In this blog, we outline the significant changes coming to Cyber Essentials and Cyber Essentials Plus on 27 April 2026, including the introduction of the Danzell Question Set and new expectations around multi-factor authentication (MFA), cloud service definitions and automatic failure questions. We explain the tightened scoping rules, updated guidance on web applications and backups, and the increased emphasis on passwordless authentication and MFA with the promotion of passkeys. The blog also outlines key updates to the Cyber Essentials Plus testing process and clarifies rules around point-in-time certification and restrictions on modifying VSA responses. Finally, we provide practical guidance on how organisations can prepare for these changes.
On 12 February 2026, IASME published a major update outlining the changes to the Cyber Essentials scheme, which come into effect on 27 April 2026. While organisations were already preparing for the revised Requirements for IT Infrastructure document released in November 2025, IASME has since confirmed additional adjustments and has formally released the new Danzell Question Set, which replaces the Willow set. These updates represent a significant revision of the scheme, aimed at improving clarity, strengthening assurance and ensuring greater consistency across assessments.
People who know about Cyber Essentials will recognise that the scheme is updated every year. IASME does this to keep it effective, because cyberattacks, technology, and the criminals behind them are constantly changing. URM recommends that organisations preparing for certification or renewal familiarise themselves with the new requirements as early as possible.
Below, we outline the key changes (including those released in November) and what they mean for you as applicants.
Changes to Cyber Essentials
Cyber Essentials, the scheme’s foundational, self-assessed certification, has seen a fairly significant tightening of requirements in some areas. In particular, changes around multi-factor authentication (MFA), the definition of cloud services, and scoping criteria are likely to have a considerable impact for many organisations. Below is a breakdown and explanation of each change.
Multi-factor authentication (MFA)
The requirement for MFA is already a part of Cyber Essentials. However, this latest update introduces a shift in expectations, with MFA now being mandatory wherever it is available. As such, if a cloud service offers MFA in any form (whether it’s built in, free, paid for, or provided through another service) you have to turn it on. If you don’t, the assessment will automatically fail. Under the current guidelines, failing to implement MFA results in a major non-compliance, but the Cyber Essentials assessment can still be passed.
The only exception applies to cloud services that do not offer MFA natively or through an identity provider (IDP). In these limited cases, you may use the service without enabling MFA, although this is recognised as a poor security practice. Where MFA is available, however, the expectation is clear: it must be enabled to meet the revised Cyber Essentials requirements, even if this involves purchasing an additional licence or paid feature.
The simplest way to check whether MFA is enabled is to connect to the service and see whether you are prompted for a second factor. If you aren’t, it probably isn’t turned on. During Cyber Essentials Plus assessments, the assessor will need to confirm that you have MFA enabled on all admin and standard user cloud service accounts. Generally, this will involve the assessor testing that MFA is enabled on all cloud services in your verified self-assessment (VSA), although alternative testing approaches can be applied where single sign-on (SSO)/SAML authentication is in place. In most cases, this can be evidenced by the assessor checking the MFA enforcement settings within the SSO solution used.
Changes to formal definition of cloud services
IASME has provided an updated definition of cloud services, with the aim of removing the ambiguity applicants currently struggle with when assessing what counts as a cloud service and whether the cloud services they use are in scope. It also reinforces the requirement that cloud services cannot be excluded from scope. The new definition is as follows:
‘Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes), and will store or process data for your organisation.
If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.’
If your organisation uses any form of cloud service, you will need to ensure that all services are listed in your response to Question A2.9 of your VSA. It is important to note that this will include social media accounts used for business purposes; these accounts will need to be declared on your VSA and, like all other cloud services, will need to have MFA enabled.
For the majority of cloud services, your assessors’ checks will involve confirming that you have MFA enabled, with the exception of infrastructure or platform-as-a-service (IaaS or PaaS), where additional checks will be carried out to confirm that you are configuring those services correctly.
Automatic failure questions
With the introduction of the Danzell Question Set, Questions A6.4 and A6.5 have been reclassified as automatic-failure questions, both of which relate to the 14-day patching requirements for high-risk and critical security updates.
Previously, failing to patch within 14 days constituted a major non-compliance, and organisations could receive up to two major non-compliances and still pass the assessment. This created edge cases where organisations were achieving certification despite not applying critical security updates promptly. By reclassifying these questions, the scheme reinforces the requirement to apply critical and high-risk patches within the set timeframe. This coincides with the changes to the CE+ assessment sampling requirements (see the ‘Update management compliance – second sampling’ section for more details).
Stricter scoping criteria
The latest updates introduce tighter scoping rules, affecting how organisations determine whether their Cyber Essentials certification applies to the whole organisation or only part of it. Previously, a company within a wider group could still achieve a ‘whole organisation’ certification even if other group entities were not included. Under the new rules, if you are part of a group and wish to certify only one company as a ‘whole organisation’, all of the following conditions must be met, and technical scope verification must not reveal any contradictions:
- Different legal responsibility: No shared director or board-level authority able to sign off the assessment
- Different network infrastructure: No shared networks or infrastructure components
- Separate legal entities: Distinct companies with no shared governance or oversight.
IASME has also introduced new certificate types, allowing you to request individual Cyber Essentials certificates for each legal entity included within a larger assessment scope. So, if your organisation is part of a group, every company covered by the assessment can receive its own certificate, displaying its specific name while still indicating that it forms part of the wider scope.
The new ‘Requirements for IT Infrastructure’ document updates another aspect around scoping that has previously been considered ambiguous. The previous document is worded in such a way that there is a grey area around untrusted internet-connected hosts and user-initiated outbound connections to devices via the internet. The updates look to provide clarity on which devices are in scope by removing complex wording and simplifying these statements.
Any organisations that have previously removed devices from scope because they were classed as not establishing user-initiated outbound connections, or because the device they accepted internet connections from was 'trusted', will no longer be able to descope these. The incoming guidelines confirm that the requirements apply to all devices that meet the following criteria:
- Can accept incoming network connections from internet-connected devices (e.g., where firewall rules allow inbound access)
- Can establish outbound connections to devices via the internet (i.e., any device that is able to initiate connections externally)
- Control the flow of data between any of the above devices and the internet (e.g., boundary devices such as firewalls or routers that manage outbound or inbound traffic).
In addition, organisations are now required to justify all out-of-scope networks and provide clear descriptions and reasons for exclusion, with the Danzell Question Set introducing several new questions that request more information around your certification scope. This information is separate from the main description shown on your certificate and will not be made public, so there is no risk of revealing information that could compromise your organisation. However, if you do want to provide a more detailed scope description on your certificate, you may now do so as the previous character limit has been lifted.
Finally, organisations with test and development environments will no longer be able to obtain a ‘whole organisation’ certification, as these networks must be formally descoped. This is because most test and development networks run or develop insecure products that may be vulnerable to attack. There will be caveats to this: if your test environment is testing the latest Windows patch on devices, for example, that is technically a supported piece of software. However, if you are developing commercial software, it will be unsupported at the time of development and therefore cannot be included within the scope of a Cyber Essentials certificate.
Web applications
The guidance for web applications has been updated and now refers to the UK Government’s Software Security Code of Practice rather than OWASP, and the section has been renamed from ‘Web applications’ to ‘Application Development’. The Software Security Code of Practice consists of 14 principles, and software vendors are expected to implement these to establish a consistent baseline of software security and resilience across the market.
It should be noted that this is only guidance, and the requirements for what is in scope of Cyber Essentials have not changed. Apps developed in-house and bespoke or custom components of web applications that are not publicly available commercial web applications are still out of scope.
User access control (UAC)
This section has been updated to increase emphasis on passwordless authentication and MFA with the promotion of passkeys, security keys, biometrics, etc. Passwordless methods are now being treated as equivalent to MFA (depending on how they’re configured), reflecting a shift toward modern, more secure authentication. The changes also include a paragraph detailing common examples of passwordless authentication. Any passwordless solutions used must be FIDO2 compliant.
Guidance on backups
Nothing has changed in the wording of this section, but it has been repositioned within the guidance document to emphasise the importance of having backups in place, as this enables organisations to recover quickly in the event of a cyber incident. Whilst backing up organisational data is still not a mandatory requirement of Cyber Essentials, recent high-profile cyber attacks have demonstrated just how devastating the lack of backups can be.
What Changes are Being Made to Cyber Essentials Plus
The scheme’s audited certification, Cyber Essentials Plus, has also been adjusted. Although most of the changes are relatively minor, there is a potentially extremely impactful update around the verification of update management compliance.
No major non-compliances allowed for Cyber Essentials Plus
If your organisation is seeking Cyber Essentials Plus certification, you will no longer be permitted any major non-compliances in your Cyber Essentials VSA. While you can still pass the VSA itself with up to two major non-compliances, as was already the case, you will now not be able to proceed with the CE+ assessment if any major non-compliances are present.
Update management compliance – second sampling
This is perhaps the most significant change that has been made to CE+. Currently, if the CE+ vulnerability scan identifies issues, you have 30 days to remediate, pass a retest and have your certificate issued to complete the CE+ assessment. So, under the current requirements, essentially the only way to fail the CE+ (assuming every other element is compliant) is to refuse to rectify an issue ahead of your retest.
However, the new rules dictate that if the first sample set fails the vulnerability scan (e.g., breaks the 14-day patching rule), your assessor will retest the original sample, as well as a second sample that exactly replicates the previous test, but with new devices. None of the devices in the first sample can be used in the second sample.
For example, if the first scan identifies that Google Chrome is out of date outside the 14-day window, this would technically be a fail of the CE+ at this stage. You will then need to patch the Chrome vulnerability across the entire IT estate, before the second sample is selected.
Following this, if both samples are clear, you will pass the assessment. However, if the second sample identifies any vulnerabilities that are also present in the first, you will fail the CE+ and your CE certificate will be revoked.
This has been introduced to ensure organisations apply patches to identified vulnerabilities across the entire IT estate, rather than just to the devices they know will be included in the retest. While this has always been the requirement and assumption, there have been instances of organisations only applying patches to devices included in the sample, rather than across the entire CE+ scope.
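To make the second-sampling rule concrete, here is an added Python model (not from IASME or URM, and not assessor tooling) that checks a constructed estate against the 14-day window, picks a second sample disjoint from the first and applies the pass/fail logic described above. The products, versions, release dates and device names are all constructed, and the ‘UNRESOLVED’ outcome for a vulnerability that appears only in the second sample is an assumption, as the text does not cover that case.

```python
from datetime import date, timedelta
import random

PATCH_WINDOW = timedelta(days=14)       # critical/high-risk updates: 14-day rule
ASSESSMENT_DATE = date(2026, 3, 20)     # constructed date of the first scan

# Constructed: latest critical release per product -> (version, release date).
RELEASES = {"chrome": ("131.0", date(2026, 3, 1)),
            "office": ("16.100", date(2026, 3, 10))}

# Constructed estate (no real hosts): device -> installed version per product.
ESTATE = {
    "lt-01": {"chrome": "130.0", "office": "16.100"},
    "lt-02": {"chrome": "131.0", "office": "16.100"},
    "lt-03": {"chrome": "130.0", "office": "16.99"},   # office still inside window
    "lt-04": {"chrome": "130.0", "office": "16.100"},
    "lt-05": {"chrome": "131.0", "office": "16.100"},
    "lt-06": {"chrome": "130.0", "office": "16.100"},
}

def overdue(devices, estate, today):
    """Device -> products whose latest critical release has been out for more
    than 14 days but is not installed (versions compared for equality)."""
    findings = {}
    for dev in devices:
        missing = {p for p, (ver, rel) in RELEASES.items()
                   if estate[dev].get(p) != ver and today - rel > PATCH_WINDOW}
        if missing:
            findings[dev] = missing
    return findings

def pick_second_sample(estate, first_sample, size, seed=0):
    """Second sample must not reuse any device from the first sample."""
    pool = sorted(set(estate) - set(first_sample))
    return random.Random(seed).sample(pool, min(size, len(pool)))

def products(findings):
    return set().union(*findings.values()) if findings else set()

def retest_outcome(first, first_retest, second):
    """Both samples clear -> PASS; a product from the original first-sample
    scan reappearing in the second sample -> FAIL; otherwise UNRESOLVED."""
    if not first_retest and not second:
        return "PASS"
    if products(second) & products(first):
        return "FAIL"
    return "UNRESOLVED"

def patch(estate, devices, product):
    """Return a copy of the estate with `product` updated on `devices`."""
    new = {d: dict(v) for d, v in estate.items()}
    for d in devices:
        new[d][product] = RELEASES[product][0]
    return new

def run_assessment(estate, first_sample, patch_scope, today=ASSESSMENT_DATE):
    """Scan first sample; if it fails, patch only `patch_scope`, then retest
    the first sample alongside a fresh, disjoint second sample."""
    first = overdue(first_sample, estate, today)
    if not first:
        return "PASS"                    # clean first scan: no second sampling
    for prod in products(first):
        estate = patch(estate, patch_scope, prod)
    second = pick_second_sample(estate, first_sample, len(first_sample))
    return retest_outcome(first, overdue(first_sample, estate, today),
                          overdue(second, estate, today))
```

Patching only the sampled devices yields FAIL because the second sample still carries the same out-of-date Chrome; patching the whole estate yields PASS.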
Clarification of point-in-time assessment
IASME has clarified that, for both CE and CE+, certification is based on the date your certificate is issued, not the submission date of your VSA or audit. While this has always been the case, there was previously some confusion around what the term ‘point-in-time’ referred to. As such, you will need to ensure that your systems are supported at the date of certification, not just when your assessment is submitted.
No adjusting CE VSA responses after CE+ begins
Organisations are now explicitly prohibited from changing their CE VSA responses once CE+ testing has commenced. The terms and conditions of the scheme will be updated to reflect this.
Next Steps
There are a number of steps you can take to prepare for compliance against the updated version of the scheme, maintain that compliance on an ongoing basis and, crucially, ensure your organisation is in the best position possible to protect against cyber attacks.
You need to consistently keep your environment patched and up to date; however, you should also be checking that patches are being applied correctly, and nothing is being missed. As such, it is always beneficial to implement some form of regular vulnerability scanning process, or engage a third party to perform these scans for you outside of the assessment cycle. If you are managing this internally, you need to ensure the individual responsible is adequately trained.
Enforcing MFA everywhere is essential, both for strengthening security and because non-compliance with MFA requirements now constitutes an automatic fail. Asset management should be improved so you know what you own and what needs protecting; with effective asset management in place, you should also implement reliable backups to support recovery after incidents.
Conclusion
The latest update to the Cyber Essentials requirements reflects IASME’s ongoing commitment to ensuring the scheme remains relevant and effective in the face of evolving cyber threats. With the new requirements coming into effect imminently, now is the time to identify gaps and plan any necessary adjustments. Staying ahead of these updates not only allows you to maintain compliance, but also strengthen your organisation’s overall security posture.
How URM Can Help
If your organisation would benefit from tailored advice and Cyber Essentials support, URM is ideally positioned to provide this. As an accredited certification body, URM has been trained and licensed to certify organisations against the scheme and, in this capacity, has provided Cyber Essentials consultancy to countless organisations and facilitated hundreds of assessments, providing us with a wealth of knowledge and experience around the scheme. As an Assured Service Provider under the NCSC’s Cyber Advisor scheme, our team of Cyber Advisors (Cyber Essentials) can offer you reliable advice to guide your implementation of the Cyber Essentials security controls and achieve a seamless and successful certification.
We can conduct a gap analysis prior to your assessment where we identify any areas of noncompliance in your existing policies and controls, and advise on how these can be remediated. When you feel ready for assessment, we can also provide a Cyber Essentials Application Review service, where URM’s assessor can either work through the questions with you before you complete the VSA, enabling you to successfully fill out the answers yourself, or check your already completed VSA before it is submitted. If you decide to go for Cyber Essentials Plus, we can conduct a technical pre-assessment on a smaller, but still significant, sample of systems, following which we will explain and provide recommendations for eliminating any areas of noncompliance.