Cyber Essentials and Cyber Essentials Plus are being updated on 27 April 2026. While the scheme's five core controls remain unchanged, the way assessments are conducted, enforced, and marked is becoming significantly more rigorous. For SMEs across the UK, that means some previously accepted practices will no longer pass.
If your business holds Cyber Essentials certification, or is planning to achieve it for the first time, this article sets out everything that is changing, what it means in practical terms, and how Advantage can help you stay compliant.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme, managed by IASME on behalf of the National Cyber Security Centre (NCSC). It sets out five technical controls designed to protect organisations against the majority of common cyber attacks: firewalls, secure configuration, user access control, malware protection, and security update management.
The scheme is reviewed annually to keep pace with evolving threats. The 2026 update, known as the Danzell question set, does not overhaul the fundamentals, but it does close loopholes, tighten enforcement, and align the scheme more closely with how businesses actually use technology today, including cloud services, hybrid working, and modern identity management.
What Is Changing in April 2026?
MFA Becomes Mandatory
Multi-factor authentication must now be enabled for all cloud services where it is available. Failure to do so is an automatic assessment failure.
Stricter Patching Rules
Critical security updates for operating systems, firmware, and applications must be installed within 14 days of release. Two new auto-fail questions enforce this.
Cloud Services Now In Scope
A clear definition of cloud services is introduced. Any service that stores or processes your organisation's data cannot be excluded from your scope.
Improved Scope Transparency
Organisations must list all legal entities in scope, justify any exclusions, and provide detailed scope descriptions visible on the digital certificate platform.
CE+ Tighter Assessment
Cyber Essentials Plus assessors will now test a wider random sample on retests, closing the selective update loophole that some organisations previously exploited.
No Post-CE+ Changes to VSA
The verified self-assessment must be finalised before CE+ testing begins. Organisations can no longer amend their responses based on audit findings.
The Detail: What Each Change Means
1. Multi-Factor Authentication
MFA has always been a recommended best practice within Cyber Essentials, but from 27 April 2026 it becomes a hard requirement for cloud services. According to IASME, this applies regardless of whether MFA is free, included in your subscription, connected via a third-party tool, or only available as a paid add-on.
For most SMEs using Microsoft 365, this means ensuring MFA is enabled across all user accounts, not just administrators. If even one cloud service used for business purposes has MFA available and it is not switched on, the assessment will fail automatically.
If your organisation is already using Microsoft 365 with Conditional Access policies or Microsoft Entra ID, you may be well placed. If you are not, now is the time to act.
2. Security Update Management Auto-Fails
Two questions in the assessment are now classified as auto-fail. These address whether all high-risk or critical security updates for operating systems, router and firewall firmware, and applications (including extensions and associated files) are installed within 14 days of release.
- A6.4: Are all high-risk or critical security updates for operating systems and router/firewall firmware installed within 14 days of release?
- A6.5: Are all high-risk or critical security updates for applications, including associated files and extensions, installed within 14 days of release?
For organisations relying on manual patching processes, or where IT responsibilities sit with a busy internal resource rather than a managed service, this is one of the highest-risk areas. A single overlooked firewall firmware update or missed browser extension patch could cause a failed assessment.
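An added example, not part of the original article: a small Python check that runs over a constructed update inventory and classifies high-risk/critical updates against the 14-day window as of the certificate issue date (the point-in-time date clarified later in this article). The severity set treated as in scope, the record fields, and the sample assets are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Window stated in the updated A6.4 / A6.5 questions. Assumption: vendor
# ratings of "critical" or "high" are what the questions call high-risk.
PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"critical", "high"}
ASSESSMENT_DATE = date(2026, 4, 27)  # treated as the certificate issue date

@dataclass
class UpdateRecord:
    asset: str
    component: str             # what the update patches
    question: str              # "A6.4" (OS / router / firewall firmware) or "A6.5" (applications)
    severity: str              # vendor rating as published
    released: date
    installed: Optional[date]  # None: not installed yet

def deadline(rec: UpdateRecord) -> date:
    return rec.released + PATCH_WINDOW

def assess(records, as_of: date):
    """Classify each in-scope update as seen on `as_of`.

    overdue - deadline passed and still missing (would trip the auto-fail)
    late    - installed, but after the deadline (a process evidence gap)
    ok      - installed in time, or still inside the 14-day window
    """
    result = {"overdue": [], "late": [], "ok": []}
    for rec in records:
        if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
            continue  # moderate/low ratings are outside A6.4 / A6.5
        due = deadline(rec)
        if rec.installed is None:
            result["overdue" if as_of > due else "ok"].append(rec)
        else:
            result["late" if rec.installed > due else "ok"].append(rec)
    return result

# Constructed sample inventory: invented asset names, not real advisories.
SAMPLE = [
    UpdateRecord("FW-01", "firewall firmware", "A6.4", "critical", date(2026, 3, 1), None),
    UpdateRecord("LT-07", "OS cumulative update", "A6.4", "critical", date(2026, 3, 10), date(2026, 3, 20)),
    UpdateRecord("LT-07", "browser extension", "A6.5", "high", date(2026, 3, 5), date(2026, 3, 25)),
    UpdateRecord("LT-12", "accounting app", "A6.5", "moderate", date(2026, 2, 1), None),
    UpdateRecord("LT-12", "PDF reader", "A6.5", "critical", date(2026, 4, 20), None),
]

def sample_report():
    return assess(SAMPLE, ASSESSMENT_DATE)

if __name__ == "__main__":
    for bucket, recs in sample_report().items():
        for r in recs:
            print(f"{bucket:8} {r.question} {r.asset} {r.component} (due {deadline(r)})")
```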
3. Cloud Services Must Be In Scope
The updated requirements include a formal definition of a cloud service for the first time: an on-demand, scalable service hosted on shared infrastructure, accessible via the internet, that stores or processes your organisation's data. This includes SaaS tools such as Microsoft 365, accounting software, CRM platforms, and file storage services.
The key change is that cloud services can no longer be excluded from scope. Some organisations previously treated cloud-hosted tools as outside their responsibility because the infrastructure sits with a vendor. Under the new rules, that position will not hold.
4. Scope Definition and Transparency
Organisations will no longer be limited to a brief scope description; they can provide full detail, which will be visible on the digital certificate platform. Any areas excluded from scope must be formally described and justified. Where multiple legal entities are involved, each must be listed with its name, address, and company number.
There is also a useful addition: it will be possible to request individual Cyber Essentials certificates for each legal entity certified within a wider scope, which is helpful for organisations that need to demonstrate compliance to customers or supply chain partners on a subsidiary-by-subsidiary basis.
5. Point-in-Time Clarification
There has historically been some ambiguity around what "point in time" means in practice. The updated scheme clarifies that the relevant date is when the certificate is issued. Systems must be supported and compliant at that specific date, not just at the moment of completing the self-assessment questionnaire.
6. Updated Signing Declaration
The declaration signed by a board member or director as part of the verified self-assessment will be updated to include an explicit acknowledgement that the organisation is responsible for maintaining Cyber Essentials compliance throughout the 12-month certification period, not just at the point of assessment.
Changes Specific to Cyber Essentials Plus
Cyber Essentials Plus provides a higher level of assurance through a technical audit carried out by an accredited assessor. The April 2026 update introduces two significant changes to how CE+ assessments are conducted.
Closing the Selective Update Loophole
IASME's own audits identified a pattern where some organisations, when notified of patching failures during a CE+ assessment, only applied updates to the specific devices being tested rather than rolling them out across the full scope. The result was a passed assessment that did not reflect the organisation's real security position.
This practice is no longer possible. If an organisation fails the initial device sample test, it must remediate across the entire CE+ scope. On retest, assessors will check both the original sample and an additional random sample of devices. A second failure will result in revocation of the verified self-assessment certificate.
VSA Responses Locked Before CE+ Testing
Organisations will no longer be able to amend their verified self-assessment after CE+ testing has begun. The VSA must be completed and finalised before the technical audit starts. This ensures the self-assessment accurately reflects the organisation's real posture rather than being adjusted in light of audit findings.
When Do the Changes Apply?
- Now: Organisations can prepare by auditing MFA coverage, reviewing patching processes, and mapping all cloud services in use.
- Before 27 April 2026: Assessment accounts created before this date can still use the previous Willow question set, with up to six months to complete certification.
- From 27 April 2026: All new assessment accounts must use the updated Danzell question set, v3.3 requirements, and new marking criteria including auto-fail rules.
What Should Your Business Do Now?
The changes are designed to be achievable for SMEs. The five core controls have not changed, and IASME has been explicit that the intent is to strengthen the scheme's real-world effectiveness, not to create unnecessary barriers. With the right preparation, most organisations will find compliance well within reach.
- Audit every cloud service your team uses and confirm MFA is enabled for all user accounts
- Check that critical patches for all operating systems, firmware, and applications are being applied within 14 days of release
- Review your assessment scope to ensure cloud services are included and any exclusions can be properly justified
- If multiple legal entities are involved, prepare a complete list with registered details
- For CE+ holders, ensure your patching process covers the full in-scope environment, not just a sample of devices
- Confirm your self-assessment is finalised before CE+ testing begins
How Advantage Can Help
At Advantage, cyber security is not a bolt-on. It is a core part of the managed IT services and Microsoft solutions we deliver to SMEs across the UK. Whether you are achieving Cyber Essentials for the first time, renewing ahead of the April changes, or targeting Cyber Essentials Plus, our team can guide you through the process.
Microsoft 365 and MFA Configuration
Many of the MFA requirements introduced in April 2026 can be met through tools already available within your Microsoft 365 subscription. Our team can audit your current configuration, identify any gaps, and implement Conditional Access policies or Microsoft Entra ID controls to ensure you meet the new requirements across all cloud services.
Managed Patching
Keeping all devices, firmware, and applications patched within 14 days, consistently and across every device in scope, is not practical without the right tooling and processes in place. Our managed IT services include automated patch management, giving you the evidence you need to pass the updated assessment questions with confidence.
Cyber Essentials Readiness Review
Not sure where your current environment sits against the new requirements? We can carry out a readiness assessment ahead of your renewal, identifying any areas that need attention before you open your assessment account. This is particularly valuable for organisations with more complex IT environments, multiple sites, or a mix of on-premises and cloud infrastructure.
Ongoing Cyber Security Advisory
Cyber Essentials certification is a strong foundation, but it is only one part of a broader cyber security strategy. Our cyber security services help you build on certification with ongoing monitoring, staff awareness, incident response planning, and alignment with frameworks like Cyber Essentials Plus and IASME Cyber Assurance.