Cyber Essentials key updates
Significant updates to the Cyber Essentials (CE) and Cyber Essentials Plus (CE+) schemes are on the horizon, with a brand‑new question set, Danzell, taking effect from April 27, 2026.
As part of the 2026 IASME scheme update, these changes aim to strengthen security standards, improve clarity for organisations, and ensure more consistent assessment outcomes. This article breaks down the key updates and what they mean for your organisation.
Stricter marking criteria
Mandatory Multi‑Factor Authentication (MFA) for all cloud services
One of the most impactful changes relates to mandatory Multi‑Factor Authentication (MFA) across all cloud services. MFA will now be a required control for all cloud services where it’s available. If MFA isn’t implemented, the assessment will result in an automatic failure. This change reinforces a fundamental security practice and aligns Cyber Essentials with modern cloud‑security expectations.
What counts as a cloud service?
A cloud service is defined as an on-demand, scalable service hosted on shared infrastructure and accessible via the internet. For Cyber Essentials purposes, this covers any service accessed via an organisational or business-purpose account and used to store or process organisational data.
This applies across SaaS, IaaS, PaaS and includes services such as cloud email, identity providers, remote access services, and administrative access tools.
14‑Day patch requirement (new auto‑fail criteria A6.4 & A6.5)
High-risk and critical security updates must now be applied within 14 days of release. Any lapse becomes an automatic failure, not simply a non-compliance note. This covers updates for operating systems, applications, and router and firewall firmware. The change reflects an industry-wide emphasis on rapid patching as a fundamental resilience measure.
Greater transparency & clearer scope requirements
The new question set places increased emphasis on clarity and openness.
No word limit on scope descriptions
Organisations must provide detailed and unrestricted descriptions of their assessment scope, improving assessor understanding and reducing ambiguity.
Legal entities must be listed
All legal entities included within scope will now need to be clearly itemised.
Exclusions must be explained
While exclusions won’t be published publicly, organisations will now be asked to detail what’s excluded and why it’s excluded. This supports better assessor insight and helps ensure the integrity of the certification.
Changes to Cyber Essentials Plus (CE+)
Alongside updates to the basic scheme, CE+ is receiving its own set of enhancements:
Enhanced update verification
Assessors will go beyond retesting previously non‑compliant devices. They will now also test a new random sample to confirm that required updates have been applied consistently across the wider environment.
No more adjusting Verified Self-Assessment (VSA) responses during CE+ testing
Once CE+ testing begins, organisations will no longer be allowed to modify their Verified Self‑Assessment responses. This change ensures that test results accurately reflect the organisation’s true security posture at the time of assessment.
What this means for your organisation
These changes reflect a continued push to reinforce resilience across UK organisations, particularly around update discipline, identity protection, and scoping clarity.
To prepare, organisations should:
- Review update policies and ensure critical patching occurs within 14 days
- Confirm MFA is enabled across every cloud service
- Begin drafting detailed scope descriptions and identifying all legal entities
- Prepare for a more rigorous CE+ verification experience
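The two auto-fail controls above (the 14-day window for high-risk and critical updates, and MFA on every cloud service where the provider offers it) are easy to check mechanically against an asset register before the assessment. The following Python script is an added illustration, not part of this article and not IASME or NCSC tooling; the data model (asset, update identifier, vendor severity, release and install dates, and a per-service MFA flag) and the sample inventory are constructed assumptions, and you would populate them from your own patch-management and identity systems.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Auto-fail window for high-risk and critical updates (question set A6.4 / A6.5).
PATCH_WINDOW = timedelta(days=14)
# Severities the 14-day rule applies to; lower severities are out of scope here.
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass
class SecurityUpdate:
    asset: str                        # hostname or device label from the asset register
    update_id: str                    # vendor advisory / update identifier
    severity: str                     # vendor-assigned severity, lower-case
    released: date                    # date the vendor published the fix
    installed: Optional[date] = None  # None means not yet applied


@dataclass
class CloudService:
    name: str
    mfa_available: bool  # does the provider offer MFA at all?
    mfa_enforced: bool   # is it switched on for every in-scope account?


def elapsed_days(update: SecurityUpdate, today: date) -> int:
    """Days from release to installation, or from release to today if still open."""
    end = update.installed if update.installed is not None else today
    return (end - update.released).days


def overdue_updates(updates: List[SecurityUpdate], today: date) -> List[dict]:
    """High-risk/critical updates applied, or still missing, more than 14 days after release."""
    findings = []
    for u in updates:
        if u.severity not in IN_SCOPE_SEVERITIES:
            continue
        days = elapsed_days(u, today)
        if days > PATCH_WINDOW.days:
            findings.append({
                "asset": u.asset,
                "update_id": u.update_id,
                "days": days,
                "status": "applied late" if u.installed else "still missing",
            })
    return findings


def cloud_mfa_gaps(services: List[CloudService]) -> List[str]:
    """Services where the provider offers MFA but it is not enforced: an auto-fail."""
    return [s.name for s in services if s.mfa_available and not s.mfa_enforced]


def cloud_mfa_not_offered(services: List[CloudService]) -> List[str]:
    """Services with no MFA option; not a fail by itself, but worth recording in the scope description."""
    return [s.name for s in services if not s.mfa_available]


def readiness_report(updates: List[SecurityUpdate], services: List[CloudService], today: date) -> dict:
    overdue = overdue_updates(updates, today)
    gaps = cloud_mfa_gaps(services)
    return {
        "overdue_updates": overdue,
        "mfa_gaps": gaps,
        "mfa_not_offered": cloud_mfa_not_offered(services),
        "auto_fail": bool(overdue or gaps),
    }


# Constructed sample inventory: not a real organisation's data.
SAMPLE_UPDATES = [
    SecurityUpdate("laptop-01", "OS-UPDATE-EXAMPLE-1", "critical", date(2026, 3, 1), date(2026, 3, 10)),
    SecurityUpdate("fw-edge-01", "FW-UPDATE-EXAMPLE-2", "high", date(2026, 3, 1), date(2026, 3, 20)),
    SecurityUpdate("laptop-02", "OS-UPDATE-EXAMPLE-3", "critical", date(2026, 3, 25)),
    SecurityUpdate("srv-app-01", "APP-UPDATE-EXAMPLE-4", "high", date(2026, 3, 10)),
    SecurityUpdate("laptop-01", "APP-UPDATE-EXAMPLE-5", "medium", date(2026, 1, 5)),
]
SAMPLE_SERVICES = [
    CloudService("company email (SaaS)", mfa_available=True, mfa_enforced=True),
    CloudService("CRM (SaaS)", mfa_available=True, mfa_enforced=False),
    CloudService("legacy supplier portal", mfa_available=False, mfa_enforced=False),
]
ASSESSMENT_DATE = date(2026, 4, 1)

if __name__ == "__main__":
    import json
    print(json.dumps(readiness_report(SAMPLE_UPDATES, SAMPLE_SERVICES, ASSESSMENT_DATE), indent=2))
```

Run against the sample data, the report flags the firewall firmware (installed 19 days after release) and the server application update (22 days old and still missing) as overdue, lists the CRM as an MFA gap, and marks the overall result as an auto-fail; the medium-severity item and the update still inside its 14-day window are left alone. Note that an update applied late still counts as overdue here: the assessor is checking discipline over time, not just the state on the day.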
Get our support – Ultimate CE/CE+ preparation
For over a decade, we've been helping our clients prepare before submitting the self-assessment questionnaire (VSA) through a managed-service model with a dedicated consultant who conducts and monitors vulnerability scans, advises on any fixes, patches or updates, and outlines any other remediation actions required ahead of obtaining your CE/CE+ certification.
Our Cyber Essentials services are conducted exclusively by experienced specialists with the skills and qualifications needed to meet the requirements set out by NCSC. We'll introduce you to one of our dedicated CE assessors, each of whom has a wealth of technical and compliance expertise across the cyber landscape.
The assessment team operates seamlessly and will conduct their work without creating any disruption or operational downtime to your business.
Our two main services to support your Cyber Essentials requirements are:
- Basic - essentially a self-assessment questionnaire to ascertain that basic controls are in place.
- Plus - a further technical assessment including an external vulnerability scan and review of end user devices to actually test whether the controls have been implemented correctly.