Cyber Essentials is Changing in April 2026: Here’s What You Need to Know

The 2026 Cyber Essentials update brings stricter rules and a stronger focus on ongoing compliance.


Significant changes are coming to the Cyber Essentials scheme that every business needs to know about, even if you’re already certified.

IASME and the NCSC review the Cyber Essentials scheme every year, incorporating feedback from assessors like Method IT, findings from breach investigations and insights from IASME’s own audit programme. The result is an annual update to the requirements and marking criteria.

The 2026 update is more significant than most. While the five core controls haven’t changed, the marking criteria, scope definition rules, assessment process and several supporting requirements all have. These changes apply to all assessment accounts created after April 27, 2026.

In this blog post, you’ll learn everything that’s changing, what it means in practice and what you can do to prepare for certification.


MFA is now an auto-fail requirement for all cloud services

Multi-factor authentication (MFA) for cloud service accounts is no longer marked as a recommendation. After April 2026, failing to implement MFA on any cloud service where it is available will result in the assessment failing automatically.

This applies to all cloud services in scope and to all users. It doesn’t matter whether MFA is a free feature, included as standard or requires a paid upgrade. If MFA is available for a cloud service you use, you must enable it.


Auto-fail status for two security update management questions

Patch management has always been a requirement under Cyber Essentials. But starting at the end of April, two specific questions will be set to auto-fail.

They are:

  • Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?
  • Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

Previously, failure to meet these requirements would result in a failed assessment that could be remediated and resubmitted. From April 2026, failing either of these questions will result in an immediate, automatic failure that restarts the assessment clock.

Auto-fail questions like these are just one reason businesses choose one of our Cyber Essentials plans, which include free retests and guarantee certification. You don’t have to worry about these questions scuppering your entire assessment.


“Point in time” is now the date the certificate is issued

Cyber Essentials has always been described as a ‘point in time’ assessment, but there has been ambiguity about what that means. After April 2026, the scheme formally defines the point in time as the date the certificate is issued.

The practical implication is that all systems in scope must be fully supported and compliant as of the date your certificate is issued, not the date you complete or submit the questionnaire. If any device or software becomes unsupported between submission and certificate issue, your certification may not be valid.
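The two auto-fail patching questions above and the new "point in time" definition can both be checked against an asset inventory before submission. The script below is an added illustration, not code from Method IT, IASME or the NCSC: it flags high/critical updates older than 14 days (split by the OS/firmware and application questions) and any asset whose vendor support ends before the assumed certificate issue date. Asset names, dates and the field names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
PATCH_WINDOW = timedelta(days=14)  # high/critical fixes must be installed within 14 days of release

@dataclass
class Update:
    asset: str
    scope: str                 # "os_firmware" or "application": the two auto-fail questions
    severity: str              # "critical", "high", "medium" or "low"
    released: date
    installed: Optional[date]  # None means the update is still pending

def overdue_updates(updates, today):
    # High/critical updates that breach the 14-day rule, grouped by auto-fail question
    breaches = {"os_firmware": [], "application": []}
    for u in updates:
        if u.severity not in ("critical", "high"):
            continue  # medium/low fixes are outside the 14-day rule
        deadline = u.released + PATCH_WINDOW
        # Pending is a breach only once the window has passed; installed late is always a breach
        if (u.installed > deadline if u.installed else today > deadline):
            breaches[u.scope].append(u.asset)
    return breaches

def unsupported_at_issue(support_ends, issue_date):
    # support_ends maps asset name -> end of vendor support (None = no announced end).
    # The 'point in time' is the certificate issue date, not the submission date.
    return [name for name, end in support_ends.items() if end is not None and end < issue_date]

def assess(updates, support_ends, today, issue_date):
    b = overdue_updates(updates, today)
    unsupported = unsupported_at_issue(support_ends, issue_date)
    return {"os_firmware_overdue": b["os_firmware"], "application_overdue": b["application"],
            "unsupported_at_issue": unsupported,
            "auto_fail": bool(b["os_firmware"] or b["application"] or unsupported)}

def run_sample():
    # Constructed sample inventory; asset names and dates are hypothetical
    today, issue_date = date(2026, 5, 15), date(2026, 5, 20)
    updates = [
        Update("fw-edge-01", "os_firmware", "critical", date(2026, 4, 20), None),              # 25 days pending
        Update("laptop-07", "application", "high", date(2026, 5, 5), None),                    # still inside window
        Update("srv-db-02", "os_firmware", "high", date(2026, 4, 1), date(2026, 4, 14)),       # on time
        Update("laptop-03", "application", "medium", date(2026, 3, 1), None),                  # out of scope
        Update("laptop-09", "application", "critical", date(2026, 4, 10), date(2026, 4, 30)),  # late
    ]
    support_ends = {"srv-db-02": date(2026, 5, 18),  # ends after submission but before issue
                    "laptop-07": None, "fw-edge-01": date(2027, 1, 1)}
    return assess(updates, support_ends, today, issue_date)
```

Run `run_sample()` to see the three findings that would each trigger an auto-fail: the overdue firmware update, the late application patch, and the server that drops out of support three days before the certificate date.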

This is another reason customers choose one of our ongoing Cyber Essentials plans. Pro and Elite versions come with a continuous compliance assessment guarantee, meaning we’ll monitor and maintain your cybersecurity posture throughout the engagement to ensure you retain Cyber Essentials compliance.


The director's declaration now includes ongoing compliance

The declaration signed by a director or board member as part of the verified self-assessment will be updated to include an explicit statement acknowledging the organisation’s responsibility to maintain Cyber Essentials compliance throughout the certification period, not just at the point of assessment.

This is significant because it formalises what has always been best practice: Cyber Essentials certification should be a continuous state, not a one-time exercise. Again, the continuous compliance monitoring in our Pro and Elite packages will track your posture year-round.


Get certified and stay compliant with Method IT's ongoing support

As an approved Cyber Essentials Certification Body, Method IT is perfectly placed to guide your business through the entire assessment process — from an initial readiness audit to a submitted assessment. We can take care of everything and ensure you obtain certification.

Passing Cyber Essentials is just the starting point, however. Your certificate lasts 12 months, but your IT environment changes throughout that year. That’s why many businesses choose our Pro and Elite packages, which include continuous compliance monitoring. We track your posture against all five controls year-round to keep you protected and aligned with Cyber Essentials. Get started by requesting a free quote.