Cyber Essentials 2026: the two changes catching enterprises out
Jed Kafetz
Head of Commercial Innovation
Cyber Essentials 2026 didn't change the controls. It tightened how they're checked. Our senior auditors on the two changes catching enterprises out.
Cyber Essentials changed again this year. The updated requirements went live on 27 April 2026, and although there are three significant changes, two of them are where enterprise IT and security teams are getting caught out. We recently ran a webinar with two of our senior security consultants, Saf Shetwan and Charlie Hardwick, walking through exactly those two. Their message was blunt: the requirements themselves are not the hard part. Proving you meet them is.
Here are the takeaways first, with the detail behind each of them below.
The hot takes
- The patching rule hasn't changed. The way it is checked has. Fixing high and critical vulnerabilities within 14 days has been a core control since Cyber Essentials began. What is new is the level of assurance. If you declare in the self-assessment that you do not patch within 14 days, that is now an automatic fail, and you cannot progress to Cyber Essentials Plus.
- There is no second chance on the second scan. Cyber Essentials Plus now takes a second, randomly selected sample to confirm you have fixed vulnerabilities across your whole estate. If that second sample is not clean, you fail immediately, with no remediation window. In our audit experience, around 95% of organisations struggle with patching when they reach this stage, and it is rarely negligence.
- MFA is not the hard part of the cloud change. Visibility is. Multi-factor authentication is now mandatory for cloud services. Turning it on is straightforward. Knowing every cloud service your business actually uses, so you can turn it on everywhere, is not.
- Shadow cloud services are everywhere. In one recent audit, a large manufacturing business declared five cloud services. By the time the scope was accurate, the real number was 60.
- A wrong scope makes the certificate worthless. You can pass Cyber Essentials Plus and still be badly exposed if half your cloud services were never declared. A certificate built on an incomplete scope is a box ticked, not a risk reduced.
Change one: patching, and the end of "good enough"
What actually changed
The technical control itself is the same as it has always been: fix high and critical vulnerabilities within 14 days. What has changed is how that control is verified, and how much assurance you need to pass.
Previously, the self-assessment was forgiving. If you were not patching within 14 days, you could still pass with a major non-compliance recorded against you. You could then go on to Cyber Essentials Plus and pass there too, because the audit gave you a window to remediate. In effect, you could declare that you were not compliant and still walk away with a certificate.
That gap has now closed. If you state in the self-assessment that you do not patch within 14 days, it is an automatic fail. You cannot even progress to Cyber Essentials Plus.
The Plus audit has tightened as well. Because no assessor can scan hundreds of thousands of devices, Cyber Essentials Plus works on sampling. The old process picked one sample, scanned it, gave you 30 days to fix anything found, then rescanned the same sample. If that sample came back clean, you passed.
The blind spot in that approach was obvious. An organisation could fix the handful of devices in the sample and leave thousands of others vulnerable. And those unpatched devices, often hosting a high-severity vulnerability on a forgotten server, are exactly where real breaches start.
So the process has changed. When the first sample turns up vulnerabilities, you are now asked to fix them across your entire estate. Then a second sample is selected at random to check that you actually did. If that second sample is still showing the same vulnerabilities, it is an automatic failure, with no time to remediate.
"There is no remediation time on the second sample. That means you need really tight control of scanning and patching. Scanning is not a direct requirement of Cyber Essentials, but it is now indirectly necessary to pass it."
Saf Shetwan, Senior Security Consultant at Claranet
Why most enterprises struggle, and it isn't negligence
In our audit experience, around 95% of organisations run into patching problems when they reach the Plus stage. The cause is rarely carelessness. It is usually assumption. Teams assume their patching tool covers everything, that IT has it under control, and that because nothing has gone wrong before, nothing is wrong now.
Four ways patching quietly fails
Patching failures tend to come down to four situations we see again and again.
- The scanning tool isn't credible enough for the job. A subscription product or a built-in tool may do some scanning, but it may not be an enterprise-grade vulnerability scanner of the kind IASME expects for a Cyber Essentials Plus audit. It can miss issues that need a configuration or registry change, which leaves a blind spot the organisation never knows about.
- The right tool is configured incorrectly. One large organisation used a well-known enterprise scanner, but when we ran our own scan we found vulnerabilities they had not seen. Their report filtering was set up in a way that quietly hid them.
- The tool is not testing everything in scope. A scanning appliance might cover every server on the corporate network and still miss home workers and bring-your-own-device machines used for work. Those devices are in scope, and they are often the ones nobody is watching.
- Vulnerabilities are found but not properly fixed. Sometimes the scan finds everything correctly, but the fixing falls short. Patches are applied partially, or never validated, so the next scan still turns them up.
We saw all of this come together recently with a large logistics company. They were using an agent-based tool that wasn't suitable for a Cyber Essentials Plus assessment, so we used our own network-based scanning appliance instead. The volume of vulnerabilities it found surprised everyone, the customer included. Some devices had been quietly running with high-severity vulnerabilities for 30, 60 or 90 days, and in some cases years. There was end-of-life software still in use that the organisation no longer realised was in scope.
What good looks like
Patching well is not about owning a scanning tool. It is about the scanning and patching process. You need a full asset inventory, because you cannot fix what you do not know you have. You need every device, server, and application covered, including remote and bring-your-own-device machines. And you need to measure your patching: track it, report on it, and make someone clearly accountable for it.
It is also worth getting the scanning itself right. For Cyber Essentials Plus, your certification body will normally run the scan with tools that meet the NCSC Cyber Essentials Plus Test Specification, using either an agent-based tool or a network-based appliance. If you are running your own scans in between, pick a well-established enterprise vulnerability scanner and make sure it is doing credentialed scans with full CVE-level output, not just surface checks.
"Most organisations don't fail Cyber Essentials Plus because they don't patch. They fail because they think they patch, but they never really validated it. Ask yourself: if you were tested tomorrow, would you pass on fact, or fail on assumption?"
Saf Shetwan, Senior Security Consultant at Claranet
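As an added illustration (not code from Claranet, the webinar or the scheme itself), the Python below checks a constructed scan export against the 14-day rule and replays the new two-sample Plus flow, comparing the old habit of fixing only the first sample ("sample") against fixing the whole estate ("estate"). Host names, finding labels and dates are all made up.

```python
from dataclasses import dataclass, replace
from datetime import date
SLA_DAYS = 14                      # high/critical findings must be fixed within 14 days
ACTIONABLE = {"high", "critical"}  # severities a Plus scan fails you on
@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    title: str                 # placeholder labels, not real advisories
    first_seen: date
    fixed_on: "date | None" = None

# Constructed scan export for a hypothetical estate; every value is made up.
FINDINGS = [
    Finding("srv-01", "critical", "PLACEHOLDER-FINDING-A", date(2026, 5, 1)),
    Finding("srv-02", "high", "PLACEHOLDER-FINDING-A", date(2026, 5, 25)),
    Finding("srv-03", "high", "PLACEHOLDER-FINDING-B", date(2026, 4, 1)),
    Finding("srv-04", "medium", "PLACEHOLDER-FINDING-C", date(2026, 1, 1)),
    Finding("srv-05", "high", "PLACEHOLDER-FINDING-A", date(2026, 5, 10), date(2026, 5, 15)),
    Finding("lap-07", "critical", "PLACEHOLDER-FINDING-D", date(2026, 5, 20)),
    Finding("lap-08", "high", "PLACEHOLDER-FINDING-B", date(2026, 2, 1)),
]

def breaches(f, as_of):
    """True when a high/critical finding is still open past the 14-day window."""
    return (f.severity in ACTIONABLE and f.fixed_on is None
            and (as_of - f.first_seen).days > SLA_DAYS)

def overdue(findings, as_of):
    """(host, title, days_open) for every breaching finding, oldest first."""
    late = [(f.host, f.title, (as_of - f.first_seen).days) for f in findings if breaches(f, as_of)]
    return sorted(late, key=lambda row: row[2], reverse=True)

def failing_hosts(findings, hosts, as_of):
    """Hosts from `hosts` that would fail a Plus scan run on `as_of`."""
    return sorted({f.host for f in findings if f.host in hosts and breaches(f, as_of)})

def remediate(findings, hosts, on):
    """Simulate patching: close every open finding on the given hosts."""
    return [replace(f, fixed_on=on) if f.host in hosts and f.fixed_on is None else f
            for f in findings]

def plus_audit(findings, first_sample, second_sample, fix_scope, on):
    """2026 Plus flow: a dirty first sample must be fixed estate-wide, then a second
    random sample is scanned with no remediation window. Returns (passed, hosts_left)."""
    if not failing_hosts(findings, first_sample, on):
        return True, []
    targets = first_sample if fix_scope == "sample" else {f.host for f in findings}
    left = failing_hosts(remediate(findings, targets, on), second_sample, on)
    return not left, left
```

Run `overdue(FINDINGS, date.today())` against your own export to get the report the auditors say most organisations never produce; the two sample sets passed to `plus_audit` stand in for the assessor's random draws.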
Change two: cloud services, MFA, and the visibility problem
What actually changed
Multi-factor authentication is now mandatory for cloud services. You have to enable it and enforce it for every administrator and every user. That also covers people in your direct sphere of influence, such as contractors and supply chain staff who access your systems. Their devices may sit outside your scope, but the accounts and the authentication do not.
There is one caveat. If a cloud service genuinely does not support MFA, with no native option and no single sign-on integration into a system like Microsoft 365 or Okta, you can still certify by declaring that service on your self-assessment. For everything else, MFA is not optional.
The real problem is shadow cloud services
Here is the important point: the MFA requirement is not the difficult part. Turning MFA on is straightforward. The difficult part is knowing what to turn it on for.
The self-assessment asks you to list every cloud service your organisation uses, not just the ones IT knows about or the ones recorded in a document somewhere. IASME and NCSC define a cloud service as an on-demand, scalable service hosted on shared infrastructure, accessed over the internet, that typically stores or processes organisational data. In plainer terms, ask yourself whether it feels like an application you log into through a browser, running on infrastructure you do not host. If so, it is very likely a cloud service that belongs in your scope.
Most organisations are not breached through the systems they know about. Those tend to be well secured, especially if the business is pursuing Cyber Essentials. The risk sits in the services nobody has visibility of. It might be the tool the marketing team signed up to last night, the HR platform someone trialled last week, or the design software a team adopted in a hurry and never mentioned. We call these shadow cloud services, and they are no different in principle from shadow IT.
From five to 60: a real example
About two weeks before our webinar, we audited a large manufacturing business with a sizeable scope. On their self-assessment they listed five cloud services. For an organisation of that size, five is a number that does not sit right, and all five were IT-related, which is another red flag when you are working through the assessment with the IT team.
The self-assessment does not force a challenge here. If an organisation lists five services, an assessor can accept that as the scope. We applied some due diligence anyway. During the Cyber Essentials Plus device assessments, while users were downloading test files, we took the chance to look at their browser favourites. We found around 15 additional cloud services in daily use, things like LinkedIn Learning, Canva, Workday and Stripe. The scope went from five to 20, and we had to issue a fail, because a certificate against the wrong scope means very little.
We did not leave them there. We shared a simple technique we use in ISO audits: an email to department heads, with the IASME definition of a cloud service attached, asking each department what they actually use. It is not the most sophisticated method, but it is remarkably effective.
Two days before the rescheduled retest, the organisation got in touch. They needed more time, because they had found far more than expected. The final count was 60 cloud services. The business had been running 55 cloud services beyond the five it originally declared, with no governance over most of them. Some had even been added as enterprise apps in Microsoft Entra purely to use single sign-on, with nobody tracking them.
Pause on that for a moment. If we had certified at five services and the organisation had later had an incident involving one of the other 55, the certificate would have counted for nothing.
What good looks like
This is a process problem before it is a technical one. The organisations that struggle are the ones with no process to procure and govern cloud services, and that do not treat a cloud service as an organisational asset.
Anyone who has done ISO 27001 knows that everything starts with asset management. A cloud service should go through the same onboarding as a laptop or a server: leadership approval, a security review, and a compliance check against the standard you are certifying to. Keep a register, even a simple spreadsheet, recording what services exist, who owns them, who approved them, what data they hold, who has access, and when the licences expire.
There is a technical control that helps too. A cloud access security broker (CASB) monitors outbound connections and flags traffic to known cloud services, checking the identity and access settings on them as well. You can run one continuously, or use it for a fixed period of around 30 days to build an accurate register. Many enterprise organisations already have this capability and simply are not managing it well.
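As an added example that is not part of the original post, here is a Python sketch of the register-building step a CASB or proxy export enables: it reads constructed log lines, maps destinations to a small constructed service catalogue, keeps only the observation window, and reports which services are missing from the declared scope. The log format, users, host names and catalogue are all assumptions; a real CASB brings its own catalogue.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed proxy/CASB export: hypothetical users, hosts and timestamps.
LOG_LINES = """\
2026-05-04T08:12:03Z user=alice dst=login.microsoftonline.com
2026-05-04T08:13:40Z user=alice dst=www.canva.com
2026-05-04T09:01:11Z user=bob dst=wd5.myworkday.com
2026-05-05T10:22:09Z user=carol dst=dashboard.stripe.com
2026-05-05T10:23:45Z user=carol dst=www.canva.com
2026-05-06T11:00:00Z user=dave dst=www.linkedin.com
2026-05-06T11:05:17Z user=dave dst=intranet.corp.example
2026-05-07T14:30:00Z user=erin dst=app.design-tool.example
2026-03-01T09:00:00Z user=alice dst=app.old-tool.example
""".splitlines()

# Constructed catalogue (domain suffix -> service); a real CASB ships its own.
CATALOGUE = {"microsoftonline.com": "Microsoft 365", "canva.com": "Canva",
             "myworkday.com": "Workday", "stripe.com": "Stripe",
             "linkedin.com": "LinkedIn Learning"}
INTERNAL_SUFFIXES = ("corp.example",)  # hosted by us, so not a cloud service
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) dst=(\S+)$")

def classify(host):
    """Catalogue service name, 'internal', or None when nobody has named it yet."""
    if host.endswith(INTERNAL_SUFFIXES):
        return "internal"
    for suffix, name in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def discover(lines, since):
    """Traffic on/after `since`: known services -> users, plus unknown hosts for follow-up."""
    services, unknown = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or date.fromisoformat(m.group(1)) < since:
            continue
        _, user, host = m.groups()
        svc = classify(host)
        if svc == "internal":
            continue
        (services[svc] if svc else unknown[host]).add(user)
    return dict(services), dict(unknown)

def reconcile(declared, services):
    """Services seen on the wire but absent from the self-assessment scope."""
    return sorted(set(services) - set(declared))
```

The `unknown` hosts are the ones to put in front of department heads with the IASME definition attached; `reconcile` gives the gap between what was declared and what the network actually shows.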
One more practical point on the MFA itself. If you rely on conditional access or MFA policies, check them against the NCSC guidance on multi-factor authentication, which is linked from the requirements. A policy that treats a trusted network as the second factor is no longer compliant, because the scope is too broad. A token on a trusted device is fine. The principle to hold onto is that a second factor should be genuinely separate from your password: a code generated on the same machine you are logging in from is not multi-factor authentication.
"The requirement isn't the problem. The problem is visibility of cloud services. Treat them like any other asset, because if you don't know what you are protecting, you cannot protect it."
Charlie Hardwick, Senior Security Consultant at Claranet
Your next steps
If your Cyber Essentials renewal is on the horizon, three practical steps will put you in a far stronger position.
- Confirm what you actually need. Check with whoever is asking you to certify whether they require Cyber Essentials or Cyber Essentials Plus. In some public sector contexts it depends on risk. Plus is a significant step up in auditing, so it is worth being certain before you start.
- Run your own authenticated scans. Do not wait for the audit to find out where you stand. Scan your estate, confirm your asset register is complete and accurate, and find your gaps while you still have time to close them.
- List every cloud service. Go department by department. The email to department heads works well, and a CASB works better still. The aim is a complete, honest picture before an assessor builds one for you.
A note on timing. The updated requirements apply to organisations registering for Cyber Essentials from 27 April 2026 onwards. If you already hold a valid certificate, it remains valid until its expiry date, so your next renewal is the point at which the new requirements will apply to you.
How we can help
Cyber Essentials is a genuinely good standard, and it has earned its reputation by getting tighter every year. It is also harder than it used to be, particularly at enterprise scale. If you would like a second pair of eyes before you certify, we can help with a pre-audit check, a gap analysis, or the audit itself.
If you need it, you can have a free 30-minute consultation with one of our senior security consultants to review where you stand against the updated requirements. Get in touch and we will set it up.
References and further reading
- IASME, Upcoming Changes to the Cyber Essentials scheme: April 2026 Update
- IASME, Important Update: Changes to Cyber Essentials for April 2026
- IASME, Cyber Essentials and Cyber Essentials Plus – what is the difference?
- NCSC, Cyber Essentials: Requirements for IT Infrastructure v3.3 (PDF)
- NCSC, Cyber Essentials Plus Test Specification v3.2 (PDF)
- NCSC, Multi-factor authentication for online services
