What the Cyber Essentials update changes

Cyber Essentials has tightened rules on MFA, patching, and scope. The latest update sharpens automatic fail criteria, clarifies cloud and device scope, and leaves businesses with less room to treat baseline controls as optional.


Cyber Essentials remains the UK government’s recommended minimum cyber security standard for organisations of all sizes. The April 2026 update leaves the scheme’s five technical controls intact, while tightening parts of the assessment and narrowing the room for vague scoping.

According to IASME’s latest scheme update, the new requirements apply to assessment accounts created after 27 April 2026. The changes centre on multi-factor authentication, patching, cloud services, and the way organisations define the systems and services covered by certification.

What’s new in the Cyber Essentials update

The headline change is in the marking criteria. Where a cloud service offers multi-factor authentication, an organisation can now automatically fail if MFA is not enabled. IASME has also confirmed that two patching questions will now carry the same automatic fail if high-risk or critical security updates are not installed within 14 days.

The updated NCSC requirements document also adds a formal definition of cloud services, states that cloud services cannot be excluded from scope, and expands the language around passwordless authentication. The framework remains recognisable. The assessment is simply tighter.

What will now trigger a fail

MFA is the clearest pressure point. If a cloud platform supports it, businesses now need it switched on. That applies whether the feature is included as standard, provided through another service, or available only as a paid option.

Dominic Carroll, Director Portfolio at e2e-assure, says: “I welcome the annual updates to the Cyber Essentials marking criteria. This year’s change to make MFA a mandatory requirement to pass is long overdue. This won’t impact most organisations that are taking their cyber security seriously, as this has been basic practice for some time. But for those who are lagging behind, these are the kinds of basics we need to ensure are in place across the board.”

Patching is the second major compliance test. High-risk or critical vulnerability fixes for operating systems, applications, and router or firewall firmware must be applied within 14 days of release. Carroll says: “Additionally, increasing the focus on the timely installation of high-risk or critical security updates and vulnerability fixes is great to see. However, I still feel that 14 days is too long a window for high-risk critical security updates.”

How cloud services and remote working fit into scope

Remote working and bring-your-own-device models were already part of Cyber Essentials before this update. Version 3.3 of the requirements sharpens the way scope is described, particularly around cloud services, internet-connected systems, legal entities, and excluded infrastructure.

The revised wording makes it harder to present certification as a narrow snapshot if an organisation’s working environment is broader. SaaS tools, identity platforms, employee-owned devices, company laptops used off site, and services storing company data all need closer attention when a business prepares its assessment.

IASME has also introduced changes to certification wording, including a requirement for more detailed descriptions of what sits in scope and out of scope. That gives assessors and customers a clearer view of what the certification actually covers.

Do companies need passkeys now?

No. The updated requirements explicitly reference passkeys and FIDO2 authenticators in the passwordless authentication section, but Cyber Essentials does not require organisations to adopt passkeys in order to certify.

Niall McConachie, regional director for the UK and Ireland at Yubico, says: “The NCSC has used this update as an opportunity to name passkeys as the preferred authentication approach moving forwards. For businesses to ensure they are prepared for this, they should deploy hardware-backed passkeys, like security keys, across their infrastructure.”

The immediate requirement is still MFA where it is available. The newer wording signals stronger support for phishing-resistant, passwordless methods, rather than a mandatory shift to passkeys today.

What to check before renewal

Businesses preparing to renew, or certify for the first time, should start with four checks. First, confirm MFA is enabled across every cloud service that supports it. Second, review patching workflows against the 14-day rule for high-risk or critical fixes. Third, check that devices, services, and legal entities are described accurately in scope. Fourth, make sure any exclusions can be explained clearly.

The Cyber Security Breaches Survey 2025 found that 43% of UK businesses and 30% of charities identified a cyber breach or attack in the previous 12 months, with phishing still the most common attack type.

The April changes raise the bar on controls that many organisations already present as standard. MFA, patching discipline, and a credible definition of scope now sit closer to the centre of certification, with less room for partial adoption or loose interpretation.
