On 27th April 2026, Cyber Essentials is changing. From this date, IASME, the National Cyber Security Centre’s Cyber Essentials Partner, will implement changes through the revised Requirements for IT Infrastructure v3.3, the technical standard that underpins Cyber Essentials assessments.
Organisations will also be required to complete their self-assessment using a new 2026 question set, named Danzell.
The Cyber Essentials scheme updates annually to ensure it remains effective against evolving threats. Although IASME has positioned this year’s updates as refinements, the changes tighten the requirements in ways that will materially affect how organisations approach certification, identity security and cloud governance.
Strengthened multi-factor authentication (MFA) requirements, the mandatory inclusion of all cloud services, clearer scoping definitions and stricter enforcement of security updates all reflect the continued shift towards identity-centric security and operational resilience.
This article explains what is changing, why it matters, and how organisations can prepare effectively for Cyber Essentials certification ahead of the April 2026 updates.
What Is Changing in April 2026?
The April 2026 update removes ambiguity and strengthens baseline security expectations across identity, cloud and resilience.
1. Multi-Factor Authentication Becomes Non-Negotiable
The most significant change in the April 2026 Cyber Essentials Update is the strengthening of multi-factor authentication (MFA) requirements.
From v3.3 onwards:
- If a cloud service offers MFA, organisations must enable it, using one of the methods approved by the NCSC.
- Failure to enable available MFA will result in an automatic assessment fail rather than conditional remediation.
In simple terms, MFA is no longer a recommendation. The new standard makes it a strict compliance requirement. This reflects the continued rise of credential-based attacks and the central role of identity security in modern threat models.
As a result, organisations can no longer justify partial or selective MFA adoption where the capability already exists.
2. Cloud Services Must Always Be in Scope
For the first time, Cyber Essentials introduces a formal definition of a cloud service. Any on-demand, scalable service running on shared infrastructure and accessed over the internet cannot be excluded from scope. Importantly, responsibility for meeting Cyber Essentials requirements remains with the organisation, even when services are provided by third-party cloud vendors.
This includes:
- SaaS platforms
- Collaboration suites such as Microsoft 365 and Google Workspace
- IaaS and PaaS environments
- Specialist cloud-hosted business systems
This change removes ambiguity around what qualifies as a cloud service. Organisations must include any service that stores or processes organisational data and is accessed using a company-issued account or business email address within scope.
3. Scope Definitions for Devices and Connectivity Are Tightened
IASME has removed terminology such as “untrusted” or “user-initiated” internet connections.
Under v3.3:
- All devices capable of establishing or accepting internet connections are in scope.
- Where organisations exclude network segments, they must provide clear justification and evidence of effective segregation.
This change is designed to reduce interpretation risk during assessments and improve consistency across certifications.
4. Backup Guidance Receives Greater Emphasis
Backup guidance now appears earlier in the technical document. This change highlights recovery as a core cyber-resilience control rather than a secondary safeguard.
The update reflects real-world incidents, where the ability to restore systems quickly often determines the operational impact of an attack. Organisations should treat backups as an essential security capability, not simply a compliance requirement.
5. User Access Control Updated to Reflect Passwordless Authentication
Cyber Essentials v3.3 explicitly recognises passwordless authentication methods, including:
- FIDO2 authenticators
- Passkeys
- Biometrics
- Hardware tokens
This aligns the baseline with modern identity security practices. While passwordless authentication is not mandatory, its inclusion signals a gradual shift in expectations as authentication standards continue to evolve.
6. “Web Applications” Reframed as “Application Development”
The former “web applications” section has been reframed as “application development”. This aligns Cyber Essentials with the UK Government’s Software Security Code of Practice and reinforces secure-by-design principles.
The update places greater emphasis on governance and accountability throughout the development lifecycle.
7. Vulnerability Fixes & Security Updates
The updated guidance also strengthens expectations around security updates. Organisations must now install high-risk or critical security updates for operating systems, applications, routers and firewalls within 14 days of release in all instances.
Failure to meet these timelines will result in automatic assessment failure.
What This Means for Your Organisation
The April 2026 update raises expectations across identity, cloud and operational resilience.
Stronger Identity Controls Are No Longer Optional
With MFA mandatory wherever it is available, organisations need a complete and accurate view of how authentication is enforced across their cloud services. In practice, this often exposes gaps in SaaS governance and shadow IT.
Cloud Environments Will See Increased Audit Scrutiny
The explicit inclusion of cloud services removes the option to exclude key workloads from Cyber Essentials certification assessments.
For many organisations, this change requires closer coordination between IT, security and procurement teams to ensure ownership and responsibility are clearly defined.
Documentation and Evidence Expectations Will Increase
Organisations will need to provide more detailed scope descriptions during Cyber Essentials certification. The updated framework removes previous word limits and requires businesses to clearly identify all legal entities included within the certification.
Clearer scope boundaries and mandatory explanations for exclusions significantly raise the standard of evidence organisations must meet during Cyber Essentials certification assessments.
Organisations without mature asset management, network documentation and segregation controls face a higher risk of delay, challenge or rework during assessment.
Where evidence is incomplete or controls are inconsistently applied, organisations may need to remediate issues before certification can proceed.
Preparation Needs to Start Early
Assessment accounts created before 27 April 2026 will continue under the current version of the standard. Accounts created after this date will follow the updated Requirements for IT Infrastructure v3.3, alongside the associated Danzell question set.
Organisations should not treat this transition window as an opportunity to delay preparation.
Complex environments, legacy systems and decentralised cloud adoption take time to audit and remediate. Early preparation reduces risk, cost and disruption when preparing for Cyber Essentials certification.
Overall, the April 2026 updates signal a continued move towards clearer, less negotiable baseline controls. Organisations that rely on informal processes or legacy assumptions are more likely to experience assessment friction.
Strategic Insight: What Businesses Should Do Now
1. Conduct a Full Cloud Service Audit
Identify every cloud service used across the organisation, including those adopted independently by teams. Confirm MFA availability, configuration and usage.
2. Strengthen Identity and Access Management
Move beyond minimum MFA requirements towards a unified identity strategy. Enforce MFA consistently and review session policies, conditional access and privilege management.
3. Verify and Document Segregation
Where parts of the environment sit outside scope, ensure segregation is technically sound, clearly documented and defensible during assessment.
4. Re-evaluate Backup and Recovery Processes
Test restoration workflows, confirm backup security, and document frequency, retention and separation. Treat recovery as a first-class security control.
5. Improve Asset and Device Inventories
A reliable inventory is essential under the revised connectivity definitions. Automated discovery tools can help where environments are dynamic.
6. Plan Your Certification Timeline
Avoid scheduling Cyber Essentials certification or renewal close to April 2026. Early preparation delivers smoother assessments and stronger outcomes.
Summary – What’s Changing
- Cyber Essentials v3.3 launches in April 2026, accompanied by the updated assessment question set (Danzell)
- MFA must be enabled wherever available
- Cloud services cannot be excluded from scope
- Device and network scoping is clarified
- Passwordless authentication is formally recognised
- Backup guidance is elevated
- Application development aligns with national standards
Organisations that prepare early will achieve smoother certification and a stronger security posture.
Conclusion
The April 2026 Cyber Essentials Update represents a meaningful evolution of the scheme. By tightening MFA requirements, clarifying scope definitions and elevating recovery expectations, the Requirements for IT Infrastructure v3.3 set a higher baseline that organisations can no longer ignore.
The updates signal a continued move towards clearer, less negotiable baseline controls. Organisations that rely on informal processes or delayed update cycles are more likely to experience assessment friction.
This is not simply a compliance exercise. It is an opportunity to strengthen identity security, improve cloud governance and reduce operational risk.
Article by Assure Technical
07 Apr 2026 | Industry Articles


