13 March 2026

2026 changes to Cyber Essentials and Cyber Essentials Plus – what you need to know

Significant updates are on the horizon for the Cyber Essentials and Cyber Essentials Plus certification schemes. On April 27th, 2026, version 3.3 of the Requirements for IT Infrastructure will go live, and the verified self-assessment process will adopt a new name: Danzell. These changes reflect the scheme’s ongoing effort to stay aligned with modern technology, evolving cyber threats, and the realities organisations face in securing their environments.

What this blog series will cover

This blog post is based on the official announcement from IASME, “Important Update: Changes to Cyber Essentials for April 2026”, and extends it with guidance on how best to prepare for the changes before certification.

In this post—and the posts that follow—we’ll take a deep dive into each of the upcoming changes in Cyber Essentials v3.3. You can expect:

  • Clear explanations of the revised or new requirements
  • The benefits these changes bring
  • Practical guidance on preparing for Danzell and the updated audit process
  • Tips for ensuring a smooth transition before April 27th, 2026

Whether you’re a security professional, business owner, or IT manager, this series will help you understand exactly what’s changing and how to stay compliant.

A young standard that continues to mature

The Requirements for IT Infrastructure document forms the backbone of Cyber Essentials. It defines the technical controls organisations must implement and maintain to reduce the likelihood of a security incident, particularly those resulting from low‑skill or opportunistic cyberattacks.

Alongside this, the Cyber Essentials Plus Test Specification outlines how auditors will validate that these controls are properly implemented, providing structure and transparency around the Plus assessment process.

Like any cybersecurity standard, Cyber Essentials must evolve to remain effective. Threat actors adapt quickly, technology stacks shift, and organisational risk landscapes change. Regular updates ensure the standard stays relevant, encourages continual improvement, and promotes consistent, secure practices across all certified organisations.

Although it may feel well established, Cyber Essentials is still relatively young. Launched in 2014, it has been revised multiple times as the digital environment has transformed. Each update strengthens the scheme’s integrity: tightening controls, improving guidance, and preventing organisations from taking a “tickbox” approach just to obtain the certificate.

Some updates may feel challenging or even frustrating, but they ultimately exist to ensure that Cyber Essentials remains a credible, respected, and genuinely effective standard for UK organisations.

Multi‑Factor Authentication becomes mandatory for all cloud services

One of the most significant updates in the upcoming Cyber Essentials v3.3 release is the shift to mandatory multi‑factor authentication (MFA) for all cloud services. This change reflects the growing risks associated with relying solely on usernames and passwords – an approach that is increasingly vulnerable to brute‑force attacks, credential stuffing, and poor password hygiene.

MFA adds an essential extra layer of protection by requiring users to verify their identity with something more than just a password. This may include a trusted device, an authenticator app generating one‑time passcodes, hardware tokens, or more modern methods such as passkeys. While email and SMS‑based MFA are also options, they are generally considered less secure and should be used only when stronger alternatives are unavailable.

The NCSC’s and IASME’s decision to enforce stricter MFA requirements is driven by real-world data showing how frequently compromised passwords lead to unauthorised access and data breaches. Strengthening MFA across the board is an essential step toward reducing risk and protecting sensitive information in an increasingly cloud-heavy environment.

What’s changing in the assessment criteria?

Under the current scheme, failing to enable MFA for cloud service accounts—both standard and administrative roles—is already considered a major non‑compliance. However, the upcoming changes raise the bar even further: MFA will now be treated as an automatic failure if it is available but not enabled.

This applies to any cloud service that offers built-in MFA or integrates with your organisation’s existing single sign-on (SSO) platform. If MFA exists – paid or not – it must be enabled and enforced across all relevant accounts. The cost argument no longer holds; the potential financial impact of a security incident far outweighs the price of MFA add-ons or licensing.

The only exception: when MFA truly isn’t available

The one caveat remains unchanged:
If a cloud service does not offer any form of MFA, it can still be listed in response to question A7.15. Assessors will validate that MFA is genuinely unavailable, and if confirmed, no negative marking will be applied.

That said, organisations should seriously reconsider their reliance on such services. Any cloud solution lacking MFA presents a significant – and unnecessary – risk to the business.

Preparing for the change

To get ahead of the new requirements, organisations should begin reviewing all cloud services in use. This process should be supported by effective asset management practices.

Here’s how to prepare:

  • Audit all cloud services currently used by employees or departments.
  • Document them using your existing asset register or introduce a new system if needed.
  • Check MFA availability and contact providers that don’t offer it to confirm whether it's planned.
  • Enable MFA immediately for any service that supports it, even if it requires a paid upgrade.
  • Review procurement processes to ensure new cloud services are security vetted before adoption.
  • Governance: during many CE+ audits, undeclared cloud services are still found, highlighting weak governance. Speak with department heads or use company-wide emails to gather information on cloud services being used.
  • Consider using a Cloud Access Security Broker (CASB) to identify unapproved or unknown cloud usage across the organisation.

By using these changes as an opportunity to tighten cloud governance, businesses can strengthen their overall security posture and reduce the likelihood of future compliance issues.

Security update management: a stricter 14‑day requirement

The second major change in Cyber Essentials v3.3 focuses on security update management, specifically the requirement to apply critical and high-severity updates within 14 days of release. Under the new rules, failing to meet this baseline will result in an automatic failure, removing any flexibility that previously existed under major non-compliance.

This requirement applies to:

  • Operating system security updates
  • Application security updates
  • Firmware updates
  • Browser extensions and other add‑ons
  • Vulnerabilities that can be fixed through configuration changes, not just patches (these are still considered vulnerability fixes)

If a vendor publishes a fix – whether in the form of a patch or a configuration change – your organisation must deploy it within 14 days.

The growing need for vulnerability scanning

While Cyber Essentials still does not formally require vulnerability scanning, the reality is clear:
Organisations will now need regular vulnerability scans to identify issues quickly enough to meet the 14‑day deadline.

Without scanning, it becomes nearly impossible to spot vulnerabilities or configuration-based fixes in time.

Some practical options include:

  • Using vulnerability scanning tools such as Tenable, Qualys, or Rapid7. Ideally, choose a vendor listed as a PCI ASV (Approved Scanning Vendor), as these products are thoroughly vetted for accuracy and reliability.
  • Engaging an external provider to perform regular scans or Continuous Security Testing (CST), which can be especially useful for organisations with limited in‑house capability.

Improving patch management processes

To comply with the new requirement, organisations will need to streamline and mature their patching processes. This includes:

  • Rapid identification of vulnerabilities
  • Testing patches or configuration changes quickly
  • Deploying fixes across all relevant systems within 14 days

Automation will play a big role here. Enabling automatic updates where possible reduces manual workload and accelerates deployment. A dedicated patch management solution is strongly recommended, particularly one that supports:

  • Automated patching across a broad range of software
  • Centralised reporting
  • Monitoring of update success/failure
  • Integration into existing asset management processes

Before selecting a solution, ensure you understand what software your organisation actually uses. Ideally, at least 80–90% of updates should be automated. Anything that can’t be patched automatically should be tracked and manually addressed within the 14‑day window.

This change ultimately highlights the importance of accurate software asset management.

Common issues revealed during CE+ audits

Many organisations claim to patch within the required timeframe, but CE+ assessments frequently reveal:

  • Missing security updates
  • Critical and High vulnerabilities still present on devices
  • End of life (EOL) software still in use

With the new, stricter criteria, organisations should review and improve these processes before attempting certification.

If you believe the updated requirement will impact your ability to certify, you have options:

  1. Perform a gap analysis

A thorough gap analysis identifies weaknesses and gives you time to improve without the pressure of the certification window.

  2. Consider “Pathways” for large or enterprise organisations

For larger organisations, the Pathways route offers an alternative approach to Cyber Essentials certification when the 14-day patching requirement cannot be met.

This requires the use of Alternative Technical Controls (ATCs), such as device level security monitoring, and a bespoke penetration test to validate their effectiveness.

Certification isn’t guaranteed, and onboarding is currently paused, but this may expand in the future.

  3. Reduce scope through network segmentation

Devices that cannot meet the patching baseline may be removed from scope using secure network segmentation, creating a defined “sub‑set” of the environment that is compliant.

Review patching processes before certification 

For organisations planning to undergo Cyber Essentials Plus, it is highly recommended to review patching processes before certification. The updated test cases introduce additional measures to ensure that patching is actively maintained, not just claimed.

This change reinforces a fundamental truth: keeping software updated is one of the most effective ways to reduce cyber risk. By tightening these requirements, the scheme is pushing organisations toward more consistent, reliable, and secure operational practices.

Stricter verification of update management

One of the most significant changes relates to how assessors verify Update Management compliance, specifically around the 14‑day patching requirement.

This update affects Test Case 2.0 – Authenticated Vulnerability Scanning of Devices and is directly tied to the core requirement to apply critical and high security updates and vulnerability fixes within 14 days.

Historically, if sample devices failed the authenticated scan, assessors provided guidance, asked applicants to remediate, and then re-scanned only the sample devices. There was no mandatory follow-up verification to confirm that the issues had been fixed across all devices in scope.

From 27 April 2026, this changes.

If the assessor finds that an applicant is not meeting the 14-day patching requirement (evidenced by missing security updates, end-of-life software, or unaddressed vulnerabilities), the applicant must:

  1. Remediate the issues across all in-scope devices—not just the sample set.
  2. Complete this remediation within 30 days of receiving the failure.
  3. Undergo a second round of sampling, which includes:
    • the original devices that failed
    • an additional, newly selected sample

If any of the previously identified vulnerabilities—or newly relevant ones—are still present on any of these devices, the applicant will fail CE+ and their self-assessment will be revoked.

Example: how sampling will work

Imagine an organisation with 1,200 Windows 11 25H2 endpoints. Five devices are selected for the initial scan, and all five fail due to various issues such as missing patches or unsupported software.

Under the new rules:

  • The assessor provides remediation guidance.
  • The organisation must fix the identified issues across all 1,200 endpoints.
  • After remediation, the assessor selects another five devices in addition to the original sample.
  • If any device – old or new – still shows vulnerabilities that should have been patched within 14 days, whether from the initial findings or newly identified, the organisation fails the CE+ audit and loses its Cyber Essentials self-assessment certification.

This may sound strict, but it reflects the NCSC’s position: timely patching is one of the most effective controls for reducing cyber risk, and organisations claiming compliance must be able to demonstrate it.

Why this matters

These changes reinforce that Cyber Essentials Plus cannot be treated as a “tick box exercise”. Organisations must ensure they have:

  • Strong patching processes backed by buy-in from senior management
  • Effective technical solutions for update deployment and vulnerability scanning
  • Clear governance around vulnerability and security update management

If an organisation attests to meeting the 14-day patching requirement but cannot evidence it during CE+ testing, a failing result – and revocation of the self-assessment – is now considered fair and accurate.

Our recommendation

Before applying for Cyber Essentials or CE+, organisations should validate their update and vulnerability management processes. We strongly advise completing an internal review—or engaging a specialist—to confirm readiness.

We offer a targeted gap analysis focused specifically on update and vulnerability management for any organisation considering a Cyber Essentials or CE+ submission.

Prohibition of adjustments to the verified self-assessment post-CE+ testing

A minor procedural change has been introduced to clarify how Cyber Essentials Plus assessments must be scheduled. This is something we at Claranet have always practiced, but it will now be explicitly required across the board:

The Cyber Essentials self-assessment must be fully completed before any CE+ testing can begin.

This means the self-assessment must be:

  • Reviewed
  • Submitted
  • Approved
  • Passed
  • And the Cyber Essentials certificate issued

all before the CE+ audit starts.

This ensures the assessment follows the correct order of assurance and that CE+ testing accurately reflects an organisation that has already met the foundational Cyber Essentials controls. It also means that no amendments can be made to the self-assessment during CE+ testing, which would effectively be cheating.

Changes to the scope conditions

One of the most substantial updates in the upcoming Cyber Essentials Plus (CE+) revision appears on page 6 of the requirements document. Initially, it looked as though only one scoping condition was being amended. However, on closer inspection, two scope conditions have changed, and these adjustments may bring additional systems into scope for many organisations.

Below is a clear before-and-after comparison.

Scope conditions: before vs. proposed Version 3.3

Current CE+ Scope Conditions

Devices are in scope if they:

  • can accept incoming network connections from untrusted internet-connected hosts
  • can establish user-initiated outbound connections to devices via the internet
  • control the flow of data between any of the above devices and the internet

Proposed CE+ Version 3.3

Devices are in scope if they:

  • can accept incoming network connections from internet-connected devices
  • can establish outbound connections to devices via the internet
  • control the flow of data between any of the above devices and the internet

Two key words have been removed:

  • Untrusted (inbound connections) 
  • User‑initiated (outbound connections)

Although these are small wording changes, they have meaningful implications for how scope is determined. 

How these changes affect scoping

  1. Removal of “untrusted” for inbound connections

Previously, the presence of only trusted inbound connections (e.g., using a firewall whitelist of approved public IPs) allowed certain devices to be de‑scoped, provided they didn’t meet the other conditions.

With the word “untrusted” removed:

  • Any device accepting inbound connections from any internet-connected device may now be considered in scope.
  • This includes situations where the connection is trusted or whitelisted.

Example:
A server might not accept direct internet traffic but could accept traffic from a proxy server. Because that proxy is itself an internet-connected host, the backend server may now fall within the assessment scope.

  2. Removal of “user-initiated” for outbound connections

Previously, devices could be de‑scoped if:

  • They didn’t allow users to initiate outbound connections, and
  • Their only outbound connections were trusted (e.g., automated update sources).

With “user‑initiated” removed:

  • Any outbound internet connection – automated or otherwise – may now bring a device into scope.
  • This includes servers that only make trusted or system-level outbound connections.

Example:
A server connecting automatically to a trusted update service would previously have been eligible for de‑scoping. Under the new wording, it is now in scope simply because it establishes an outbound internet connection.
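The following Python encodes the two rule sets quoted above so the effect of removing “untrusted” and “user-initiated” can be checked device by device. It is an added example for this post, not part of the scheme documentation. The device attribute model and the constructed devices are assumptions; the backend-behind-a-proxy and automated-update-client cases mirror the two examples given in the text, and two control devices show cases where the wording change makes no difference.

```python
"""Evaluate CE+ scope conditions: current wording vs proposed v3.3.

Added example, not part of the original post. The attribute model and
the constructed devices are ours; the two rule sets are the
three-condition lists quoted in the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    inbound_from_internet_hosts: bool   # accepts connections from internet-connected hosts
    inbound_sources_trusted: bool       # every such source is whitelisted/trusted
    outbound_to_internet: bool          # makes any outbound internet connection
    outbound_user_initiated: bool       # a user (not only an automated job) can start one
    controls_data_flow: bool            # firewall/proxy/router between the above and the internet


def in_scope_current(d: Device) -> bool:
    """Current wording: inbound must be from *untrusted* hosts, outbound must be *user-initiated*."""
    inbound = d.inbound_from_internet_hosts and not d.inbound_sources_trusted
    outbound = d.outbound_to_internet and d.outbound_user_initiated
    return inbound or outbound or d.controls_data_flow


def in_scope_v33(d: Device) -> bool:
    """Proposed v3.3 wording: both qualifiers removed."""
    return d.inbound_from_internet_hosts or d.outbound_to_internet or d.controls_data_flow


def scope_delta(devices) -> dict[str, tuple[bool, bool]]:
    """name -> (in scope today, in scope under v3.3)."""
    return {d.name: (in_scope_current(d), in_scope_v33(d)) for d in devices}


def newly_in_scope(devices) -> list[str]:
    """Devices the wording change pulls into scope."""
    return [n for n, (old, new) in scope_delta(devices).items() if new and not old]


# Constructed devices modelling the post's two examples plus two controls.
DEVICES = [
    # Backend server only reachable via an internet-facing proxy (a trusted source), no outbound.
    Device("backend-app", True, True, False, False, False),
    # Server whose only internet traffic is automated pulls from a trusted update service.
    Device("update-client-srv", False, False, True, False, False),
    # User workstation: browses the internet, so in scope under both wordings.
    Device("workstation", False, False, True, True, False),
    # Fully isolated device: no internet connectivity in either direction.
    Device("isolated-host", False, False, False, False, False),
    # Boundary firewall: controls data flow, so always in scope.
    Device("edge-firewall", True, False, True, False, True),
]

if __name__ == "__main__":
    for name, (old, new) in scope_delta(DEVICES).items():
        print(f"{name:18} current={old!s:5} v3.3={new!s:5}")
```

Running it shows exactly the two devices the text discusses moving from out of scope to in scope, while the workstation, the isolated host and the firewall are unchanged; a whitelisted inbound source or an automated-only outbound connection no longer de-scopes anything.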

What this means for organisations

The proposed wording makes scoping simpler and more consistent, but it does reduce flexibility for certain environments, especially those that relied on strict internet whitelisting or architectural segmentation to limit exposure.

For most organisations, the impact will be minimal. However:

  • Some will need to include additional devices in scope.
  • This may increase the number of systems that must be patched, hardened, and monitored to meet CE+ standards.
  • It will also enhance overall security posture by ensuring more internet-connected devices receive the same level of scrutiny and protection.

At Claranet, we welcome any changes that simplify the often complex task of scoping security frameworks. While this update may widen the scope for some, we expect it to improve clarity for most and strengthen real world security outcomes.

Changes to documenting scoping, certification, and ongoing compliance

Alongside the major updates, several important adjustments have been made to how scope, certification, and ongoing compliance are documented within the Cyber Essentials scheme. These changes are designed to strengthen clarity, reduce ambiguity, and improve overall trust in the certification process.

Below is a clear breakdown of what’s changing.

  1. More flexible and detailed scope descriptions

Organisations will no longer be restricted to the short, condensed scope description traditionally shown on certificates. Instead, they’ll be able to provide a comprehensive and fully detailed description of the assessment scope, which will be accessible through the digital certificate portal.

This allows organisations to more accurately represent how their assessment was structured—and offers greater transparency for customers or partners reviewing their certification.

  2. Clear identification of out-of-scope areas

Going forward, organisations must also record any parts of their environment that have been explicitly excluded from the assessment.

These exclusions will not appear publicly, but assessors and scheme administrators will review them. This ensures a more accurate understanding of how the scope was determined and reduces the risk of misunderstandings about what the certification does—and does not—cover.

  3. Full disclosure of legal entities in scope

Another change requires organisations to list all legal entities included in the assessment. This includes:

  • Legal entity names
  • Registered addresses
  • Company numbers

These details will be visible on the digital certificate platform, ensuring that anyone checking a certificate can clearly see who the certification applies to, making it particularly useful for organisations operating through multiple subsidiaries.

  4. New certificate options for multi-entity organisations

If multiple legal entities sit within a single assessment scope, organisations will now be able to request individual Cyber Essentials certificates for each entity.

These additional certificates will:

  • Clearly show that the organisation is part of a larger, overarching assessed scope
  • Be issued at a small additional cost

This change benefits organisations that need entity-level documentation for customers, contracts, or supply chain requirements.

Clarifying what “point-in-time” really means

Cyber Essentials has always been described as a point-in-time assessment, but there has been confusion about what that point actually is.

To eliminate misunderstanding, the scheme will now explicitly state that:

  • The “point-in-time” refers to the date the Cyber Essentials certificate is issued.

This means that all systems within scope must be:

  • Fully supported
  • Compliant with the scheme’s controls
  • Correctly configured

as of the date printed on the certificate, not the date the assessment was submitted or completed.

Updated declaration and ongoing compliance requirements

The final notable change affects the declaration signed by a board member or director during the Verified Self Assessment (VSA).

This declaration will now include an explicit acknowledgment that:

  • The organisation is responsible for maintaining compliance with Cyber Essentials controls for the full duration of the certification period.

This adjustment reinforces that CE certification is not a one‑day exercise. Organisations must uphold the same security standards throughout the entire year—not only on the day the assessment was conducted.

Wow, that’s a lot to digest

If you’ve made it to the end, great job. These changes may feel daunting at first glance. If you’re unsure how the new requirements might impact your organisation’s ability to achieve or maintain certification, you’re not alone.

To help, we’re offering a free 30 minute consultancy call where we can:

  • Review your current alignment with the updated requirements
  • Highlight any gaps or areas of concern
  • Discuss practical steps to strengthen your environment
  • Outline how we can support you in achieving Cyber Essentials or Cyber Essentials Plus certification

We can help you navigate these changes confidently and build a secure, resilient environment that meets the latest standards set out by the NCSC and IASME. 

Or, reach out to us for a quote: https://www.claranet.com/uk/request-cyber-essentials-quote/