From 27 April 2026, the Cyber Essentials scheme will introduce updated requirements under the new Requirements for IT Infrastructure v3.3. These changes will apply to all new Cyber Essentials and Cyber Essentials Plus assessments created on or after that date.
Assessment accounts created before 27 April 2026 will continue under the current version of the standard.
The updates are being implemented by IASME Consortium, the delivery partner of the National Cyber Security Centre. Organisations will also complete their self-assessment using a new 2026 question set known as “Danzell”.
While described as refinements, these updates tighten baseline security requirements in ways that will affect certification readiness, particularly in the areas of identity security, cloud governance, vulnerability management and audit evidence.
As an IASME Certification Body supporting hundreds of organisations through Cyber Essentials and Cyber Essentials Plus each year, we want to ensure our customers understand exactly what is changing and how to prepare.
You can download the official Cyber Essentials: Requirements for IT Infrastructure v3.3 document here
What Is Changing in April 2026
1. Multi-Factor Authentication Becomes Mandatory Wherever Available
The most significant change is the strengthening of multi-factor authentication requirements.
Under v3.3:
- If a cloud service offers MFA, it must be enabled using an NCSC-approved method
- Failure to enable available MFA will result in automatic assessment failure
Organisations can no longer justify selective or partial MFA adoption where the capability already exists. This reflects the continued rise in credential-based attacks and the central role of identity protection in modern security models.
You will need full visibility of all systems and cloud services that support MFA and ensure it is consistently enforced.
2. Cloud Services Cannot Be Excluded from Scope
For the first time, Cyber Essentials formally defines a cloud service. Any on-demand service accessed over the internet that stores or processes organisational data must be included within scope.
This includes:
- SaaS platforms
- Collaboration suites such as Microsoft 365 and Google Workspace
- IaaS and PaaS environments
- Line-of-business cloud applications
Responsibility remains with your organisation, even where infrastructure is managed by a third-party provider.
If your business uses it and accesses it using company accounts or email addresses, it is in scope.
3. Stricter Device and Network Scoping Rules
Terminology such as “untrusted network” has been removed.
Under v3.3:
- All devices capable of establishing or accepting internet connections are considered in scope
- Any exclusions must be clearly documented and technically justified
- Legal entities included within certification must be explicitly identified
The updated framework also removes previous word limits in scoping descriptions, meaning clearer and more detailed explanations are now expected.
Organisations without mature asset inventories, network diagrams or segregation controls may face delays or clarification requests during assessment.
4. Security Updates Must Be Applied Within 14 Days
The updated standard strengthens requirements around vulnerability management.
Organisations must install high-risk or critical security updates within 14 days of release for:
- Operating systems
- Applications
- Firewalls
- Routers
Failure to meet this timeline will result in automatic assessment failure.
This change means patch management processes must be consistent, documented and operationally reliable across the estate.
5. Backup Guidance Elevated
Although backups are not one of the five core technical controls, the guidance now appears earlier in the standard to emphasise its importance.
Organisations are expected to treat recovery capability as a core resilience control. Backup frequency, retention, separation and restoration testing should all be properly documented.
6. Application Development Replaces “Web Applications”
The former “Web applications” section is now titled “Application development”. This aligns with the UK Government’s Software Security Code of Practice and reinforces secure-by-design principles throughout the development lifecycle.
Organisations developing internal or customer-facing applications should review governance and secure development practices against the updated expectations.
7. Passwordless Authentication Recognised
The updated requirements explicitly recognise passwordless authentication methods, including:
- FIDO2 authenticators
- Passkeys
- Biometrics
- Hardware tokens
While not mandatory, this signals a continued shift towards stronger identity assurance models.
Changes to Cyber Essentials Plus Audit Structure
There is also an important update to Cyber Essentials Plus remediation testing.
Previously, where vulnerabilities were identified during internal vulnerability scanning of a sampled device set, organisations had 30 days to remediate, and fixes were verified against the original sample.
From April 2026:
- If ‘Critical’ or ‘High’ vulnerabilities are identified during the internal scanning stage, the affected devices must be retested.
- An additional sample set of devices will be selected, to further validate fixes across the scoped estate.
- Assessors will verify that fixes have been applied across the wider estate
This change ensures remediation is applied consistently across the full environment, not just to the initially tested devices.
For organisations preparing for Cyber Essentials Plus, estate-wide remediation discipline is now more critical than ever.
What This Means for Your Organisation
The April 2026 update raises expectations across four key areas:
Identity Security
MFA must be universally enforced wherever available. Shadow IT and unmanaged SaaS adoption present increased risk.
Cloud Governance
All cloud services are now unquestionably in scope. Organisations must clearly define ownership, responsibility and configuration standards.
Patch Management Discipline
The 14-day update requirement demands structured, monitored and auditable patching processes. This must be apparent across the entire estate, and not just the sample selected by an Assessor.
Documentation and Evidence
Clearer scope definitions and stronger audit scrutiny means informal processes are unlikely to withstand assessment challenge.
Organisations that prepare early will experience smoother certification and reduced remediation pressure.
“The 2026 update is about clarity and consistency. Cyber Essentials has always focused on protecting organisations from the most common attacks, and these changes ensure the standard keeps pace with how businesses operate today. The important step now is preparation. Understanding what has changed and reviewing your environment early will make the transition straightforward. As an IASME Certification Body, we are here to support our customers throughout this process. If you have any questions about the new requirements, our team is ready to help.”
How We Support Our Customers
We support our clients across the full Cyber Essentials and Cyber Essentials Plus standards and are specialists in the practical application of the requirements.
Our role is not simply to assess, but to provide clear, accurate guidance aligned to the official standard and ensure customers understand exactly what is expected.
The April 2026 updates represent a meaningful tightening of the baseline standard. With the right preparation, they should not create barriers to certification, but they do require structured and proactive planning.
Questions?
If your renewal or new certification falls after April 2026, now is the right time to review your readiness and ensure there are no surprises when your assessment account is created under the new Danzell question set.
We are here to guide you through the transition with clarity and confidence.
If you have questions about an upcoming or ongoing certification, please contact your Account Manager, who will be able to support you directly.
We can also provide a clear, side-by-side comparison of the current and 2026 Danzell question sets if required, so you can understand exactly how the requirements differ.
