Cyber Essentials Changes Coming in April 2026

By Robert Wilson

Cyber Essentials changes coming in April 2026 will introduce several updates to the scheme’s requirements, aimed at improving clarity, strengthening authentication controls, and ensuring organisations include modern cloud environments within their security scope.

While the updates are not considered a major overhaul, there are several important points organisations should understand before the new requirements take effect on 27 April 2026.

For businesses planning to achieve or renew Cyber Essentials certification, preparing early will help avoid unexpected compliance issues.


Why Cyber Essentials Is Being Updated

Cyber Essentials is built around five key technical controls designed to prevent the majority of common cyber attacks:

  • Firewalls and internet gateways
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

The scheme is reviewed annually by the National Cyber Security Centre and IASME Consortium to ensure the controls remain relevant as technology and threats evolve.

The April 2026 update primarily focuses on:

  • Removing ambiguity in the requirements
  • Strengthening identity protection
  • Clarifying how cloud services should be treated
  • Emphasising resilience measures such as backups

Most organisations will not need to make significant changes, but several areas deserve close attention.

Summary of the changes

| Change | What it means | Impact on organisations |
| --- | --- | --- |
| MFA enforcement | Multi-factor authentication must be enabled wherever it is available on cloud services | Organisations can fail if MFA is available but not implemented |
| Cloud services in scope | Cloud services must be included in scope and cannot be excluded | Businesses need to review Microsoft 365, Google Workspace, SaaS tools and other cloud platforms |
| Simpler scoping rules | Internet-connected devices and systems are more clearly in scope | Less ambiguity, stricter scope expectations |
| ‘Passwordless’ focus | Passkeys and stronger authentication methods are encouraged | Greater emphasis on modern identity protection |
| Application development guidance | Secure development guidance now aligns with the Software Security Code of Practice | More focus on secure coding and testing practices |
| Backups given more weight | Backup guidance is positioned earlier in the requirements | Greater emphasis on recovery and resilience |

Multi-Factor Authentication Becomes Strictly Enforced

The most significant practical change relates to multi-factor authentication (MFA).

MFA is already part of Cyber Essentials; however, the marking process is changing.

Under the new rules, if a cloud service supports MFA and MFA is not enabled, the organisation will automatically fail the assessment. MFA counts as ‘available’ whether it is free, included in the cloud service, connected through another service, or offered as a fee-paying option.

This applies even if MFA requires an additional paid feature or integration with another service.

For many organisations this will require reviewing:

  • Microsoft 365 accounts
  • Cloud storage platforms
  • Remote access systems
  • SaaS business applications

Identity credentials have become one of the most valuable targets for attackers, so enforcing MFA is now considered a baseline requirement.

Cloud Services Must Be Included in Scope

A new formal definition of cloud services has been introduced in the updated requirements.

A cloud service is defined as:

An on-demand, scalable service hosted on shared infrastructure and accessed via the internet.

Examples include:

  • Microsoft 365
  • Google Workspace
  • Salesforce
  • Cloud storage platforms
  • Cloud hosted infrastructure

The important change is that cloud services can no longer be excluded from scope.

If an organisation stores or processes company data within a cloud platform, it must be included in the Cyber Essentials assessment.

This reflects the reality that most modern businesses operate in hybrid environments where cloud platforms are critical parts of the infrastructure.

Clearer Scope Requirements for Networks and Devices

The new version removes some confusing language around internet-connected devices.

Previously the scheme referred to terms such as:

  • “Untrusted networks”
  • “User initiated connections”

These qualifiers have now been removed.

The updated rule is simpler:

Any device that can:

  • Accept incoming internet connections
  • Initiate outbound internet connections
  • Control traffic between systems and the internet

must be considered within scope.

If organisations exclude parts of their infrastructure, they must now justify this to the assessor and explain how those systems are securely segregated.

Greater Focus on ‘Passwordless Authentication’

The user access control section has also been updated to highlight ‘passwordless authentication’.

Technologies such as:

  • Passkeys
  • FIDO2 security keys
  • Biometric authentication
  • Hardware tokens

are now strongly recommended.

These technologies remove traditional passwords and reduce the risk of:

  • phishing attacks
  • credential theft
  • password reuse

The National Cyber Security Centre increasingly promotes ‘passwordless authentication’ as the long term direction for secure identity management.

Application Development Guidance Updated

The section previously titled Web Applications has been renamed Application Development.

It now references the UK Government Software Security Code of Practice, encouraging organisations to follow secure development processes.

Key clarifications:

  • Commercial web applications are automatically in scope
  • Custom or bespoke application components may be outside scope

The emphasis is on using secure development practices and robust testing to prevent vulnerabilities.


Backups Given Greater Importance

Another structural change is the repositioning of backup guidance earlier in the requirements document.

This reflects a growing focus on cyber resilience, ensuring organisations can recover quickly after incidents such as ransomware attacks.

While backups were already expected, the change reinforces that recovery capability is an essential part of modern cyber security.

When the New Requirements Apply

The updated Cyber Essentials Requirements for IT Infrastructure v3.3 will apply to:

  • Assessment accounts created after 27 April 2026

Organisations that start an assessment before this date will continue using the existing requirements.

Once an assessment account is created, businesses have six months to complete the process.

What Organisations Should Do Now

Most organisations already aligned with Cyber Essentials will not face major disruption, but there are several sensible preparation steps:

  1. Enable MFA everywhere it is available
  2. Review cloud services in use
  3. Confirm your infrastructure scope
  4. Check backup and recovery capability
  5. Review identity and authentication controls

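The following script is an added example, not code from the original post or from NCSC or IASME. It turns steps 1 to 3 above into a pre-assessment readiness check: it encodes the post's MFA rule (any form of availability, including a paid option, counts as ‘available’, and available-but-disabled MFA is an automatic fail), the rule that cloud services cannot be excluded from scope, and the device scoping rule (inbound, outbound, or traffic control means in scope, and an exclusion needs a segregation justification for the assessor). The inventory, the field names and the severity labels are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Every form of MFA availability the post lists counts as "available".
MFA_AVAILABLE_FORMS = {"free", "included", "via_other_service", "paid"}


@dataclass
class CloudService:
    name: str
    mfa_availability: str        # one of MFA_AVAILABLE_FORMS, or "none"
    mfa_enabled: bool
    excluded_from_scope: bool = False


@dataclass
class Device:
    name: str
    accepts_inbound: bool
    initiates_outbound: bool
    controls_internet_traffic: bool
    excluded_from_scope: bool = False
    segregation_justification: str = ""   # what you would tell the assessor


def mfa_finding(svc: CloudService):
    """Rule 1: MFA available in any form but not enabled is an automatic fail."""
    if svc.mfa_availability in MFA_AVAILABLE_FORMS and not svc.mfa_enabled:
        return f"FAIL {svc.name}: MFA is available ({svc.mfa_availability}) but not enabled"
    return None


def device_in_scope(dev: Device) -> bool:
    """Rule 2: a device that can do any of the three things is in scope."""
    return dev.accepts_inbound or dev.initiates_outbound or dev.controls_internet_traffic


def readiness_report(services, devices):
    """Return {'fail': [...], 'action': [...]} for a constructed inventory."""
    report = {"fail": [], "action": []}
    for svc in services:
        if svc.excluded_from_scope:
            report["fail"].append(f"FAIL {svc.name}: cloud services cannot be excluded from scope")
        finding = mfa_finding(svc)
        if finding:
            report["fail"].append(finding)
    for dev in devices:
        if not device_in_scope(dev):
            continue   # out of scope by the new rule; no justification needed
        if dev.excluded_from_scope and not dev.segregation_justification.strip():
            report["action"].append(
                f"ACTION {dev.name}: in-scope device excluded without a segregation justification")
    return report


def passes(report) -> bool:
    """Only 'fail' findings block certification; 'action' items need explaining."""
    return not report["fail"]


# Constructed sample inventory; these are not real systems.
SERVICES = [
    CloudService("Microsoft 365", "included", mfa_enabled=True),
    CloudService("File-sharing SaaS", "paid", mfa_enabled=False),        # paid MFA still counts
    CloudService("Legacy ticketing SaaS", "none", mfa_enabled=False),    # nothing to enable
    CloudService("Cloud backup platform", "free", mfa_enabled=True, excluded_from_scope=True),
]
DEVICES = [
    Device("Edge firewall", accepts_inbound=True, initiates_outbound=True, controls_internet_traffic=True),
    Device("Finance laptop", False, True, False),
    Device("Build server", True, True, False, excluded_from_scope=True),
    Device("Air-gapped lab PC", False, False, False, excluded_from_scope=True),
    Device("Guest Wi-Fi router", True, True, True, excluded_from_scope=True,
           segregation_justification="Separate VLAN, no route to the corporate network"),
]

if __name__ == "__main__":
    rep = readiness_report(SERVICES, DEVICES)
    for line in rep["fail"] + rep["action"]:
        print(line)
    print("Ready for assessment:", passes(rep))
```

On the sample inventory the script reports two failures (the paid-but-disabled MFA on the file-sharing service and the excluded cloud backup platform) and one action (the build server excluded without a justification); the air-gapped PC is out of scope under the new wording and needs no justification, and the guest router's exclusion is accepted because a segregation justification is recorded.
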
Taking these steps now will ensure a smooth certification process when the updated requirements take effect.


Cyber Essentials as a Foundation for Cyber Resilience

Cyber Essentials is designed as a baseline standard, but the five technical controls provide powerful protection when implemented correctly.

For many organisations, Cyber Essentials also forms the starting point for broader cyber security improvements, including:

  • vulnerability management
  • identity protection
  • threat monitoring
  • incident response planning

By strengthening the scheme’s guidance around identity and cloud services, the April 2026 updates reflect how modern IT environments operate.

Please see our Cyber Security Compliance Services page to see how Amicis can help you
