure.

Enabling MFA wherever it can be enabled, proving that critical updates have been applied within 14 days and ensuring that scope is clearly defined and documented will help to ensure a smoother certification process once the new requirements come into force from April.

Get Cyber Essentials Certified!

We are an accredited Cyber Essentials Certification Body and provide unlimited support to help organisations achieve Cyber Essentials and Cyber Essentials Plus certification.

For more information please contact us on 0161 706 0244 or email info@cybersecurityspecialists.co.uk to speak with a member of the team.
