Cyber Essentials: What’s Changing in 2026

The Government-backed Cyber Essentials scheme is being updated in April 2026, to better reflect evolving cyber threats and modern IT environments. These changes apply to both Cyber Essentials and Cyber Essentials Plus, with a particular focus on cloud services and authentication, and also clarifies scoping requirements.

When Do the Changes Take Effect?

The updated framework will apply to all assessments commencing on or after 27 April 2026; any assessments started before this date may still be completed under the existing framework. For organisations that rely on Cyber Essentials Plus certification to demonstrate robust cyber security controls, understanding and preparing for these updates early will be essential.

Key Changes to the Cyber Essentials Plus Framework

While the overall structure of Cyber Essentials largely remains unchanged, the updates to the framework coming this year introduce several important clarifications and strengthened controls that organisations must address.

One of the most significant changes relates to multi-factor authentication. Under the updated framework, MFA must be enabled wherever it is available, including cloud services where MFA is included as standard or offered as an optional paid feature. If MFA is available for a cloud service but not enabled, the organisation will not pass the assessment.

Another significant change to the framework is around the wording; Cyber Essentials has revised its wording to provide clearer guidance on what must be included within scope. In general, any device or service capable of making an internet connection is considered in scope, unless exclusions are clearly justified and documented. This encourages a more accurate representation of an organisation’s security posture during their assessment.

Additionally, the Cyber Essentials documentation now includes a formal definition of cloud services for the first time. Any service that is accessed over the internet and stores or processes organisational data is considered in scope for certification. This removes ambiguity and ensures that widely used platforms such as Microsoft 365, Google Workspace, CRM and ERP systems, and other SaaS solutions are fully included in Cyber Essentials assessments.

There is also a greater emphasis on backup strategies, with backup guidance moved earlier in the assessment requirements to reflect its importance in cyber resilience.

Finally, updates have been made to the assessment of application security and authentication methods; passwordless authentication technologies, such as passkeys and hardware-based authentication, are now considered secure alternatives where they are appropriately implemented.

What This Means for Organisations Seeking Certification

These changes are designed to improve consistency and accommodate the real-world cybersecurity landscape. For many organisations, preparation will involve reviewing all the cloud services currently in use, ensuring MFA is enabled across all their platforms, validating device and service scoping, strengthening authentication and access controls, and maintaining documentation and audit evidence. Proactive preparation will reduce risks during the assessment and help avoid delays or unexpected failures.

How Dolphin IT Solutions Can Help

Dolphin IT Solutions provides expert support to help organisations achieve and maintain Cyber Essentials Plus certification throughout the year. Our services include assessing your Cyber Essentials readiness, reviewing your current environment against the updated requirements to identify areas requiring remediation before the assessment commences, and recommending any technical implementation or hardening required to meet the standard.

From MFA deployment and cloud security configuration to access control enforcement, to vulnerability scanning and application patching, we can help you implement the controls required to meet the standard. We’ll assist you with any documentation or policy alignments needed to get you prepared for your Cyber Essentials assessment, ensuring you are confident throughout the audit.

Cyber security is not a one-off exercise. Our ongoing support services help you remain compliant all year round as your organisation evolves.

Prepare for April 2026 with Confidence

The upcoming changes to Cyber Essentials raise the bar for baseline cyber security, particularly around cloud usage and authentication. With the right preparation and expert guidance, these changes can strengthen your organisation’s security rather than disrupt it. Dolphin IT Solutions can help you stay compliant and secure all year round; contact us today to begin planning for your assessment.