Cyber Essentials and Cyber Essentials Plus: April 2026 changes organisations should prepare for now
Organisations using Cyber Essentials for assurance, evaluation, contracts or governance will face stricter compliance requirements. These changes are intended to improve clarity, consistency and effectiveness, while keeping the scheme aligned with evolving cyber threats.
The scheme emphasises uniform implementation of key controls, stricter standards and improved transparency across all departments, potentially impacting future assessments and certification.
What is changing?
From 26 April 2026, important updates to the Cyber Essentials scheme and Cyber Essentials Plus assessment will take effect for new assessment applications created after that date. A new question set, named Danzell, and the Cyber Essentials Requirements for IT will become active from this date.
The five technical control areas remain the same, but the way some requirements are assessed is becoming stricter. The April 2026 updates place particular emphasis on multi-factor authentication, timely patching, accurate scoping and ongoing compliance throughout the certification period.
1. Multi-factor authentication (MFA)
MFA will be mandatory for all cloud services where it is available. Failure to enable MFA for those services will result in an automatic failure, whether the feature is free, included in the licence or available as a paid option.
2. Patch management requirements
Two update-management questions will become auto-fail requirements. Organisations must apply high-risk or critical security updates within 14 days for:
- Operating systems, and router and firewall firmware
- Applications, including associated files and extensions.
For many organisations, this will be one of the most significant practical changes. It reduces the scope for treating delayed patching as an issue to tidy up at assessment time. Instead, patching discipline will need to be visible across the estate as a matter of routine.
3. Scope descriptions will need to be more precise
Scope has long been one of the more difficult areas for larger or more complex organisations. The changes are detailed below.
- Detailed scope descriptions will now be supported. Organisations will no longer be limited to a brief scope description on their certificates. Instead, they will be able to provide a detailed scope description, which will be available to view via the digital certificate platform.
- Organisations must declare any out-of-scope systems. This information will not be made public.
- All legal entities included must be clearly identified, providing details such as the entity’s name, address and company number.
- Optional separate certificates per legal entity will be available, for which there will be a small charge.
Where organisations have multiple entities, segmented environments or partial exclusions, they will need to be confident that the declared position is clear, accurate and defensible.
4. Clarification of “point in time”
The certification point in time will now explicitly refer to the certificate issue date, so organisations will need to ensure that all their systems are supported at the date of certification.
5. Ongoing compliance requirement
Organisations must commit to maintaining compliance throughout the certification period, not just at the point of assessment. The declaration signed by a board member or director as part of the Cyber Essentials validation stage will be updated to include a statement acknowledging the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period.
What is changing in Cyber Essentials Plus?
The April 2026 changes are also important for organisations pursuing Cyber Essentials Plus (CE+), where the technical assessment requirements will be tighter.
1. Full compliance will be expected before CE+ starts
Organisations must now be fully compliant before proceeding to CE+. Where non-compliances are identified, they must be addressed and the verified self-assessment must be completed again before moving on to CE+.
In practice, that raises the preparation threshold. It will be more important to validate the self-assessment properly before entering the CE+ process.
2. No changes to the verified self-assessment after testing begins
Once CE+ testing has started, organisations will no longer be able to change their verified self-assessment responses in response to audit findings.
This increases the need for internal review before submission. Any assumptions made in the questionnaire will need to stand up to later verification.
3. Scope validation
Where systems or networks are excluded from scope, organisations will need to justify those exclusions and demonstrate that they are securely segregated from the in-scope environment. IASME says this includes making sure the number of networks declared in the self-assessment reflects the actual environment.
For businesses with hybrid estates, acquisitions, multiple offices or legacy enclaves, this may require more preparation than in previous years.
4. Stronger verification of patch management
One of the key updates is that patching must be demonstrable across the whole organisation’s scope, not just on the devices selected for testing.
Where the initial device sample fails the internal vulnerability-scan stage, a second sample will also be tested, and failures across both samples will lead to CE+ failure and revocation of the Cyber Essentials Basic certificate.
Additional updates
Application development requirements updated
The web applications section has been expanded to application development and aligned with the UK government’s Software Security Code of Practice. Commercial off-the-shelf applications are in scope by default.
What should organisations do now?
For most organisations looking to renew, the immediate priority is to start preparing now rather than waiting for the renewal date. A gap assessment before the next certification cycle should focus on four areas.
First, confirm that MFA is enabled across all cloud services where available. Second, test whether patch management processes can reliably meet the 14-day rule for high-risk and critical updates.
Third, review whether the current scope statement accurately reflects the real environment, including legal entities and excluded areas. Finally, where anything is excluded, confirm that segregation is real, documented and capable of being evidenced.
For some organisations, the technical work may be relatively modest. The bigger challenge may be governance: knowing what is in scope and what is excluded, and being able to demonstrate that the stated position is true at the point of certification and maintained afterwards.
Why this matters
Cyber Essentials continues to be promoted by the NCSC as a practical baseline against common online threats, and it is increasingly used by customers and contracting authorities as a visible sign that cyber security is being taken seriously.
The April 2026 changes do not alter the purpose of the scheme, but they do raise expectations around consistency and evidence. Organisations that prepare early are likely to find the transition manageable. Those that rely on last-minute remediation may find the new requirements less forgiving.
How Moore Kingston Smith can help
The April 2026 updates are a good opportunity to review whether your current Cyber Essentials position remains fit for purpose.
We support organisations by reviewing their current compliance against the updated requirements. This includes testing that patching and MFA controls operate consistently in practice, helping define a robust certification scope and identifying issues that may cause difficulty in a future CE+ assessment.
For organisations planning a new application, renewal or considering CE+ for the first time, an early review can help reduce the risk of delay, failure or unnecessary rework.
If you would like to schedule a free 30-minute call to discuss Cyber Essentials, please get in touch.
