Important Update: Changes to Cyber Essentials for April 2026

Feb 12, 2026 | Cyber Essentials, News and Events

The Cyber Essentials scheme is updated annually to stay aligned with evolving threats. While the scheme’s five core controls remain unchanged, the April 2026 updates aim to enhance clarity, consistency, and effectiveness. This blog outlines the annual updates to the Requirements for IT Infrastructure document, which serves as the standard for achieving Cyber Essentials certification. It also contains essential new information about changes to the assessment framework.

While you may have already seen a preview of the updated Requirements, the National Cyber Security Centre (NCSC) has now added further adjustments to the certification process, marking scheme, and Cyber Essentials Plus assessment methodology. It is important to understand and implement these changes to ensure compliance with the updated requirements. If you’re preparing for certification or recertification, it’s vital to review these updates carefully.

Each year, IASME collaborates closely with the NCSC to review feedback from across the scheme, analyse findings from breach investigations, and evaluate insights gained from audits conducted by the IASME team. These inputs form the foundation of the annual review process, which informs updates to the scheme requirements, assessment question set, methodology, and marking criteria. Our goal is to complete this review and implement updates as early as possible, ensuring organisations have sufficient time to prepare for any changes. In November 2025, we published the NCSC’s updates to the Requirements for Infrastructure document, including the introduction of an ‘auto-fail’ policy for not implementing Multi-Factor Authentication (MFA) where it is available.

Since then, additional factors have been identified through IASME’s ongoing audit processes. While these findings have not necessitated further changes to the Requirements for Infrastructure document, they have prompted NCSC to make updates to the operation of the scheme. The details of these changes are outlined below and will take effect in April 2026.

The changes to the scheme will apply to all assessment accounts created after April 26, 2026. Any organisation with an active assessment account created before this date will have 6 months to attain certification using the previous version of the requirements.

What are the upcoming changes to Cyber Essentials?

The April 2026 updates to the Cyber Essentials scheme aim to address challenges faced by organisations and Assessors, resolve areas of ambiguity, and ensure that the scheme continues to provide robust assurance against cyber threats.

Many of these updates were announced in November 2025. The changes that have been announced since then are identified as new in the sections below.

Changes to the marking criteria

One of the most notable updates to the scheme is the implementation of stricter marking criteria for questions that address critical practices, such as enabling multi-factor authentication and implementing timely security updates across the entire scope. Failure to meet the required standards will result in an automatic failure of the assessment. This emphasis brings the Cyber Essentials scheme into alignment with the NCSC’s recommended best practice.

Multi-factor authentication (MFA) will now be a mandatory requirement for all cloud services where it is available. Organisations that fail to implement MFA for cloud services, whether it is offered free, included with the service, or as a paid option, will automatically fail the assessment. This change underscores the critical role of MFA in protecting accounts and highlights the importance of adopting strong authentication measures.

Additionally, two new questions related to security update management will be designated as ‘auto-fail’ questions. These questions address the timely installation of high-risk or critical security updates and vulnerability fixes for operating systems, router and firewall firmware, and applications (including associated files and extensions). Specifically:

  • A6.4: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

  • A6.5: Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

Non-compliance with either of these questions will result in an automatic failure of the assessment, regardless of performance in other areas. This change is intended to address instances where delayed installation of critical updates leaves systems exposed to exploitation of known vulnerabilities.
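As an added illustration of how the 14-day window behind A6.4 and A6.5 can be checked against a patch inventory (this is example code written for this page, not part of the Cyber Essentials scheme or IASME's tooling), the function below classifies outstanding and installed updates by question and flags any high-risk or critical fix that was, or still is, outside the window. The inventory, hostnames and the "today" date are constructed sample data; a real check would read them from your patch-management system.

```python
"""Check a patch inventory against the 14-day window used by Cyber Essentials
questions A6.4 (operating systems, router and firewall firmware) and A6.5
(applications). Added example; the inventory below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(days=14)
# Only high-risk/critical fixes are covered by the auto-fail questions.
AUTO_FAIL_SEVERITIES = {"critical", "high"}
# Component type -> question that covers it.
QUESTION_FOR_COMPONENT = {"os": "A6.4", "firmware": "A6.4", "application": "A6.5"}


@dataclass(frozen=True)
class PendingUpdate:
    host: str
    component: str             # "os", "firmware" (router/firewall) or "application"
    package: str
    severity: str              # vendor rating, e.g. "critical", "high", "medium"
    released: date             # date the vendor published the fix
    installed: Optional[date]  # None while the update is still outstanding


def is_late(u: PendingUpdate, today: date) -> bool:
    """True if the update was installed after the deadline, or is still
    outstanding and the deadline has already passed. Installing on the
    deadline day itself is within the window."""
    deadline = u.released + WINDOW
    if u.installed is None:
        return today > deadline
    return u.installed > deadline


def assess(updates: List[PendingUpdate], today: date) -> Dict[str, object]:
    """Group late high-risk/critical updates under A6.4 or A6.5 and report
    whether either question would auto-fail."""
    breaches: Dict[str, List[PendingUpdate]] = {"A6.4": [], "A6.5": []}
    for u in updates:
        if u.severity.lower() not in AUTO_FAIL_SEVERITIES:
            continue  # medium/low fixes still matter, but are not auto-fail
        question = QUESTION_FOR_COMPONENT[u.component]
        if is_late(u, today):
            breaches[question].append(u)
    return {"breaches": breaches, "auto_fail": any(breaches.values())}


# Constructed sample inventory (hypothetical hosts and packages).
SAMPLE_TODAY = date(2026, 5, 1)


def sample_inventory() -> List[PendingUpdate]:
    return [
        # Installed 10 days after release: compliant.
        PendingUpdate("ws-01", "os", "kernel", "critical", date(2026, 4, 10), date(2026, 4, 20)),
        # Installed exactly on the deadline: compliant (boundary case).
        PendingUpdate("ws-04", "os", "kernel", "critical", date(2026, 4, 10), date(2026, 4, 24)),
        # Still outstanding and the deadline (24 April) has passed: A6.4 breach.
        PendingUpdate("ws-02", "os", "kernel", "critical", date(2026, 4, 10), None),
        # Firewall firmware installed 6 days late: A6.4 breach.
        PendingUpdate("fw-01", "firmware", "firmware", "high", date(2026, 4, 5), date(2026, 4, 25)),
        # Released 6 days ago, deadline not yet reached: compliant for now.
        PendingUpdate("ws-01", "application", "browser", "critical", date(2026, 4, 25), None),
        # Outstanding application fix well past its deadline: A6.5 breach.
        PendingUpdate("ws-03", "application", "pdf-reader", "high", date(2026, 4, 1), None),
        # Medium severity: outside the auto-fail questions, not flagged here.
        PendingUpdate("ws-03", "application", "office", "medium", date(2026, 3, 1), None),
    ]


if __name__ == "__main__":
    result = assess(sample_inventory(), SAMPLE_TODAY)
    for question, items in result["breaches"].items():
        for u in items:
            state = "outstanding" if u.installed is None else f"installed {u.installed}"
            print(f"{question}: {u.host} {u.package} ({u.severity}) released {u.released}, {state}")
    print("auto-fail:", result["auto_fail"])
```

Note that an update released less than 14 days ago but not yet installed is not a breach at the time of the check, so a report run the day before certification can look clean while fixes are still queued; the check is worth running across the whole scope, not just the devices an Assessor is likely to sample.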

Improved scope definition and certification transparency

Defining and reviewing the scope of an assessment has been a persistent challenge, particularly for larger organisations with complex structures. To address this, the following changes will be introduced:

1. Unlimited scope descriptions: Organisations will no longer be limited to a brief scope description on their certificates. Instead, they will be able to provide a detailed scope description, which will be available to view via the digital certificate platform.

2. Out-of-scope areas: Organisations will be required to describe any areas of their infrastructure that are excluded from the scope. This information will not be made public.

3. Legal entity identification: Organisations will need to specify all legal entities included within the scope of the assessment, providing details such as the entity’s name, address, and company number. All legal entities included in scope can be viewed on the digital certificate platform.

4. New certificate types: You will be able to request an individual Cyber Essentials certificate for every legal entity certified as part of a larger scope but it will be clear that the certification is part of the wider scope. There will be a small charge for these additional certificates.

These changes aim to improve transparency, reduce ambiguity, and ensure that the scope of an assessment is clearly defined and accurately represented.

Clarification of ‘point in time’

Cyber Essentials is a ‘point in time’ assessment, but there has been confusion about what this term refers to. To address this, the scheme will explicitly state that the ‘point in time’ is the date the certificate is issued. Organisations will need to ensure that their systems are supported at the date of certification.

Signed declaration and ongoing compliance

The declaration signed by a board member or director as part of the verified self-assessment (VSA) process will be updated to include a statement acknowledging the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period. This change reinforces the importance of ongoing compliance and ensures that organisations remain committed to maintaining robust cyber security measures.

Changes to the Cyber Essentials Plus (CE+) assessment

The Cyber Essentials Plus (CE+) assessment provides a higher level of assurance by including a technical audit of an organisation's cyber security measures. The April 2026 updates introduce several changes to enhance the CE+ process and align it more closely with the verified self-assessment (VSA).

Verification of update management compliance

Recent audits have revealed instances of organisations ‘applying selective updates’ during the Cyber Essentials Plus (CE+) assessment process. Specifically, when updates are identified as necessary during the CE+ audit, a small number of organisations have only applied these updates to the devices included in the sample being tested, rather than implementing them across their entire CE+ scope. As a result, these organisations have passed the CE+ assessment despite failing to address vulnerabilities across their broader environment.

To address this issue, the CE+ assessment process for update management will be revised. If an organisation fails the initial test of a random sample of devices, they will be required to remediate the issues and undergo a retest. During the retest, the Assessor will not only recheck the original sample, but will also test a new random sample of devices to ensure compliance across the wider environment. This change is designed to prevent organisations from selectively updating only the tested devices and to ensure that all required updates are applied consistently across the entire CE+ scope. It is important to note that a second failure will result in a revocation of the verified self-assessment certificate.

Prohibition of adjustments to the verified self-assessment post-CE+ testing

To maintain the integrity of the certification process, organisations will no longer be allowed to adjust their verified self-assessment (VSA) responses based on the results of the CE+ assessment. The scheme’s Terms and Conditions will be updated to explicitly require that the VSA must be completed, finalised, and remain unchanged prior to the commencement of CE+ testing.

Additional updates to the Requirements Document

The Requirements for IT Infrastructure v3.3 document will include several updates to improve clarity and guidance:

  • Cloud services definition: A clear definition of cloud services has been added to eliminate ambiguity about what constitutes a cloud service.

Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation or an email address used for business purposes) and will store or process data for your organisation.

If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.

  • Improved scoping requirements: The terms ‘untrusted’ and ‘user-initiated’ have been removed as qualifiers for internet connections, simplifying the scoping criteria. Organisations will also need to justify any exclusions from the scope and explain how excluded networks are segregated from in-scope systems.

  • Application development: The ‘web applications’ section has been renamed ‘application development’ and now references the UK Government’s Software Security Code of Practice. Publicly available commercial web applications are in scope by default, while bespoke and custom components are out of scope.

  • Guidance on Backups: The guidance on backups has been repositioned earlier in the document to emphasise their importance in enabling organisations to recover quickly from cyber incidents.

  • User Access Control: The user access control section has been updated to highlight the importance of passwordless authentication methods, such as passkeys, which offer a more secure alternative to traditional passwords.

For more details, refer to the updated Cyber Essentials Requirements for IT Infrastructure v3.3, which will apply to all applications registered after April 26, 2026.

The new Cyber Essentials Danzell Question Set will be published on the 13th of February 2026.