Cyber Essentials Updates April 2026 - Here is What You Need to Know
Posted on: 16th February 2026
Cyber Essentials is updated every year so it stays aligned with modern security risks. The next set of changes arrives on 27 April 2026. These updates do not replace the five core controls, but they do change how organisations must demonstrate compliance. The focus is on clearer expectations, stronger evidence, and bringing cloud services into full scope.
For many organisations, this may mean reviewing how systems are set up, how user accounts are managed, and how cloud tools are configured. The aim is to improve consistency across assessments and help organisations prepare for the most common cyber threats.
What Is Changing in 2026
1. Multi‑Factor Authentication becomes compulsory
If a cloud service offers Multi‑Factor Authentication, it must be enabled for every user. This applies even if MFA is only available as a paid feature. Leaving MFA disabled where it exists will result in an automatic failure.
2. Cloud services are fully in scope
Any service accessed with a work login, storing or processing organisational data, will be included. This covers widely used tools such as Microsoft 365, Google Workspace, or CRM and finance systems. You can no longer exclude cloud platforms from the assessment.
3. Clearer scoping rules
Any device or system capable of connecting to the internet is considered in scope unless there is a strong technical reason to exclude it. If you do exclude something, you will be expected to explain how it is separated from the rest of your environment.
4. Greater emphasis on passwordless authentication
The updated guidance highlights modern login methods such as passkeys and security keys. These are encouraged as a stronger alternative to traditional passwords.
5. Stronger expectations around backups
Backups remain outside the formal five controls, but the new guidance places greater weight on sensible backup practices. Storing copies off the primary device and disconnecting removable media when not in use are now recommended more clearly.
Practical Steps You Can Take Now
These steps will help organisations prepare without rushing as the deadline approaches.
1. Review every cloud service in use
- List each system your teams sign into using a work email or identity provider.
- Check whether MFA is available, and if so, turn it on for all users.
- Review default settings, particularly around admin roles and data access.
2. Check how your devices connect
- Confirm that laptops, desktops, and mobile devices meet the five core controls.
- Make sure anything capable of reaching the internet is included in your scope review.
- If you operate networks that are isolated, document how they are separated.
3. Strengthen authentication methods
- Introduce passwordless login options where your systems support them.
- Review which accounts hold administrative privileges and reduce them where possible.
4. Improve your backup approach
- Keep backups away from the main device or network.
- Test them regularly to ensure they can be restored when needed.
5. Document your set‑up clearly
- Keep simple records of configurations, patching, and user access.
- Prepare explanations for anything you wish to exclude from scope.
How ITPS Can Support Your Preparation
These updates are designed to improve clarity and remove grey areas, but they can still be time‑consuming to work through. Our team works daily with organisations preparing for certification, and we can provide guidance based on current assessment practice. This includes help with reviewing cloud services, strengthening access controls, and preparing clear scope documentation.
Support can be tailored to the level of help you need, whether that is assistance with the self‑assessment process or preparing for a more detailed technical review under Cyber Essentials Plus. The focus is on practical steps that improve your security position and reduce risk.