Cyber Essentials Has Changed: What the April 2026 Updates Mean for Your Organisation

Cyber Essentials remains one of the UK’s most widely recognised cyber security standards, providing a government‑backed baseline for protecting organisations against common cyber threats. In April 2026, the scheme underwent one of its most significant operational updates in recent years.


The five technical controls at the heart of Cyber Essentials have not changed. What has changed is how they are enforced. The new rules remove long‑standing grey areas, introduce automatic failure conditions for critical gaps, and place greater emphasis on real‑world security rather than last‑minute compliance.


If you are certifying or renewing Cyber Essentials this year, understanding what has changed, and how to work within the updated scheme, is essential.


What Changed in April 2026?

The April 2026 update introduced:

  • A new Requirements for IT Infrastructure v3.3 document

  • A new self‑assessment question set, Danzell, replacing the previous Willow framework

  • Stricter marking rules and additional automatic failure conditions


These updates apply to all assessment accounts created on or after 26 April 2026.


Organisations with existing assessment accounts created before this date have a six‑month transition period to certify under the previous requirements.


What Has Not Changed

It is important to be clear on what remains the same.


Cyber Essentials is still built around five core technical controls:

  • Firewalls

  • Secure configuration

  • User access control

  • Malware protection

  • Security update management


The update does not introduce new controls. Instead, it tightens enforcement and removes flexibility where gaps were being tolerated.


Mandatory Multi‑Factor Authentication for Cloud Services


MFA Is Now a Pass‑or‑Fail Requirement

Multi‑factor authentication (MFA) has been part of Cyber Essentials for several years. Under the April 2026 update, the consequence of not implementing MFA has changed significantly.

If a cloud service offers MFA and it is not enabled, the assessment will automatically fail. There is no remediation window within the same assessment cycle.


This applies regardless of whether MFA is:

  • Free

  • Included as standard

  • Available only as a paid add‑on


It also applies to all users, not just administrators.


What Counts as a Cloud Service?

For the first time, Cyber Essentials provides a formal definition of a cloud service. Any on‑demand, internet‑accessible service that stores or processes organisational data and is accessed via a business account is considered in scope.


In practical terms, this includes email platforms, identity providers, CRMs, HR systems, accounting software, cloud storage, and remote access services. Cloud services cannot be excluded from scope.


Stricter Patch Management and 14‑Day Update Rules


New Automatic Failure Conditions

Two new auto‑fail questions formalise patching expectations:

  • All high‑risk or critical updates for operating systems, and for router and firewall firmware, must be installed within 14 days

  • All high‑risk or critical application updates, including associated files and browser extensions, must be installed within 14 days


If an assessor identifies missed updates beyond this window on any in‑scope system, the assessment will automatically fail, regardless of performance elsewhere.


This change reflects guidance from the National Cyber Security Centre that delayed patching remains one of the most common causes of successful cyber attacks.


Clearer and More Transparent Scoping

Scoping has historically been one of the most challenging aspects of Cyber Essentials, particularly for organisations with complex environments. The April 2026 update introduces several changes to improve clarity:

  • No word limit on scope descriptions

  • Mandatory disclosure of out‑of‑scope areas (not made public, but still reviewed)

  • Identification of all legal entities included in the assessment

  • Optional certificates for individual legal entities within a wider scope


These changes are designed to improve transparency and reduce ambiguity for customers and supply chain partners reviewing certifications.


Clarifying “Point in Time” Assessment

Cyber Essentials is often described as a “point in time” assessment. The updated scheme makes this explicit.


The point in time now refers to the date the certificate is issued. Systems must be supported and compliant on that date. This reduces reliance on short‑term fixes and reinforces Cyber Essentials as a maintained baseline rather than a snapshot.


Changes to Cyber Essentials Plus (CE+)

Stronger Verification of Patch Management

For organisations pursuing Cyber Essentials Plus, update management is now assessed more rigorously. If issues are found during testing, remediation must be applied across the entire environment. Retesting will include a new random sample, not just previously failing devices.


If a second failure occurs, the verified self‑assessment certificate can be revoked.


Locked Self‑Assessment Responses

Verified self‑assessment responses must now be completed, finalised, and left unchanged before CE+ testing begins. Adjusting answers after testing has started is no longer permitted.


What Organisations Should Focus on Now

With the new requirements already in effect, organisations planning certification or renewal should prioritise:

  • Ensuring MFA is enabled across all cloud services

  • Confirming patching processes can meet the 14‑day requirement consistently

  • Reviewing scope definitions and exclusions honestly

  • Removing unsupported systems before certification dates

  • Treating Cyber Essentials as an ongoing baseline, not a once‑a‑year exercise


How KubeNet Can Help

The April 2026 Cyber Essentials update has raised the bar, but meeting the new requirements does not need to be disruptive or overwhelming.


At KubeNet, we work with organisations every day to help them prepare for Cyber Essentials and Cyber Essentials Plus under the updated rules. That includes reviewing MFA coverage across cloud services, validating patch management processes, clarifying assessment scope, and addressing gaps well before certification or renewal dates.


Whether you are renewing an existing certification or approaching Cyber Essentials for the first time, we focus on making compliance practical, sustainable, and reflective of how your business actually operates.


If you would like support navigating the updated Cyber Essentials requirements, or want to sense‑check your readiness under the new framework, speak to the KubeNet team. We are here to help you achieve certification with confidence and maintain it going forward.
