Cyber Essentials is changing, and if your organisation is planning on getting or renewing your certification in 2026, there are some important changes you’ll need to prepare for.
From 27 April 2026, updates to the Cyber Essentials assessment framework will come into effect. These changes have been introduced following real-world cyber breach investigations and are designed to strengthen the scheme and improve consistency across assessments.
As a Cyber Essentials provider, our role is to help organisations understand what’s changing, what it means, and how to stay compliant without unnecessary disruption. Here’s what you need to know:
What’s Changing, And What’s Staying The Same
The good news first: The five core controls of Cyber Essentials remain unchanged. However, there are now updates to the assessment framework, marking criteria, and Cyber Essentials Plus (CE+) methodology. These changes are designed to enhance clarity, consistency, and the overall integrity of the certification process.
Key Updates:
Stricter Marking Criteria (New and Updated)
As previously announced, Multi-Factor Authentication (MFA) will now be mandatory for all cloud services where it is available. If MFA is not enabled, this will result in an automatic failure of the assessment.
In addition, as a new change, organisations will need to install high-risk or critical security updates for operating systems, routers and firewall firmware, and applications within 14 days of release. If these are not installed, this will also cause an ‘auto-fail’.
Improved Scope Definition and Transparency (New)
Another key change is scoping. From April 2026:
- Organisations must provide detailed scope descriptions and are no longer limited by word count. These will also be visible on the digital certification platform
- Organisations must clearly list all legal entities included in the certification
- Any excluded systems or areas must be explained (this information won’t be public)
- Where multiple legal entities are included, individual certificates will be issued for each one, ensuring greater transparency
These changes are intended to improve transparency and ensure certifications accurately reflect what is, and isn’t, covered.
Cyber Essentials Plus (CE+): More Rigorous Testing
For organisations pursuing Cyber Essentials Plus, the assessment process will become more thorough:
- The CE+ process will now include stricter verification of update management compliance. If missing updates are found, assessors will re-test affected devices and test a new random sample to ensure fixes have been applied consistently
- Once CE+ testing begins, organisations cannot change their self-assessment answers
This reinforces the importance of accuracy and readiness before CE+ testing starts.
What This Means for Your Organisation
Overall, these changes raise the bar, but they also reduce ambiguity and reward organisations that already follow good security practices.
To prepare, we recommend:
- Reviewing MFA coverage across all cloud services
- Confirming patching timescales meet the new 14-day requirement
- Revisiting your Cyber Essentials scope and legal entity structure
- Preparing thoroughly before starting Cyber Essentials Plus testing
How We Can Help
If you are planning to achieve or renew Cyber Essentials, timing matters. Organisations that contact us and begin the Cyber Essentials process before 27 April 2026 will still be able to certify against the current version of the scheme, rather than the updated requirements coming into effect on 27 April 2026.
This can be particularly helpful if:
- You are close to renewal and want to avoid last-minute changes
- You need more time to roll out MFA or improve patching processes
- You want certainty around requirements during an already busy period
Our expert team of consultants can help your organisation through all aspects of the certification process, including conducting an initial gap analysis, and providing support with the application and awarding certification.
If you’re unsure how these changes affect you, or want help getting ahead of them, get in touch with our team. We’re here to make the process clear, compliant, and as smooth as possible.
Get in touch today:
📧 info@istormsolutions.co.uk
📞 01789 608708