The Cyber Essentials scheme is updated annually, and the April 2026 revision is one of the most substantive in recent years. IASME and the NCSC have not only updated the Requirements for IT Infrastructure document to version 3.3 but have also made significant changes to the marking framework, the assessment methodology for Cyber Essentials Plus, and the scope definition process. Some of these changes were previewed in November 2025; others were announced in February 2026 following IASME's ongoing audit findings.
The new rules apply to all assessment accounts created after 26 April 2026. Organisations with an active assessment account opened before that date have six months to complete certification under the previous version of the requirements. If you are currently partway through a certification cycle or planning to certify before the summer, the timeline matters.
This post covers every material change — what has changed, why it has changed, and what it means in practice.
The Critical Change: Auto-Fail Rules Are Expanding
The most operationally significant change in the April 2026 update is the expansion of the auto-fail framework. Previously, the only automatic failure condition introduced under the November 2025 preview was the failure to implement MFA where it is available for cloud services. The April 2026 update adds two further auto-fail triggers and hardens the MFA requirement.
MFA on Cloud Services Is Now Mandatory — No Exceptions
Multi-factor authentication on cloud services is no longer a best-practice recommendation or a scored question — it is a mandatory requirement whose absence triggers automatic failure of the entire assessment. The rule is absolute: if MFA is available for a cloud service your organisation uses, whether it is included for free, bundled into your subscription, or available as a paid add-on, you are required to enable it. Failing to do so will fail the assessment regardless of how well you perform on every other control.
In practice, this means that any cloud service where MFA can be enabled must have it enabled. Microsoft 365, Google Workspace, Salesforce, accounting platforms, HR systems, project management tools — if the service supports MFA and your organisation uses it to process or store business data, MFA must be active. The guidance on the IASME knowledge hub is explicit: the cost of MFA, or the effort of enabling it, is not a valid reason for non-compliance.
For most organisations that have been operating in good faith, this formalises something they should already be doing. For organisations that have been deferring MFA on certain platforms because it was inconvenient, the April deadline is the effective enforcement date.
Two New Auto-Fail Questions on Security Updates
Questions A6.4 and A6.5 in the updated question set are now designated as auto-fail questions. They address the timely application of high-risk or critical security updates:
- A6.4: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?
- A6.5: Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?
A negative answer to either question is an automatic failure of the assessment, regardless of performance elsewhere. The 14-day window applies to high-risk and critical updates — the classification that typically covers actively exploited vulnerabilities and CVSS scores in the high-to-critical range.
This change is a direct response to the threat intelligence picture. The VPN exploitation campaigns documented in our March 2026 threat intelligence paper showed new CVEs appearing in active attack toolkits within days of public disclosure. The NCSC's position is that organisations leaving critical patches unapplied for longer than 14 days are creating a window of exposure that is known, quantifiable, and preventable. The auto-fail designation reflects the seriousness with which they view this gap.
For organisations managing their own patching, the practical implication is that a documented patch management process with evidence of timely application is no longer optional. You need to be able to demonstrate — not just assert — that high-risk and critical updates are being applied within the 14-day window across all in-scope systems, including router and firewall firmware, not just server and endpoint operating systems.
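One way to turn "demonstrate, not just assert" into a repeatable check, as an added example that is not IASME or NCSC tooling: it reads update records of the kind a patch-management system exports (asset names, update ids and dates here are constructed) and lists every high-risk or critical update that is outside the 14-day window as of the planned certification date, split by the question it would fail.

```python
# Added example (not IASME or NCSC tooling): checks update records exported
# from a patch-management system against the 14-day A6.4 / A6.5 window.
# Asset names, update ids and dates are constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=14)                  # window stated in A6.4 / A6.5
AUTO_FAIL_SEVERITIES = {"critical", "high"}  # ratings the questions cover

@dataclass
class UpdateRecord:
    asset: str                 # device or application name
    category: str              # "os" / "firmware" -> A6.4, "application" -> A6.5
    update_id: str             # vendor advisory or KB reference
    severity: str              # lower-case vendor / CVSS-derived rating
    released: date
    installed: Optional[date]  # None while the update is still pending

def days_late(rec: UpdateRecord, as_of: date) -> int:
    """Days past the 14-day deadline; zero or negative means compliant so far.
    Low/medium updates are outside the auto-fail rule and never count as late;
    a pending update is measured against the assessment date instead.
    """
    if rec.severity not in AUTO_FAIL_SEVERITIES:
        return 0
    deadline = rec.released + WINDOW
    reference = rec.installed if rec.installed is not None else as_of
    return (reference - deadline).days

def assess(records: list, as_of: date) -> dict:
    """Map each auto-fail question to the records that would force a 'no'."""
    findings = {"A6.4": [], "A6.5": []}
    for rec in records:
        late = days_late(rec, as_of)
        if late > 0:
            question = "A6.5" if rec.category == "application" else "A6.4"
            findings[question].append((rec.asset, rec.update_id, late))
    return findings

AS_OF = date(2026, 5, 15)  # planned certificate issue date (constructed)
SAMPLE = [
    UpdateRecord("fw-edge-01", "firmware", "FW-2026-001", "critical", date(2026, 4, 20), date(2026, 4, 28)),
    UpdateRecord("srv-file-02", "os", "OS-2026-017", "high", date(2026, 4, 10), date(2026, 5, 1)),
    UpdateRecord("ws-fin-07", "application", "APP-2026-044", "critical", date(2026, 4, 25), None),
    UpdateRecord("ws-sales-03", "application", "APP-2026-050", "medium", date(2026, 4, 1), None),
    UpdateRecord("srv-web-01", "os", "OS-2026-021", "high", date(2026, 5, 10), None),
]
```

Run against the sample, the firmware update installed on day 8 and the OS update released five days before the assessment date both pass, while the late file-server patch and the still-pending workstation application fix are reported under A6.4 and A6.5 respectively.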
Scope Definition: Significant New Requirements
Scope definition has been one of the most contested areas of Cyber Essentials assessments, particularly for organisations with complex structures, multiple legal entities, or subsidiaries. The April 2026 changes introduce four specific updates to address the persistent challenges in this area.
Unlimited Scope Descriptions
Organisations will no longer be constrained to a brief scope description on their certificates. A detailed scope description can now be provided, and this extended description will be available for verification through the digital certificate platform. This is a positive change for organisations whose actual scope is more complex than a brief description can convey, and it provides greater transparency to clients, partners, and procurement teams who rely on the certificate as evidence of security posture.
Out-of-Scope Areas Must Be Described
Organisations will now be required to explicitly describe any areas of their infrastructure that are excluded from the scope of the assessment. This information will not be made public — it will not appear on the certificate or the public-facing digital platform — but it must be documented as part of the assessment record. This requirement addresses a gap that has allowed scope exclusions to go unexplained, and it creates an accountability mechanism for assessors to verify that exclusions are legitimate rather than simply convenient.
Legal Entity Identification
Where an assessment covers multiple legal entities — for example, a parent company and its subsidiaries, or a group of companies seeking a single certificate — all legal entities included within the scope must now be specified, with details including the entity's name, registered address, and company number. All included legal entities will be visible on the digital certificate platform, creating a transparent and verifiable record of what the certificate actually covers.
Individual Certificates for Legal Entities Within a Scope
A new certificate type will allow individual Cyber Essentials certificates to be issued for each legal entity certified as part of a larger group scope. These individual certificates will clearly indicate that they form part of a wider assessment scope rather than standalone certifications. A small additional charge will apply. This is particularly relevant for multi-entity organisations that need to demonstrate individual entity compliance to specific clients or as part of supply chain due diligence.
Clarifying 'Point in Time'
Cyber Essentials has always been described as a point-in-time assessment, but the phrase has caused consistent confusion about what that point in time actually refers to. The April 2026 update resolves this explicitly: the point in time is the date the certificate is issued.
The practical implication is that organisations must ensure their systems are supported and compliant as of the certification date — not as of the date they began the assessment or the date they last reviewed their controls. For organisations whose systems approach end-of-support during an assessment cycle, this clarification means the timing of certification matters: a system that loses vendor support before the certificate is issued will be non-compliant at the point of certification.
The Updated Director Declaration
The declaration signed by a board member or director as part of the verified self-assessment will be updated to include an explicit acknowledgement that the organisation is responsible for maintaining compliance with all Cyber Essentials controls throughout the entire certification period — not just at the point of assessment.
This is a meaningful change in the governance posture of the scheme. Cyber Essentials certification has sometimes been treated as an annual compliance exercise with limited ongoing accountability. The updated declaration makes explicit that the signatory is accepting responsibility for continuous compliance, and that the certificate represents an ongoing commitment rather than a snapshot that can be ignored until the next renewal.
For directors and senior managers signing the declaration, this is worth reading carefully. The certificate you sign for carries an explicit ongoing compliance obligation that is now written into the scheme's terms.
Cyber Essentials Plus: Two Critical Methodology Changes
The CE+ changes deserve particular attention because they address practices that have been undermining the assurance value of the higher-level certification.
No More Selective Patching During Assessment
IASME's ongoing audit work identified a specific pattern of behaviour: when CE+ assessors found unpatched devices in their initial sample, some organisations were applying the required updates only to the specific devices in the test sample, rather than across their entire CE+ scope. These organisations were then passing the retest despite leaving the broader environment unpatched.
This behaviour, whether intentional or the result of misunderstanding the requirement, fundamentally undermines what CE+ is meant to assure. The April 2026 update closes this gap directly. If an organisation fails the initial device sample test, it must remediate and undergo a retest, and during the retest the assessor will now test both the original sample and a new, different random sample of devices. A second failure at retest will result in revocation of the verified self-assessment certificate, not just failure of the CE+ audit.
The message is clear: CE+ is testing whether your entire environment is patched and compliant, not whether the specific devices you know are being tested are compliant. If you are preparing for CE+, ensure that your patch management process applies consistently across all in-scope devices before assessment begins.
VSA Responses Cannot Be Changed After CE+ Testing Begins
The second CE+ change addresses a related integrity issue. Organisations will no longer be permitted to adjust their verified self-assessment responses after CE+ testing has commenced. The scheme's Terms and Conditions will be updated to require that the VSA is completed, finalised, and remains unchanged before CE+ testing begins.
This change prevents a practice where organisations were effectively using the CE+ technical audit as a diagnostic tool to identify and then correct VSA responses before finalising them, rather than providing an accurate self-assessment that the CE+ audit then independently verifies. CE+ is an independent technical verification of the VSA — it cannot serve that function if the VSA can be retrospectively adjusted based on what the audit finds.
Updates to the Requirements Document (v3.3)
Beyond the framework and methodology changes, the Requirements for IT Infrastructure document itself has been updated to version 3.3 with several clarifications worth knowing.
Cloud Services: A Formal Definition
For the first time, the requirements document includes a formal definition of what constitutes a cloud service for Cyber Essentials purposes:
A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation or an email address used for business purposes) and will store or process data for your organisation. If your organisation's data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.
The most important sentence in that definition is the last one: cloud services cannot be excluded from scope. If you process or store business data on a cloud platform, it is in scope. Full stop. This closes an avenue that some assessments have used to exclude cloud services on the grounds that the organisation does not control the underlying infrastructure.
Simplified Scoping Criteria
The qualifiers 'untrusted' and 'user-initiated' have been removed as descriptors for internet connections in the scoping criteria. This simplification removes a source of persistent confusion about which connections require inclusion. Organisations will also now need to justify any infrastructure excluded from scope and explain specifically how excluded networks are segregated from in-scope systems. Exclusions can no longer simply be stated; they must be reasoned.
Application Development
The section previously titled 'web applications' has been renamed 'application development' and now references the UK Government's Software Security Code of Practice. The practical scope change: publicly available commercial web applications are now in scope by default, while bespoke and custom components developed in-house remain out of scope. Organisations running publicly accessible web applications — including e-commerce platforms, customer portals, and public-facing services — should review whether this scoping change affects their assessment.
Backups Repositioned
Guidance on backups has been moved earlier in the requirements document. This is a presentational change rather than a substantive one, but it reflects the NCSC's emphasis on backup capability as a foundational recovery control — not an afterthought to the five main technical domains.
Passwordless Authentication
The user access control section has been updated to highlight passwordless authentication methods — specifically passkeys — as a more secure alternative to traditional passwords. This is guidance rather than a mandatory requirement, but it signals the direction of the scheme. Organisations implementing passkeys or FIDO2 authentication can now reference this explicitly in their assessment responses.
The Danzell Question Set
The new Cyber Essentials question set, named Danzell, was published on 13 February 2026 and will apply to all assessments registered after 26 April 2026. If you are currently working through an assessment or planning to begin one before April, confirm with your assessor which question set applies to your account. Assessments opened under the previous question set have six months to complete certification — but that window runs from the account creation date, not from 26 April itself.
What This Means If You Hold or Are Seeking Certification
The combined effect of these changes is that Cyber Essentials certification after April 2026 provides meaningfully stronger assurance than it did before — but the bar for achieving it is higher. Three areas require immediate attention for most organisations.
First, MFA must be active on every cloud service that supports it. This is no longer a scored question — it is a binary pass or fail condition. Audit your cloud services now and enable MFA on any platform where it is available. Prioritise authentication to email, file storage, financial systems, and any platform that holds client or employee data.
Second, your patch management process must be capable of demonstrating 14-day compliance for high-risk and critical updates across all in-scope systems, including network device firmware. If your current process relies on monthly patching cycles, a 14-day auto-fail threshold means critical updates need to be treated differently from routine ones. Separate the triage and prioritisation of critical patches from your regular maintenance cycle.
Third, if you are pursuing CE+, ensure your entire in-scope environment is patched and compliant before assessment begins — not just the devices most likely to be in the test sample. And finalise your VSA responses before CE+ testing commences. Post-test adjustments are no longer permitted.
Cyber Essentials Certification Is Included With Every SOC in a Box Deployment
Every SOC in a Box deployment includes Cyber Essentials certification consulting and audit preparation at no extra cost — covering the updated April 2026 requirements including MFA enforcement, patch management evidence, and the new scope documentation requirements. Our named analysts work with you through the assessment process, and the monthly Confidence Score report provides the ongoing compliance evidence the updated director declaration now formally requires. If you are preparing for certification under the new Danzell question set, we can help.