Upcoming changes in Cyber Essentials for 2026
Cyber Essentials will be updated from 27 April 2026 with new rules to strengthen cyber security for businesses.
Cyber Essentials is a government-approved certification scheme that sets out five key technical controls designed to protect your business IT systems from common cyber attacks. The scheme, managed by IASME, helps businesses show they follow good cyber security practices.
What is changing
The updated requirements introduce stricter rules for cloud services, user authentication, which devices and services must be checked (scoping), and software development practices.
Cloud services definition
For the first time, a clear definition of what counts as a cloud service is provided. From April 2026, any online service or infrastructure that stores or processes company data is in scope. This includes software accessed over the internet (Software as a Service or SaaS), data hosted on cloud platforms, and identity management systems your business uses.
Scoping rules
Any device or service connected to the internet must be included in your Cyber Essentials assessment. This includes smartphones, laptops, servers, or any other device that sends or receives data online. If there are parts of your IT that you want to exclude, you will need to clearly explain why and prove they are effectively separated from the rest of your network.
Multi-factor authentication (MFA) requirements
While MFA has always been part of Cyber Essentials, it will become mandatory from April 2026 wherever cloud services offer it. MFA means using two or more forms of verification (for example, a password plus a code sent to your phone) to access an account. If MFA is available for a cloud service you use, it must be switched on for all users to pass the assessment. Cloud services cannot be excluded from your scope.
Passwords, backups and other security
The updated scheme encourages businesses to replace passwords with more secure authentication tools like passkeys, biometrics (fingerprint or face recognition), and hardware tokens. It also highlights the importance of keeping software secure during development and maintaining regular, tested backups. Backups help you recover quickly if you experience a cyber attack or data loss.
These changes aim to make your business more resilient and better protected against common cyber threats. Any Cyber Essentials assessments created on or after 27 April 2026 will be based on the new requirements, which are detailed in the Cyber Essentials requirements for IT infrastructure v3.3.
If your business currently holds Cyber Essentials certification or plans to apply, review these changes now and prepare ahead of the deadline to avoid any compliance issues and keep your systems secure.
First published 8 December 2025



