The annual update to the Cyber Essentials scheme lands in April 2026 – and this one includes more changes than usual. Here’s what’s changing and what it means for your organisation.
The Cyber Essentials criteria are reviewed every year. IASME and the NCSC take on board feedback from assessors, learnings from breach investigations and findings from their own audit programme, and update the requirements accordingly. Most years the changes are relatively minor. The 2026 update is different.
The five core controls haven’t changed. But the marking criteria, scope rules, assessment process and several supporting requirements all have.
Some of the changes carry real consequences if you’re not prepared. They apply to all assessment accounts created after 27th April 2026.
Here’s what you need to know.
MFA on cloud services is now an auto-fail requirement
Multi-factor authentication for cloud service accounts has moved from a recommendation to a hard requirement. From April 2026, if MFA is available on any cloud service in scope and you haven’t enabled it, your assessment fails automatically.
This applies to all users and all cloud services, regardless of whether MFA is a free feature or requires a paid add-on. If it’s available, it’s required. No exceptions.
Two patch management questions are now auto-fail
Patch management has always been at the heart of Cyber Essentials. But two specific questions are now set to auto-fail status:
- Are all high-risk or critical security updates and vulnerability fixes for operating systems, router and firewall firmware installed within 14 days of release?
- Are all high-risk or critical security updates and vulnerability fixes for applications (including associated files and extensions) installed within 14 days of release?
Previously, failing these questions meant a failed assessment that could be remediated and resubmitted. As of April 2026, failing either question triggers an immediate automatic failure and resets the assessment clock entirely.
This is the kind of pressure that makes the case for a managed approach to vulnerability remediation – ensuring high-risk and critical patches are applied automatically across every in-scope device within the scheme's 14-day window as a matter of course, rather than scrambling to meet the deadline when an assessment is imminent.
“Point in time” now means the date your certificate is issued
Cyber Essentials has always been described as a point-in-time assessment, but what that point means in practice has been open to interpretation. The point in time is now formally defined as the date the certificate is issued, not the date you complete or submit your questionnaire.
This means every device and system in scope must be fully supported and compliant on the day your certificate comes through. If something drops out of vendor support, or a critical update passes its 14-day deadline, between submission and issue, your certification may not hold. This is an important change for anyone whose assessment process spans several weeks.
Closing the selective patching loophole
Recent audits uncovered a pattern of organisations applying updates only to the specific devices included in the CE+ test sample, rather than rolling them out across their entire in-scope environment. Technically they passed the assessment. In practice, vulnerabilities remained.
The assessment process for update management has been tightened as a result. If an organisation fails the initial test of a random device sample, they can remediate and request a retest – but the retest will pull a new random sample from the wider environment.
A second failure results in revocation of the verified self-assessment certificate.
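To make the interaction between the 14-day patching window, the certificate-issue "point in time" and the sample-versus-estate loophole concrete, here is an added Python example. It is not part of the original post and is not IASME or NCSC tooling; the inventory, device names, update identifiers, release dates and the assumed certificate issue date are all constructed. It classifies each (device, update) pair as it would be seen on a given date and shows that a small device sample can pass while the wider estate fails.

```python
from datetime import date, timedelta

# Cyber Essentials requires high-risk/critical updates to be installed within
# 14 days of release on every in-scope device, and compliance is now judged on
# the certificate issue date (the "point in time").
PATCH_WINDOW = timedelta(days=14)

# Assumed dates for the worked example (not from the original post).
ISSUE_DATE = date(2026, 6, 1)          # assumed certificate issue date
PRE_DEADLINE_DATE = date(2026, 5, 12)  # an earlier date, before any deadline lapses

# Constructed sample inventory (not real data): one row per (device, update).
# `installed` is None when the update has not been applied.
INVENTORY = [
    {"device": "LAPTOP-01", "update": "OS-2026-05",  "released": date(2026, 5, 1),  "installed": date(2026, 5, 10)},
    {"device": "LAPTOP-02", "update": "OS-2026-05",  "released": date(2026, 5, 1),  "installed": None},
    {"device": "FW-EDGE",   "update": "FW-7.2.1",    "released": date(2026, 5, 3),  "installed": date(2026, 5, 20)},
    {"device": "LAPTOP-03", "update": "APP-2026-06", "released": date(2026, 5, 28), "installed": None},
]


def deadline(released: date) -> date:
    """Last day on which an update can be installed and still meet the 14-day rule."""
    return released + PATCH_WINDOW


def classify(row: dict, as_of: date) -> str:
    """Classify one (device, update) row as it stands on `as_of`.

    'ok'       installed on or before its deadline
    'late'     installed, but after the deadline: patched today, yet the
               14-day process requirement was missed
    'overdue'  not installed by `as_of` and the deadline has passed
    'pending'  not installed, deadline still in the future
    """
    due = deadline(row["released"])
    installed = row["installed"]
    if installed is not None and installed <= as_of:
        return "ok" if installed <= due else "late"
    # Not installed as of `as_of` (or installed only after that date).
    return "overdue" if as_of > due else "pending"


def compliance_report(inventory, as_of: date, devices=None) -> dict:
    """Summarise the whole estate, or only `devices` (e.g. the assessor's sample), on `as_of`."""
    rows = [r for r in inventory if devices is None or r["device"] in devices]
    report = {"ok": [], "late": [], "overdue": [], "pending": []}
    for r in rows:
        report[classify(r, as_of)].append((r["device"], r["update"]))
    # Both auto-fail questions ask whether ALL updates were installed within
    # 14 days, so anything overdue or late means the honest answer is "no".
    report["passes"] = not report["overdue"] and not report["late"]
    return report


if __name__ == "__main__":
    # Whole estate on the issue date: fails (LAPTOP-02 overdue, FW-EDGE late).
    print(compliance_report(INVENTORY, ISSUE_DATE))
    # Same estate three weeks earlier: nothing has lapsed yet, so it passes.
    print(compliance_report(INVENTORY, PRE_DEADLINE_DATE))
    # Only LAPTOP-01 in the sample: looks clean, which is exactly the loophole
    # a fresh random sample on retest is meant to close.
    print(compliance_report(INVENTORY, ISSUE_DATE, devices={"LAPTOP-01"}))
```

The `late` category is the one worth watching: a device that was patched on day 17 is up to date on the issue date, but the 14-day question is about the process, and an assessor reviewing install timestamps will still mark it as a miss.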
You can no longer adjust your self-assessment once the audit begins
From April 2026, organisations will not be permitted to go back and amend their verified self-assessment responses based on what the CE+ audit reveals. The self-assessment must be completed, finalised and locked before testing commences.
Previously there was some flexibility here. Now your self-assessment needs to accurately reflect your actual environment before the audit starts, not be adjusted afterwards to align with the results.
It’s a change that rewards organisations who approach Cyber Essentials as an ongoing standard rather than something to be tidied up when an audit is imminent.
The director’s declaration now covers ongoing compliance
The declaration signed by a director or board member as part of the verified self-assessment has been updated. It now includes an explicit acknowledgment that the organisation is responsible for maintaining Cyber Essentials compliance throughout the certification period, not just on the day of assessment.
In one sense this formalises what has always been best practice. Cyber Essentials certification shouldn’t be a once-a-year exercise that gets forgotten about the moment the certificate lands. It should reflect a continuous, maintained security posture. The updated declaration makes that expectation official.
What this means for your organisation
If you’re already Cyber Essentials certified, these changes apply to your next renewal if your assessment account is created after 27th April 2026. If you’re working towards certification for the first time, plan for them now: any assessment account created after that date is marked against the new criteria.
The direction of travel is clear: Cyber Essentials is moving towards a model where continuous compliance matters as much as the annual assessment. Organisations that treat it as a point-in-time, tick-box exercise are going to find the requirements increasingly difficult to meet.
Need support with Cyber Essentials compliance?
If you’d like to talk through what these changes mean for your security approach, or if you want to understand how LIMA’s Vulnerability Detection and Remediation service can help you meet Cyber Essentials patching requirements automatically, get in touch with the team.
Read our latest blog about vulnerability management
Contact the team at 0345 345 1110 or enquiries@lima.co.uk