By Fentons IT – Your trusted IT security company in Chichester

Cyber Essentials is undergoing important updates in April 2026, designed to better protect UK organisations against modern cyber threats. While the five core controls remain the same, the new requirements introduce stricter enforcement, clearer definitions, and a stronger focus on identity and cloud security. These changes affect all organisations completing certification or renewal after 27 April 2026.

Cyber Essentials 2026 Changes

Below is a simple, jargon‑free breakdown of the key updates—and what they mean for your business.

Why is Cyber Essentials Changing?

The National Cyber Security Centre (NCSC) and IASME review the scheme annually to keep pace with evolving cyber threats and real‑world security incidents. Updates for 2026 aim to remove ambiguity, strengthen core security practices, and ensure organisations aren’t just “checking boxes” but genuinely improving cyber resilience.

1. Multi‑Factor Authentication (MFA) Becomes Strictly Mandatory

One of the most significant changes: MFA must be enabled on all cloud services where available—no exceptions.

If MFA exists (even if it requires a paid upgrade) and is not switched on, the organisation will automatically fail the assessment.

This applies to:

  • Microsoft 365 & Google Workspace
  • SaaS applications
  • Social media business accounts
  • Remote access admin tools

2. Critical & High‑Risk Patches Must Be Applied Within 14 Days

The 14‑day patch rule is now strict, not advisory. Missing even a single critical update older than two weeks results in an automatic failure.

This applies to operating systems, applications and router/firewall firmware, for any high‑risk or critical security update.

3. Cloud Services Can No Longer Be Excluded

The scheme now defines what a cloud service is—any service that stores or processes organisational data, accessed via a business account. These must be included in your certification scope.

This includes:

  • Microsoft 365 / Google Workspace
  • CRM & HR systems
  • Cloud backups
  • Identity providers

No more narrowing the scope to avoid scrutiny.


4. Clearer Scope Requirements

To improve consistency during assessments, organisations now need to give a clear scope description. This includes outlining which parts of the business and legal entities are covered, along with a short explanation of anything intentionally left out of scope. These details help assessors understand the environment and reduce any ambiguity during certification.

When Do the Changes Take Effect?

  • 27 April 2026: New requirements apply
  • Assessments created before this date may use the old standard for a transition period

What Should Businesses Do Now?

To get ahead of the changes, we recommend:

  • Enforcing MFA across all cloud services
  • Implementing automated patching wherever possible
  • Reviewing all cloud platforms used by staff
  • Updating device management and monitoring
  • Ensuring accurate IT asset inventories

As an IT security company in Chichester, we help businesses across Sussex prepare for these new requirements with practical, trusted cybersecurity support.

Ready to Get Cyber Essentials Certified? We Can Help…

Whether you’re renewing your certification or starting for the first time, our team can guide you through the new 2026 Cyber Essentials requirements with clear advice, hands‑on support, and best‑practice security implementation.

As a trusted IT security company in Chichester, supporting organisations across Sussex, we make the process simple and stress‑free, ensuring you stay compliant, secure, and ready for the year ahead.

👉 Book your Cyber Essentials consultation today
We’ll review your current setup, identify any gaps, and help you prepare for the new mandatory controls, including MFA rollout, patching compliance, and cloud‑service readiness.

Get in touch with us to get started.