Cyber Essentials April 2026: What’s Changing?

By Shruti Chaudhary

It’s that time of year again: from April 2026, the Cyber Essentials framework will be updated in a continued effort to reflect the way organisations work today, in the cloud, across multiple devices, and with increasing reliance on identity and access controls.

These updates form part of the annual review carried out by IASME and the National Cyber Security Centre (NCSC) and will apply to all new Cyber Essentials assessments created on or after 27 April 2026.

The updates to Cyber Essentials Requirements for IT Infrastructure v3.3 are largely about clarity and consistency, not a wholesale redesign of the scheme, so that’s good news for many organisations. However, there are a few important changes that we need to understand and prepare for.

To recap, Cyber Essentials is a government-backed initiative designed to help organisations protect themselves from common cyber threats. Regularly updated to ensure it remains effective, it provides a set of baseline technical controls aimed at preventing the most common forms of cyber-attacks, such as phishing, malware, and ransomware.

Certification offers businesses a practical way to demonstrate their commitment to cyber security, giving clients, partners, and employees added confidence.

The April 2026 updates

The updated standard, known as Cyber Essentials Requirements for IT Infrastructure v3.3, goes live on 27 April 2026.

  • Any assessment account created on or after 27 April 2026 must meet the new requirements
  • Once an assessment account is created, the applicant has six months to complete the assessment. Any active assessment accounts set up before April 27th will continue to use the previous version of the assessment questions.

Providing advance notice of changes gives organisations the time they need to understand the updates and prepare without disruption.

What’s new in the Cyber Essentials scheme?

Multi-Factor Authentication

MFA has always been part of Cyber Essentials, but April 2026 marks a significant shift in how it is assessed. From April 2026:

  • If a cloud service supports MFA, it must be enabled
  • This applies whether MFA is:
    • Free
    • Included as standard
    • Available via another service
    • Only available through a paid upgrade
  • If MFA is available and not enabled, the assessment will automatically fail

This update removes any remaining flexibility around “optional” MFA and reinforces how critical it is in preventing common attacks such as credential phishing and account compromise.

Cloud services are now clearly defined

For the first time, the Cyber Essentials requirements include a formal definition of a cloud service.

A cloud service is defined as an on-demand, scalable service that:

  • Is hosted on shared infrastructure
  • Is accessible via the internet
  • Stores or processes organisational data
  • Is accessed via an account

This change is designed to remove ambiguity and ensure organisations are clear on what should be considered within scope.

Cloud services can’t be excluded from scope

Alongside the new definition, IASME has clarified that cloud services cannot be excluded from a Cyber Essentials assessment.

If a service stores or processes your organisation’s data (e.g., email platforms, identity providers, or SaaS business applications) it is considered in scope for Cyber Essentials and must meet the scheme’s technical requirements.

This reflects the reality of modern IT environments, where cloud services are central to day-to-day operations. For most organisations, the cloud isn’t an add-on; it’s where collaboration happens, where data lives, and where teams keep their work moving.

Clearer wording, not major new technical requirements

Alongside enhancements such as MFA and cloud scoping, the April 2026 update is largely centred on making the requirements document clearer, more consistent, and easier to navigate. Rather than introducing major new technical demands, the update focuses on refining language, aligning terminology, and improving overall readability.

IASME has confirmed that:

  • Most changes are minor wording updates
  • The intention is to remove uncertainty and align expectations
  • The updates are not expected to significantly impact compliance for most organisations

Any new or updated wording in the requirements document is clearly highlighted by IASME in blue, making it easier for applicants and assessors alike to understand what’s expected.

Changes to marking criteria 

It has also been confirmed that further updates to the assessment questions and marking criteria will follow later this year, with all changes aligned to the revised requirements document. IASME plans to publish these details separately, giving organisations time to understand what’s changing and what it means for their certification journey.

For now, the most practical and immediate step is to review how MFA is being used across your environment and ensure your cloud services are configured appropriately ahead of April 2026. Taking these actions early helps pave the way for a smoother, more confident transition when the new criteria come into effect.

What should organisations do now?

With several months’ notice ahead of the April 2026 launch, there’s time to prepare calmly and confidently. 

Key steps to consider include:

  • Reviewing all cloud services in use and confirming where MFA is available
  • Enabling MFA consistently across users and services
  • Ensuring cloud platforms are included within your Cyber Essentials scope
  • Familiarising yourself with the updated definitions and wording

Remember, these actions do more than simply support compliance; they also strengthen your everyday security practices.

Every step you take now helps build a more resilient foundation for your organisation, protecting your people and data long before the April 2026 changes arrive. By approaching this early and thoughtfully, you’re not only preparing for the updated Cyber Essentials requirements, but also reinforcing habits and controls that reduce risk year-round.

Final word

The April 2026 Cyber Essentials updates recognise how dramatically everyday IT has shifted. Most organisations now depend on cloud platforms and identity-based access far more than traditional networks, so the scheme is evolving to match the way people actually work. By tightening expectations around MFA and offering clearer guidance on what qualifies as a cloud service, IASME and the NCSC are focusing attention on the controls that stop the majority of real-world attacks, without creating unnecessary complexity. Understanding these updates now puts organisations in a strong position to certify smoothly when the new requirements go live.

If you’d like guidance or simply want to talk through what the Cyber Essentials update means for your organisation, our friendly and knowledgeable cyber team is here to help you navigate the changes and guide you confidently through each step.