
Cyber Essentials April 2026 Updates: What This Means for Your Business

Cyber threats continue to evolve, and so does the Cyber Essentials scheme.

While the five core technical controls remain unchanged, the April 2026 updates introduce stricter requirements, clearer scoping rules and tighter assessment processes. These changes are designed to strengthen protection against modern cyber risks and improve transparency across certifications. 

If you are planning to achieve or renew your Cyber Essentials certification in 2026, here is what you need to know and what you should be doing now. 

Why These Changes Matter to You

Each year, the IASME Consortium works with the National Cyber Security Centre (NCSC) to review feedback from audits, breach investigations and certified organisations. 

The April 2026 updates are based on real-world findings, particularly around: 

  • Delayed security updates 
  • Inconsistent implementation of multi-factor authentication 
  • Unclear scoping of infrastructure 
  • Gaps between Cyber Essentials and Cyber Essentials Plus 

From 26 April 2026, new assessment accounts will be assessed against the updated scheme. If you create your assessment account before this date, you will have six months to complete certification under the current version. 

The Key Changes You Need to Prepare For:

1. Multi-Factor Authentication Is Now Mandatory

If you use cloud services, multi-factor authentication will now be required wherever it is available. 

That includes: 

  • Free MFA options 
  • Built-in MFA 
  • Paid MFA features 

If MFA is available for a cloud service you use and you have not enabled it, you will automatically fail the assessment. 

This reflects the growing number of breaches caused by compromised credentials. Strong authentication is now considered essential baseline protection. 

What you should do now: 
Review all cloud platforms in use across your business and confirm MFA is enabled for every account. 

2. 14-Day Patch Rule Becomes Auto-Fail

Two new questions will now trigger automatic failure if not met: 

  • All high-risk or critical updates for operating systems and router and firewall firmware must be installed within 14 days. 
  • All high-risk or critical updates for applications, including associated files and extensions, must also be installed within 14 days. 

If you cannot demonstrate compliance, the assessment will result in automatic failure regardless of performance elsewhere. 

This change addresses one of the most common causes of successful cyber-attacks: delayed patching.

What you should do now: 
Review your patch management process and ensure critical updates are deployed consistently across all systems within 14 days. 
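A simple way to check your own position against the 14-day rule before an assessor does is to run an audit over your update inventory. The script below is an added illustration, not part of the original post or any Redsquid or IASME tooling. It assumes the 14 days are counted from the vendor's release date of the update, that only updates rated critical or high are in scope, and it conservatively treats an update that was installed after its deadline as a process failure even though the device is patched on the audit date. The device names and update identifiers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

PATCH_WINDOW = timedelta(days=14)          # the scheme's 14-day rule
IN_SCOPE_SEVERITIES = {"critical", "high"}  # assumption: only these ratings count

DateLike = Union[date, str]


@dataclass(frozen=True)
class UpdateRecord:
    device: str
    update_id: str
    severity: str
    released: date            # vendor release date (assumed start of the 14 days)
    installed: Optional[date]  # None means not yet installed on this device


# Constructed sample inventory; device names and update ids are hypothetical.
SAMPLE_INVENTORY = [
    UpdateRecord("laptop-01", "KB-EXAMPLE-1", "critical", date(2026, 5, 1), date(2026, 5, 9)),
    UpdateRecord("laptop-02", "KB-EXAMPLE-1", "critical", date(2026, 5, 1), None),
    UpdateRecord("fw-edge-1", "FW-EXAMPLE-2", "high", date(2026, 4, 20), date(2026, 5, 10)),
    UpdateRecord("laptop-03", "APP-EXAMPLE-3", "low", date(2026, 3, 1), None),
    UpdateRecord("laptop-04", "KB-EXAMPLE-4", "critical", date(2026, 5, 15), None),
]


def _as_date(value: DateLike) -> date:
    """Accept either a date or an ISO-8601 string such as '2026-05-20'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def deadline(record: UpdateRecord) -> date:
    """Last day on which the update may be installed and still meet the rule."""
    return record.released + PATCH_WINDOW


def classify(record: UpdateRecord, as_of: DateLike) -> str:
    """Classify one record relative to the audit date.

    ok            installed on or before the deadline
    late          installed, but after the deadline (process failure)
    overdue       not installed and the deadline has passed
    pending       not installed, but still inside the 14-day window
    not-in-scope  severity below the rule's threshold
    """
    if record.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "not-in-scope"
    due = deadline(record)
    if record.installed is not None:
        return "ok" if record.installed <= due else "late"
    return "pending" if _as_date(as_of) <= due else "overdue"


def audit(inventory, as_of: DateLike) -> dict:
    """Group every record by its classification on the audit date."""
    report = {k: [] for k in ("ok", "late", "overdue", "pending", "not-in-scope")}
    for record in inventory:
        report[classify(record, as_of)].append(record)
    return report


def failing_devices(inventory, as_of: DateLike) -> list:
    """Devices that would not demonstrate compliance with the 14-day rule."""
    report = audit(inventory, as_of)
    return sorted({r.device for r in report["late"] + report["overdue"]})


if __name__ == "__main__":
    audit_date = "2026-05-20"
    for status, records in audit(SAMPLE_INVENTORY, audit_date).items():
        for r in records:
            print(f"{status:12} {r.device:10} {r.update_id:14} due {deadline(r)}")
    print("failing:", failing_devices(SAMPLE_INVENTORY, audit_date))
```

Run it with an export of your real update inventory substituted for SAMPLE_INVENTORY; the "pending" bucket is the useful early-warning list, because those are the updates that will turn into automatic failures if they are still outstanding when the window closes.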

3. Greater Transparency Around Scope

Defining what is and is not included in your certification has historically caused confusion. The 2026 updates introduce clearer requirements. 

You will now need to: 

  • Provide a detailed scope description 
  • Declare any excluded areas of infrastructure 
  • Specify every legal entity included in scope 
  • Provide company numbers and addresses for those entities 

Customers, partners and stakeholders will have clearer visibility of what your certification covers. 

What you should do now: 
Review how your infrastructure is structured and ensure your scope accurately reflects your operational reality. 

4. “Point in Time” Clarified

Cyber Essentials is a point-in-time certification. The scheme now clearly defines this as the date your certificate is issued.

Your systems must be supported and compliant at that date. 

If you are running unsupported software when your certificate is issued, you will not meet the requirements. 

5. Board-Level Accountability Strengthened

The declaration signed during the Verified Self-Assessment process will now explicitly confirm that your organisation commits to maintaining compliance throughout the certification period. 

This reinforces that Cyber Essentials is not a one-off exercise. It is an ongoing responsibility. 

Changes to Cyber Essentials Plus

If you are pursuing Cyber Essentials Plus, the technical audit process is also becoming more robust. 

No More Selective Updating

Some organisations were found to update only the devices selected for testing rather than applying updates across their entire environment. 

From April 2026: 

  • If your initial device sample fails, you must remediate. 
  • During retesting, a new random sample will also be checked. 
  • A second failure may result in revocation of your certificate. 

This ensures compliance is organisation-wide and not limited to test devices. 

No Changes to Self-Assessment After Testing Begins

Once Cyber Essentials Plus testing starts, your Verified Self-Assessment answers cannot be amended. 

Your self-assessment must be: 

  • Complete 
  • Accurate 
  • Finalised before technical testing 

Preparation is now more important than ever. 

What This Means for Your Business

These updates do not introduce new controls, but they do raise the bar for consistency, enforcement and accountability. 

To prepare for April 2026, you should: 

  • Audit your MFA coverage 
  • Tighten patch management timelines 
  • Reassess your certification scope 
  • Ensure unsupported systems are removed or upgraded 
  • Prepare thoroughly before Cyber Essentials Plus testing 

If you are unsure whether your current setup will meet the updated requirements, now is the time to review it. 

Redsquid can help you assess readiness, close compliance gaps and approach certification with confidence.