The government-approved Cyber Essentials scheme centres on five technical controls that help protect organisations from the most common cyber attacks. The Requirements for IT Infrastructure document is, in effect, the Cyber Essentials standard: it details the requirements to be met under each of the five technical controls.
As technology advances and cyber threats evolve, the Cyber Essentials requirements must adapt to remain relevant and effective. To ensure this, a team of experts from the National Cyber Security Centre and IASME carries out an annual review and update of the Cyber Essentials requirements.
The next annual update to Cyber Essentials will ‘go live’ in April 2026. To give applicants enough time to prepare for the changes, we are providing six months’ notice. Cyber Essentials Requirements for IT Infrastructure v3.3 will apply to all assessment accounts created after April 27, 2026. Once an assessment account is created, the applicant has six months to complete the assessment; any active assessment account set up before April 27, 2026 will continue to use the previous version of the assessment questions.
What are the upcoming changes to Cyber Essentials?
The upcoming changes to the Cyber Essentials requirements document are minor and primarily provide clearer definitions, for greater clarity and consistency. They are not expected to significantly affect compliance for most organisations.
Any new or changed wording in the requirements document is quoted below (highlighted in blue in the original document).
Changes to the marking criteria
Additional changes to the question set and marking criteria, aligned with the requirements document, will be introduced and published later this year.
One significant change to the marking process makes multi-factor authentication (MFA) mandatory.
MFA is already required by Cyber Essentials, but the expectation has changed: where a cloud service offers MFA (whether free, included in the service, provided through another service, or available as a paid option) and it has not been implemented, the assessment will now be an automatic failure.
The change to the marking emphasises the critical role of MFA in protecting systems. It is a notable shift that could have a substantial impact on compliance for many organisations, so organisations are strongly recommended to review the change carefully and take proactive steps to prepare.
Changes to the Requirements document
- A definition for cloud services
 
A definition for a cloud service has been included for the first time (as outlined below) to provide greater clarity. This addition aims to remove ambiguity regarding whether certain features, services or tools qualify as cloud services. There is also a definitive statement to confirm that cloud services cannot be excluded from the scope.
Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes), and will store or process data for your organisation.
If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.
- Improved scoping requirements
 
The scoping criteria have been updated to remove the terms ‘untrusted’ and ‘user-initiated’ as qualifiers for internet connections. This simplifies the statements and removes ambiguity: any specified device that connects to the internet, whether it accepts inbound connections or makes outbound ones, is within scope.
Additionally, where networks are excluded from scope, applicants will need to explain which parts of their infrastructure are excluded, why, and how they have been segregated from the in-scope networks.
Where parts of an organisation’s infrastructure have been excluded from scope, you will need to justify the reason for a partial scope to your assessor.
The requirements apply to all devices and software in scope and which meet any of these conditions:
- Can accept incoming network connections from internet-connected devices
- Can establish outbound connections to devices via the internet
- Control the flow of data between any of the above devices and the internet

- Updated guidance for web applications
 
The web applications section has been renamed ‘application development’ and will now refer to the UK Government’s Software Security Code of Practice which was launched earlier this year.
Application development
Publicly available commercial web applications (rather than apps developed in-house) are in scope by default. Bespoke and custom components of web applications are out of scope. The best way to mitigate vulnerabilities in applications is robust development and testing in line with commercial best practice. See the Software Security Code of Practice for further details.
- Guidance on backups
 
The guidance on backups has been repositioned earlier in the document (immediately following the definitions and before the scope overview). This change emphasises the importance of having backups in place, enabling organisations to recover quickly in the event of a cyber incident.
- User access control section
 
The user access control section has been updated to place greater emphasis on passwordless authentication and multi-factor authentication (MFA). Passkeys in particular offer an easier, faster and more secure way to log in and the NCSC would like to see them become the default authentication recommendation.
Additionally, this section has been repositioned within the document for improved clarity and focus.
Passwordless authentication is an authentication method that uses a factor other than user knowledge (something the user knows) to establish identity. Examples include, but are not limited to: FIDO2 authenticators, biometric data, security keys or tokens, one-time codes, QR codes, and push notifications.
Passwordless authentication
Passwordless authentication is a method of verifying identity without using traditional passwords.
Common examples of passwordless authentication include:
Passkeys: passwordless login technology based on public-key cryptography, used to securely authenticate a user. FIDO2 authenticators are considered passkeys. FIDO2 authenticators are regarded as MFA because user verification is performed on the authenticator itself (possession of the device, unlocked by a PIN or biometric) before it signs. FIDO2 is a set of standards that define cryptographic authentication using public-key credentials and protocols, providing more secure alternatives to passwords for accessing online services.
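The following Go program is an added illustration of why a FIDO2 passkey counts as phishing-resistant MFA; it is not part of the NCSC/IASME text or of any Cyber Essentials tooling. It models one relying party and one authenticator: at registration the relying party stores only the public key; at login it issues a random challenge, the authenticator signs the challenge together with the RP ID hash, a flags byte (user present, user verified) and a counter, and the relying party checks origin, challenge, RP ID, user-verification flag, counter and signature. The relying-party origin and RP ID, the user name and the look-alike phishing origin are assumed values, and the message layout follows WebAuthn in simplified form (no attestation, CBOR or credential IDs).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// authenticatorData flags: bit 0 user present (touch), bit 2 user verified (PIN or biometric on the device).
const flagUP, flagUPUV byte = 0x01, 0x05

type (
	// RelyingParty is a hypothetical service; Origin and RPID are assumed values.
	RelyingParty struct {
		Origin, RPID string
		Keys         map[string]*ecdsa.PublicKey // registration stores only public keys
		Counters     map[string]uint32           // last signature counter seen per user
	}
	// Assertion is what the browser returns: authenticatorData, clientDataJSON and the signature.
	Assertion struct{ AuthData, ClientData, Sig []byte }
	// Authenticator models the passkey holder; the private key never leaves it.
	Authenticator struct {
		priv    *ecdsa.PrivateKey
		counter uint32
	}
)

// NewChallenge returns 32 fresh random bytes, base64url encoded, as an RP would.
func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand: fails only if the OS entropy source is unavailable
	return base64.RawURLEncoding.EncodeToString(b)
}

// Sign signs authenticatorData || SHA-256(clientDataJSON), where authenticatorData =
// SHA-256(rpID) || flags || counter. The browser, not the page, writes origin, so a phishing site cannot forge it.
func (a *Authenticator) Sign(rpID, origin, challenge string, flags byte) (Assertion, error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := binary.BigEndian.AppendUint32(append(rpHash[:], flags), a.counter)
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return Assertion{authData, cd, sig}, err
}

// Verify runs the relying-party checks; each failure names the attack it blocks.
func (rp *RelyingParty) Verify(user, challenge string, as Assertion) error {
	pub, ok := rp.Keys[user]
	var cd map[string]string
	if !ok || json.Unmarshal(as.ClientData, &cd) != nil || len(as.AuthData) < 37 {
		return errors.New("unknown credential or malformed assertion")
	}
	rpHash, cdHash := sha256.Sum256([]byte(rp.RPID)), sha256.Sum256(as.ClientData)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	switch {
	case cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd["origin"] != rp.Origin:
		return errors.New("origin mismatch: assertion was made for another site (phishing)")
	case string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch: credential bound to a different RP")
	case as.AuthData[32]&0x04 == 0:
		return errors.New("user not verified: presence alone is a single factor, not MFA")
	case counter <= rp.Counters[user]:
		return errors.New("signature counter did not increase: possible cloned authenticator")
	case !ecdsa.VerifyASN1(pub, digest[:], as.Sig):
		return errors.New("bad signature")
	}
	rp.Counters[user] = counter
	return nil
}

// Demo registers one passkey, then presents a genuine, a phished (relayed), a replayed and a presence-only assertion.
func Demo() (genuine bool, phishErr, replayErr, noUVErr error) {
	rp := &RelyingParty{Origin: "https://login.example.com", RPID: "login.example.com", Keys: map[string]*ecdsa.PublicKey{}, Counters: map[string]uint32{}}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand keygen; error only if entropy is unavailable
	auth := &Authenticator{priv: key}
	rp.Keys["alice"] = &key.PublicKey // registration: the RP never sees the private key
	ch1, ch2, ch3, ch4 := NewChallenge(), NewChallenge(), NewChallenge(), NewChallenge()
	as, _ := auth.Sign(rp.RPID, rp.Origin, ch1, flagUPUV)
	genuine = rp.Verify("alice", ch1, as) == nil
	phished, _ := auth.Sign(rp.RPID, "https://login-example.com", ch2, flagUPUV) // look-alike site relays ch2
	phishErr = rp.Verify("alice", ch2, phished)
	replayErr = rp.Verify("alice", ch3, as) // old assertion against a new challenge
	noUV, _ := auth.Sign(rp.RPID, rp.Origin, ch4, flagUP) // touch only, no PIN or biometric
	noUVErr = rp.Verify("alice", ch4, noUV)
	return
}

func main() {
	g, p, r, u := Demo()
	fmt.Printf("genuine=%v\nphished: %v\nreplayed: %v\nno UV: %v\n", g, p, r, u)
}
```

Three properties carry the security argument: the relying party holds nothing a breach could turn into a reusable credential, the signed origin and RP ID hash mean a credential captured on a look-alike site cannot be relayed to the real one, and the user-verification flag is what distinguishes a two-factor passkey assertion from a presence-only tap.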
The updated requirements document, Cyber Essentials Requirements for IT Infrastructure v3.3, applies to all applications registered after April 27, 2026.
The new question set will be published by early February 2026.