- A revised Cyber Essentials question set will be introduced in 2026, requiring additional information about the organisation being assessed.
- Organisations must apply critical security updates within 14 days across operating systems, applications, and network device firmware.
- Multi-factor authentication (MFA) will be mandatory for cloud services that support it, with non-compliance resulting in automatic failure.
- If update issues are discovered during a Cyber Essentials Plus assessment, further testing will now be required.
Organisations that rely on Cyber Essentials certification – whether for contracts, insurance requirements, or security assurance – should begin reviewing their compliance position well ahead of the April 2026 deadline.
What’s changing and why
Cyber Essentials focuses on protecting organisations from the most common cyber attacks. To keep the scheme relevant, its requirements and assessment questions are regularly reviewed and updated.
The April 2026 update introduces several important changes aimed at tightening enforcement, embracing the latest proven cyber tools, and removing grey areas that have previously caused confusion among businesses.
Some of the biggest changes include:
1. A new question set
Each version of the Cyber Essentials questionnaire is given a unique name, allowing assessors and applicants to distinguish between versions over time. The latest update introduces a new question set, Danzell, replacing the previous Willow version used in earlier assessments.
Many of the additional questions are administrative in nature, but some are more noteworthy. Organisations will now be asked to clarify how remote workers connect to organisational systems and data, and state whether any networks or systems have been explicitly excluded from the scope of the assessment. This is in direct contrast to the former question, which asked only for networks and systems in scope.
2. Mandatory MFA for cloud services
Multi-factor authentication becomes a firm requirement under the 2026 Cyber Essentials update. Where a cloud platform provides MFA, organisations must use it. The scheme does not distinguish between free features, standard functionality, or paid upgrades. If MFA is available and not enabled, certification will not be granted.
This reflects a simple reality: password-only authentication is no longer considered sufficient protection for internet-facing services. Most modern cloud platforms already provide MFA capabilities. The requirement, therefore, focuses less on new technology and more on ensuring that MFA is consistently enabled.
3. The 14-day patch rule
The updated Cyber Essentials requirements also introduce a stricter rule on security updates. High-risk or critical patches must now be installed within 14 days of release. This applies across operating systems, router and firewall firmware, and applications, including associated software components.
The change reflects how quickly attackers now exploit newly discovered vulnerabilities. Delayed patching significantly increases the likelihood that weaknesses will be targeted before they are addressed.
4. Stricter retesting
The Cyber Essentials Plus (CE+) certification includes independent technical testing of devices and systems. The 2026 update introduces a stricter retesting policy when update failures are discovered.
Previously, some organisations resolved issues only on the specific device where the failure was identified, allowing the rectified devices to pass inspection even though similar vulnerabilities remained elsewhere in the environment.
The revised process addresses this loophole. If a random sample of devices fails the checks during a CE+ assessment, the retest will examine both the original sample and a new random sample. The aim is to ensure that vulnerabilities are resolved across the entire environment.
5. Greater transparency around scope
Another change focuses on how organisations define the scope of their Cyber Essentials assessment. Businesses must clearly declare all relevant legal entities involved in the certification, including those operating under separate governance structures that do not share the same network infrastructure. Where parts of an organisation are excluded from the assessment, those exclusions must be justified.
These requirements aim to prevent organisations from limiting assessments to only smaller parts of their environment while leaving other systems unexamined.
6. Clarifying “point-in-time” compliance
Cyber Essentials has long been described as a point-in-time certification, but the term has sometimes caused confusion among businesses. The updated scheme now clarifies that the relevant point in time is the date the certificate is issued. Therefore, organisations must ensure their systems meet the requirements on that specific date.
Your 90-day action plan
Organisations planning to renew or achieve Cyber Essentials certification should begin preparing well in advance. Taking a structured approach over the next three months can greatly reduce the likelihood of failing the assessment.
1. Audit MFA coverage: Identify all cloud services used by the organisation, and confirm that multi-factor authentication is enabled for each service that supports it.
2. Review patch management policies: Confirm that critical security updates are applied within the required 14-day window.
3. Define the assessment scope: Establish which legal entities, locations, and systems will be included within the certification.
4. Maintain evidence of vulnerability management: Assessors may request proof that vulnerabilities are consistently identified and resolved.
The Reliable approach
For many organisations, preparing for Cyber Essentials can be difficult without dedicated cybersecurity expertise.
Reliable supports businesses throughout the certification process, from initial readiness assessments through to ongoing compliance management.
Our approach focuses on practical preparation rather than last-minute fixes. We help organisations review MFA coverage, strengthen patch management processes, define appropriate assessment scope, and identify vulnerabilities before the official assessment.
Through continuous monitoring and regular security testing, organisations can maintain a consistent level of readiness rather than scrambling to prepare when certification renewal approaches.
Book a CE 2026 Readiness Review
The April 2026 changes reinforce the importance of strong cybersecurity fundamentals. Organisations that begin preparation early will find the transition far smoother than those attempting to address the requirements shortly before certification.
A Cyber Essentials 2026 Readiness Review provides a clear view of how your current environment compares with the updated requirements. We’ll assess your systems, identify issues that could arise during certification, and provide practical guidance on resolving them.
Book your CE 2026 Readiness Review today and ensure your organisation is ready for the new Cyber Essentials standard.

