- Written by Tom Shefford - Head of Proposition IT & Cyber Security
For businesses relying on Cyber Essentials certification, the April 2026 update marks an important shift in how core security controls will be assessed.
From April 2026, the UK government-backed Cyber Essentials scheme will be updated. The core aim of Cyber Essentials stays the same: protecting organisations from the most common cyber-attacks. The new rules make key security controls clearer, stricter and more closely aligned to how modern businesses work. For many teams, this will not feel like a completely new standard; it will feel more like a tightening of expectations around the controls that already exist.
Why is Cyber Essentials being updated?
Cyber Essentials is reviewed every year by the National Cyber Security Centre (NCSC) and IASME to reflect changes in technology and real-world cyber attacks. The purpose of the update is to make sure that Cyber Essentials reflects how businesses actually work now. Cloud platforms, remote access, shared systems and online services are now part of normal operations for most teams, so security requirements need to be clearer around how those environments are treated. Most successful cyber-attacks still rely on basic weaknesses such as weak passwords, missing updates or unsecured cloud systems. The April 2026 Cyber Essentials update focuses on closing grey areas and making sure controls are genuinely in place, not just written down.
The foundations of Cyber Essentials are not changing
These five Cyber Essentials security areas still sit at the centre of the scheme:
- Firewalls
- Secure configuration
- Security updates
- User access control
- Malware protection
This means businesses that already take cyber security seriously and understand Cyber Essentials are not starting from scratch. Instead, the changes will raise the bar on how consistently these security controls must be applied.
How Cyber Essentials is changing in April 2026
Before April 2026, Cyber Essentials allowed more interpretation. Organisations could sometimes pass while applying controls inconsistently or planning improvements later.
From April 2026, there will be four major changes to Cyber Essentials:
1. Multi-Factor Authentication is no longer optional
If an online system or cloud service offers multi-factor authentication (MFA), it must be turned on. MFA means using something extra in addition to a password, such as a mobile app approval or a text message code.
Previously, organisations could argue that MFA was planned or only needed for administrators. From April 2026, if MFA is available and not enabled, the organisation will automatically fail the assessment.
What this means:
- Email systems like Microsoft 365 must have MFA enabled
- Finance, HR, CRM and cloud portals must use MFA
- Cost or convenience is no longer an acceptable reason not to use it
2. All cloud services are now in scope
For the first time, Cyber Essentials clearly defines what counts as a cloud service. Any online system that stores or processes your organisation’s data must be included in your assessment.
This includes:
- Email and collaboration tools
- File storage and sharing platforms
- Finance and payroll systems
- CRM and line-of-business applications
What this means:
Previously, some organisations excluded certain systems by narrowing their scope. This is no longer allowed. If your business data touches the service, it must meet Cyber Essentials requirements.
3. Faster security updates are mandatory
Critical and high-risk security updates must now be applied within 14 days of release.
This applies to:
- Computers and laptops
- Servers
- Firewalls and routers
- Business and third-party applications
What this means:
This rule existed before, but it is now strictly enforced. Missing a critical update beyond 14 days will result in an automatic failure.
4. Clearer scoping and transparency
The new assessment questions require clearer descriptions of what is included in your Cyber Essentials scope.
Organisations must:
- Clearly list all legal entities covered
- Explain any exclusions
- Be transparent about how systems are used
What this means:
This reduces misunderstandings and ensures assessments reflect reality rather than paperwork.
What the April 2026 changes to Cyber Essentials mean for business leaders
From April 2026, Cyber Essentials will place greater emphasis on controls being fully active in practice, not planned for later. Cloud systems will need to be included as standard, MFA will become a clear pass or fail requirement, and the overall assessment will place more weight on evidence and consistency. For well-managed businesses, this should feel like a natural tightening of expectations rather than a major disruption. For others, the biggest adjustment may be around behaviour, ownership and day-to-day discipline rather than new technology.
That is why business leaders do not need to approach these changes as a purely technical issue. The real priority is understanding whether the basics are in place across the business. A useful starting point is to ask whether all online systems are protected with multi-factor authentication, whether every cloud service in use is known and accounted for, whether security updates are applied quickly and consistently, and whether ownership of cyber security is clearly defined.
Although the revised standard may appear stricter, that is ultimately a positive shift. Stronger requirements make Cyber Essentials more meaningful because certification is more closely tied to real security rather than simple compliance. In practice, that can help businesses reduce the risk of cyber attacks, strengthen trust with customers and partners, and meet growing supply chain or contract expectations with greater confidence.
How Opus can help
The April 2026 Cyber Essentials updates are not about adding complexity; they are about making sure the basics are applied properly, consistently and across the full business environment. For most businesses, success will come from stronger visibility, clearer accountability and day-to-day discipline rather than major new investment. In businesses where cyber security is already being taken seriously, these changes should feel like a natural next step rather than a difficult reset. At Opus, we help businesses prepare for Cyber Essentials with practical guidance that keeps the focus on what matters most. Contact us to discuss Cyber Essentials and your wider cyber security posture with one of our experienced consultants.
FAQs
The changes to Cyber Essentials in April 2026 bring stricter expectations around MFA, cloud services, patching and assessment scope, so businesses need to show controls are active rather than planned.
Yes, cloud services that store or process business data need to be considered properly within scope, which makes visibility across your systems more important.
We suggest that you start by reviewing MFA coverage, listing cloud services, checking update processes and making sure your assessment scope reflects how your business actually operates.