
At our latest Cyber Byte session, Neil Douglas of Network ROI walked us through the upcoming Cyber Essentials changes that take effect from April 2026.

A Quick Refresher

Cyber Essentials remains the UK Government’s minimum standard for cyber security, developed by the National Cyber Security Centre (NCSC) and delivered by the IASME Consortium. Certified organisations are statistically 92% less likely to make a cyber insurance claim.

It focuses on five core technical controls that protect against commodity cyber attacks, mainly phishing and ransomware.

The Five Controls

Cyber Essentials continues to focus on:

  • Boundary firewalls
  • Secure configuration
  • Access control
  • Software updates
  • Malware protection

No new controls have been introduced in 2026, but what has changed is how the standard is implemented and assessed.

Key 2026 Changes: What’s Tightening

1. MFA Failures Are Now Automatic Fails

If multi-factor authentication is available for a cloud service and you haven’t implemented it, you will automatically fail.

Important points:

  • “Where available” is key.
  • It doesn’t matter if MFA requires a paid licence upgrade.
  • If the option exists, you must use it.

Tip from Neil: Expect assessors and IASME moderation to check whether MFA genuinely isn’t available if you claim it isn’t.

2. The 14-Day Patch Rule Has Teeth

The 14-day rule for high and critical vulnerabilities has existed for years.

What’s new?
Failure to meet it is now an automatic fail.

Not “most systems.”
Not “some systems.”
All systems. Including firewalls.

This is one of the biggest risk areas for organisations.

Tip from Neil: If you are attempting to pass CE Plus, use of a vulnerability scanner is essential to passing.
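As a worked example of the self-check this section calls for, here is a short Python script, added here and not from the session, Network ROI or IASME, that reads a list of vulnerability findings and reports every asset, firewalls included, where a high or critical fix has been available for more than 14 days. The findings are a constructed sample with placeholder advisory references, not real scanner output. The script assumes that a finding with no vendor severity label counts as high when its CVSS v3 base score is 7.0 or above; the article itself states no CVSS threshold. It also applies the "assume it is out of date everywhere" advice from later in the article: any package that is overdue on one asset is listed for action on every asset where it appears.

```python
"""Self-check for the Cyber Essentials 14-day patch rule (added example).

The findings below are constructed sample data with placeholder advisory
references, not real scanner output. Replace SAMPLE_FINDINGS with an
export from your own vulnerability scanner.
"""
from dataclasses import dataclass
from datetime import date

WINDOW_DAYS = 14      # high/critical fixes must be applied within 14 days of release

# Assumption for this example (the article states no threshold): a finding
# with no vendor severity label counts as high/critical when its CVSS v3
# base score is 7.0 or above.
CVSS_THRESHOLD = 7.0

# Fixed "today" so the sample gives repeatable results.
TODAY = date(2026, 5, 11)


@dataclass(frozen=True)
class Finding:
    asset: str          # hostname or device name
    asset_type: str     # workstation, server, firewall, ...
    package: str        # affected software or firmware
    advisory: str       # vendor advisory reference (placeholders here)
    severity: str       # vendor label, empty string if none supplied
    cvss: float         # CVSS v3 base score, 0.0 if unknown
    fix_released: date  # date the vendor made the fix available


# Constructed sample: two Chrome advisories, an overdue firewall firmware
# fix, an unlabelled but high-scoring server finding, and a medium one.
SAMPLE_FINDINGS = [
    Finding("ws-0101", "workstation", "google-chrome", "ADV-0001", "high", 8.8, date(2026, 4, 20)),
    Finding("ws-0102", "workstation", "google-chrome", "ADV-0002", "high", 8.8, date(2026, 5, 4)),
    Finding("fw-edge-01", "firewall", "firewall-firmware", "ADV-0003", "critical", 9.8, date(2026, 4, 10)),
    Finding("srv-db-01", "server", "postgresql", "ADV-0004", "", 7.5, date(2026, 5, 1)),
    Finding("srv-app-01", "server", "openssl", "ADV-0005", "medium", 5.3, date(2026, 3, 1)),
]


def in_scope(f: Finding) -> bool:
    """Only high and critical findings are subject to the 14-day rule."""
    return f.severity.lower() in ("high", "critical") or f.cvss >= CVSS_THRESHOLD


def days_past_window(f: Finding, today: date = TODAY) -> int:
    """Days beyond the 14-day window; zero or negative means still within it."""
    return (today - f.fix_released).days - WINDOW_DAYS


def overdue(findings, today: date = TODAY) -> list[Finding]:
    """Findings that would fail the assessment, worst first."""
    failing = [f for f in findings if in_scope(f) and days_past_window(f, today) > 0]
    return sorted(failing, key=lambda f: days_past_window(f, today), reverse=True)


def estate_wide_actions(findings, today: date = TODAY) -> list[str]:
    """Assets to fix now: anything running a package that is overdue anywhere.

    A random CE+ sample can land on any of these, so a package that is late
    on one device is treated as late across the whole estate.
    """
    late_packages = {f.package for f in overdue(findings, today)}
    return sorted({f.asset for f in findings if f.package in late_packages})


def report(findings, today: date = TODAY) -> str:
    """Human-readable summary: one FAIL line per overdue finding, then the estate list."""
    lines = []
    for f in overdue(findings, today):
        lines.append(f"FAIL {f.asset:<11} {f.asset_type:<11} {f.package:<18} "
                     f"{f.advisory} {days_past_window(f, today):>3} days past window")
    lines.append("Fix across estate: " + ", ".join(estate_wide_actions(findings, today)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

On the sample, the firewall is 17 days past the window and one workstation 7 days past, but the estate-wide list also picks up the second workstation, whose newer Chrome advisory is still within 14 days; that is the list to act on, because the assessor's random sample draws from the whole estate, not from the devices you already know about.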

3. Cloud Services Are Definitively In Scope

The updated definition clarifies that any cloud service storing or processing company data is in scope.

That includes:

  • Microsoft 365
  • Google Workspace
  • HR platforms
  • Business social media accounts
  • VoIP systems
  • Cloud-based CRM systems
  • Password managers
  • Project management tools

You cannot exclude cloud services from scope.

Tip from Neil: If in doubt, declare it and let the assessor decide.

4. Scoping Just Got More Detailed

From April 2026:

  • You must provide a detailed scope description if you are not choosing whole organisation.
  • This scope description will appear on your digital certificate.
  • Excluded networks must be clearly explained (but this won't be made public).

Unclear scope is already a common reason for failure, and this won’t get easier.

If your environment is complex or hybrid, speak to a Cyber Advisor (Cyber Essentials) or a Cyber Essentials Assessor at the start of your application.

Major Changes to Cyber Essentials Plus

This is where the real shift happens.

Double Sampling on Failure

Previously, if one sampled device failed, only that sample set was retested.

From April 2026:

  • A second test will include the original sample plus a new random sample.
  • If you fail the second test, your Cyber Essentials Basic certificate is revoked.

That’s a serious consequence, especially if CE is contractually required.

No Scope Changes During CE+

You must complete and sign off the Verified Self-Assessment before starting CE+ testing.
You cannot alter scope once CE+ testing begins.

The Big Message: This Isn’t About Ticking a Box

Neil was clear that there is one question leaders should be asking:

“How are we guaranteeing we remain compliant a week after assessment, and for the rest of the year?”

Cyber Essentials is not an annual exercise.
It’s an operational discipline.

Practical Advice from the Session

Here’s what stood out:

1. Prepare the Whole Organisation — Not Just the Sample

If Chrome is out of date on one device, assume it may be out of date everywhere.

Fix issues across your full estate, not just what’s sampled.

2. Know Your Assets

You cannot protect what you don’t know exists.

Maintain:

  • Accurate device inventory
  • Clear cloud service list
  • Defined data locations

Asset visibility underpins everything in cyber security.

3. BYOD Requires Proper Controls

There is no Cyber Essentials–compliant antivirus for iOS or Android.

For mobile devices, whether bring your own device (BYOD) or company-owned, you must:

  • Ensure devices run supported OS versions
  • Prevent jailbroken/rooted devices
  • Restrict access via approved apps (MDM or MAM)

This catches many organisations out.

4. Consider Managed Support for CE+

Neil’s position was straightforward:

Don’t go to CE+ testing until you’re ready.

Managed assessments significantly reduce the risk of failure, particularly under the new double-sampling model.

A number of organisations in Scotland, including Network ROI, can support CE+ reassessment and testing. IASME also offers a free 30-minute Cyber Advisor session for guidance.

Key Dates

  • 26 April 2026 – Last day to register the older, “Willow” assessment.
  • 27 April 2026 – New “Danzell” assessments go live.
  • 26 October 2026 – Final completion date for Willow assessments.

There’s no strategic reason to rush unless you’re unprepared. If you’re implementing the controls properly, you should pass under the new model.

Summary

The controls haven't changed, but the expectations have. Cyber Essentials is becoming more robust and more aligned with how attackers actually operate.

If you treat it as a compliance badge, you’re exposed. However, if you treat it as operational discipline, you’re significantly reducing risk.

If you’d like support understanding what these changes mean for your organisation, get in touch with the team at Network ROI or the other members of our Scottish Cyber Security Network, or visit the IASME website (below).

Other Resources