The Cyber Essentials scheme evolves every year to reflect the changing threat landscape and lessons learned from real-world incidents. While the five core technical controls remain the same, April 2026 will bring a series of important updates that affect certification requirements, marking criteria, scoping rules, and the Cyber Essentials Plus assessment process. 

If you’re planning to certify or recertify in 2026, these changes deserve close attention. We explain more in this article.

When do the changes to Cyber Essentials take effect? 

The updated requirements will apply to all assessment accounts created after 26 April 2026. Organisations that begin their assessment before this date will have a six-month transition period to complete certification under the current version. The revised Requirements for IT Infrastructure (v3.3) document will form the new baseline.

What Will Now Result in an Automatic Fail?

One of the most significant developments is the expansion of “auto-fail” conditions, meaning more things now trigger an automatic fail rather than being assessed case by case.

Multi-Factor Authentication (MFA) 

Multi-Factor Authentication is now a firm requirement for all cloud services where it is available. This applies whether MFA is included as standard or offered as a paid option. Failure to enable MFA for eligible cloud services will result in an automatic fail. This move reinforces the central role MFA plays in preventing account compromise and aligns the scheme more closely with guidance from the National Cyber Security Centre.

14-day rule for critical updates 

Two new assessment questions relating to patch management will also carry automatic failure status. Organisations must confirm that high-risk or critical security updates are applied within 14 days of release for: 

  • Operating systems 
  • Router and firewall firmware 
  • Applications (including associated files and extensions) 

Delays in applying critical patches remain one of the most common causes of successful cyber attacks. The updated rules remove ambiguity and set a clear expectation: critical updates must be implemented promptly across the entire in-scope environment.
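As an added illustration (my own code, not tooling from the scheme, IASME or the NCSC), the check below evaluates a constructed patch inventory against the 14-day rule for the three categories listed above. It measures each update from its release date, treats a not-yet-installed update as overdue only once the 14 days have passed as of the assessment date, and reports failures per category. The device names, update identifiers and dates are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# 14-day window for high-risk / critical updates, as described in the article.
PATCH_WINDOW = timedelta(days=14)
CATEGORIES = ("os", "firmware", "application")


@dataclass
class UpdateRecord:
    device: str
    category: str              # one of CATEGORIES
    update_id: str             # constructed identifier, not a real vendor KB or CVE
    released: date             # vendor release date of the critical update
    installed: Optional[date]  # None if the update has not been applied yet


def days_overdue(rec: UpdateRecord, as_of: date) -> int:
    """Days past the 14-day deadline (0 when on time or still within the window).

    An uninstalled update is measured against `as_of`, i.e. the assessment date,
    so an update released less than 14 days ago is not yet a failure.
    """
    deadline = rec.released + PATCH_WINDOW
    effective = rec.installed if rec.installed is not None else as_of
    return max(0, (effective - deadline).days)


def assess(records, as_of: date):
    """Return (overall_pass, failures) where failures maps each category
    to a list of (device, update_id, days_overdue) tuples."""
    failures = {cat: [] for cat in CATEGORIES}
    for rec in records:
        if rec.category not in failures:
            raise ValueError(f"unknown category {rec.category!r} for {rec.device}")
        late = days_overdue(rec, as_of)
        if late > 0:
            failures[rec.category].append((rec.device, rec.update_id, late))
    overall_pass = all(not v for v in failures.values())
    return overall_pass, failures


# Constructed sample inventory; AS_OF stands in for the certificate issue date.
AS_OF = date(2026, 4, 1)
SAMPLE_RECORDS = [
    UpdateRecord("laptop-01", "os", "OS-2026-03-A", date(2026, 3, 1), date(2026, 3, 10)),
    UpdateRecord("fw-edge-01", "firmware", "FW-2026-02-B", date(2026, 2, 10), date(2026, 3, 5)),
    UpdateRecord("ws-07", "application", "APP-2026-03-C", date(2026, 3, 20), None),
    UpdateRecord("ws-08", "application", "APP-2026-02-D", date(2026, 2, 1), None),
]


def sample_assessment():
    """Run the check over the constructed inventory."""
    return assess(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    ok, failures = sample_assessment()
    print("PASS" if ok else "FAIL (auto-fail condition met)")
    for cat, items in failures.items():
        for device, update_id, late in items:
            print(f"  {cat:<12} {device:<12} {update_id:<16} {late} day(s) overdue")
```

In the sample run, the operating-system update was applied within 9 days and passes; the firewall firmware was applied 9 days late and the older application update has been outstanding for 45 days, so the inventory fails. The newer application update is still inside its window and is not counted, which mirrors the “point in time” reading: what matters is the state on the assessment date.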

Clearer scoping and greater transparency 

Defining scope has historically been one of the trickiest parts of Cyber Essentials, particularly for larger or more complex organisations. The April 2026 changes introduce several improvements designed to make scope clearer and more transparent. 

More detailed scope descriptions 

Certificates will no longer be restricted to a short summary of scope. Organisations can provide a fuller description via the digital certificate platform, improving clarity for customers and stakeholders. 

Declaring exclusions 

If parts of your infrastructure are excluded from scope, you will now need to formally describe those exclusions and explain how they are segregated from in-scope systems. While this information will not be publicly visible, it will be required during assessment. 

Legal entity visibility 

Organisations must specify which legal entities are included in scope, including name, address, and company number. It will also be possible to request individual certificates for each legal entity within a wider certified group (for an additional fee). 

Together, these changes aim to reduce ambiguity and prevent misunderstandings about what is and isn’t protected by certification.

Clarifying the “point in time” requirement 

Cyber Essentials has always been described as a “point in time” assessment, but this has sometimes caused confusion. From April 2026, the scheme will explicitly define the “point in time” as the date the certificate is issued. Systems must be supported and compliant at that date, not simply at the time the questionnaire was first completed. 

Stronger accountability through updated declarations 

The declaration signed by a board member or director during the verified self-assessment process will be strengthened. It will now explicitly confirm the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period, not just on the day of assessment.

This reinforces that Cyber Essentials is not a one-off exercise but an ongoing commitment. 

Changes to Cyber Essentials Plus 

The April 2026 updates also introduce important refinements to Cyber Essentials Plus (CE+), which includes hands-on technical verification. 

Tighter controls around update testing 

Audits have identified cases where organisations remediated patching issues only on devices selected for sampling during CE+ testing, rather than across the full scope. 

Under the new approach: 

  • If a sampled device fails the update check, the organisation must remediate. 
  • During retesting, assessors will check both the original sample and a new random sample. 
  • A second failure may lead to revocation of the verified self-assessment certificate. 

This change is designed to ensure that patch management is consistently applied across the whole environment, not selectively. 

No post-test questionnaire changes 

Organisations will no longer be allowed to amend their verified self-assessment responses after CE+ testing begins. The self-assessment must be finalised and locked before technical testing starts, preserving the integrity of the process. 

Updates within the Requirements for IT Infrastructure v3.3 

The updated requirements document also introduces clarifications and structural changes: 

  • Clear definition of cloud services – Cloud services are defined as on-demand, scalable services hosted on shared infrastructure and accessed via the internet. Any cloud service storing or processing organisational data must be in scope and cannot be excluded. 
  • Simplified scoping language – Certain legacy terminology around internet connections has been removed to reduce confusion. 
  • Application development guidance – The former “web applications” section is renamed “application development” and references the UK Government Software Security Code of Practice. Commercial off-the-shelf web applications remain in scope by default. 
  • Backups guidance repositioned – Backup expectations are emphasised earlier in the document to underline their importance in incident recovery. 
  • User access control enhancements – Greater recognition of passwordless authentication methods, such as passkeys, as a more secure alternative to traditional passwords. 

In addition, the new Danzell question set is scheduled for publication in February 2026 ahead of the April rollout. 

What should organisations do now? 

If your renewal falls after April 2026, you should: 

  1. Review your use of MFA across all cloud services. 
  2. Assess whether your patch management processes consistently meet the 14-day requirement. 
  3. Revisit your scope definition and document any exclusions clearly. 
  4. Ensure leadership understands the strengthened declaration and ongoing compliance expectations. 
  5. For CE+, confirm that update management is applied uniformly across your entire environment. 

The April 2026 updates don’t introduce new controls, but they do remove grey areas and raise the bar on enforcement. The emphasis is clear: consistent patching, mandatory MFA for cloud services, better scoping transparency, and stronger accountability. 

For organisations that already treat Cyber Essentials as a year-round security baseline rather than a checkbox exercise, these changes should reinforce existing good practice. For others, now is the time to close any gaps before the new requirements take effect. If you’d like to know more about how to get ahead with Cyber Essentials, contact our team who can help.