Cyber Essentials April 2026 Changes Explained

Cyber Essentials continues to evolve to reflect the way organisations now operate and the threats they face. From 27 April 2026, updated requirements will come into effect through the new Cyber Essentials Infrastructure v3.3 guidance and updated assessment questions.

These updates aim to strengthen the integrity of the scheme and ensure certification reflects genuine, organisation-wide security controls rather than point-in-time fixes.

The changes are driven by evidence from recent UK cyber incidents showing that most attacks still exploit basic security gaps and known vulnerabilities, often using widely available tools that require relatively little technical skill. Cyber Essentials was designed to prevent exactly these types of attacks.

In this article we break down the key updates and what organisations should be doing now to prepare.

Why Cyber Essentials Is Changing

Cyber Essentials has become an increasingly important standard across the UK. Government departments, public sector organisations and large enterprises are increasingly requiring certification within their supply chains.

Recent data shows that a significant number of cyber incidents originate through third-party suppliers and service providers, which has driven renewed focus on ensuring organisations implement the scheme correctly.

The upcoming updates aim to:

• Protect the credibility of the certification scheme
• Ensure controls are implemented across the whole organisation
• Reduce avoidable cyber attacks
• Improve resilience across UK supply chains

When the Changes Take Effect

The new Cyber Essentials standard (sometimes referred to as “Danzell”) comes into effect on 27 April 2026.

There is also a transition period for organisations already working on certification under the current framework.

Key dates include:

• 26 April 2026 – Last day to create Cyber Essentials accounts under the current scheme
• 26 October 2026 – Deadline to complete existing Cyber Essentials assessments under the previous framework
• 26 January 2027 – Final deadline for Cyber Essentials Plus audits linked to the previous scheme

Organisations planning certification in 2026 should consider how these deadlines affect their timeline.

Key Cyber Essentials Changes in April 2026

Stronger Multi-Factor Authentication Requirements

One of the most significant changes relates to multi-factor authentication (MFA).

Where a cloud service offers MFA, it must now be enabled. Failure to enable MFA when it is available will result in an automatic failure of the assessment.

This requirement applies to a wide range of services, including:

• cloud platforms
• SaaS applications
• remote administration tools
• business social media accounts

If a service genuinely does not support MFA, organisations will not be penalised. However, if MFA is available as a paid feature, organisations are expected to enable it.

14-Day Patching Requirement for Internet-Facing Systems

Cyber Essentials Plus will introduce a stricter expectation around patching vulnerabilities.

All high and critical vulnerabilities on internet-facing systems must be remediated within 14 days.

This applies to both operating systems and applications.

Failure to meet the 14-day remediation window may result in automatic failure of the Cyber Essentials Plus audit.

Where patching within 14 days is not possible, organisations will need to ensure the affected systems are properly segregated or removed from internet exposure.

Improved Scope Verification

Cyber Essentials assessments rely on a clearly defined scope that identifies which parts of the organisation are covered by certification.

Under the updated requirements, assessors will place greater emphasis on verifying that scope definitions accurately reflect the organisation’s network environment.

Scopes must be defined based on technical network boundaries, rather than organisational structures such as departments or job roles.

Certificates will now indicate whether the certification applies to the whole organisation or a partial organisation.

Legal Entity Declarations

Another change relates to organisations with multiple legal entities.

Entities sharing the same Cyber Essentials certification must now be declared during the assessment process rather than after certification.

This change has been introduced to ensure that all organisations included within a certification genuinely share the same network infrastructure and management oversight.

Where legal entities operate independently, separate certifications may be required.

Enhanced Vulnerability Sampling in Cyber Essentials Plus

Cyber Essentials Plus assessments include technical testing to verify the controls declared during the self-assessment.

Under the updated guidance, if high or critical vulnerabilities are discovered during internal vulnerability scanning, assessors may perform additional sampling across more systems.

This change is designed to prevent organisations from simply fixing vulnerabilities on the initially sampled devices rather than implementing controls across the environment.

What Organisations Should Do Now

Although the changes may appear significant, most organisations can prepare effectively by focusing on a few key areas.

Practical steps include:

• Reviewing where MFA is enabled across cloud services
• Ensuring patch management processes meet the 14-day remediation window
• Maintaining an accurate inventory of devices and systems
• Reviewing how certification scope is defined
• Confirming which legal entities are included within certification

Organisations that already follow good security practices will typically find these updates manageable.

Watch Our Cyber Essentials 2026 Webinar

If you would like a practical walkthrough of the changes and what they mean in real assessments, you can watch our recent webinar:

Watch the Cyber Essentials 2026 webinar recording

The session explains the updates, common pitfalls we continue to see, and how organisations can prepare for certification without unnecessary complexity.

How Secarma Supports Cyber Essentials Certification

Secarma supports organisations throughout the Cyber Essentials and Cyber Essentials Plus process.

Our team works alongside organisations to simplify the requirements, prepare evidence efficiently and guide teams through certification with confidence.

Learn more about our Cyber Essentials services here:

Explore our Cyber Essentials and Cyber Essentials Plus services

Cyber Essentials 2026 – Frequently Asked Questions

When do the Cyber Essentials 2026 changes take effect?

The updated Cyber Essentials requirements take effect on 27 April 2026. Organisations beginning certification after this date will complete the assessment using the updated guidance and question set.

What is the Danzell question set?

Danzell is the name given to the updated Cyber Essentials self-assessment question set introduced alongside the Infrastructure v3.3 guidance. It reflects changes to modern technology environments and stronger security expectations.

Will the Cyber Essentials controls change?

The five core Cyber Essentials controls remain the same. However, the guidance and assessment questions have been updated to reflect modern technologies, cloud services and evolving cybersecurity risks.

What is changing with multi-factor authentication?

If a cloud service provides multi-factor authentication, it must now be enabled. Failure to enable MFA where it is available may result in an automatic failure of the Cyber Essentials assessment.

How quickly must vulnerabilities be patched?

Under the updated Cyber Essentials Plus guidance, high and critical vulnerabilities affecting internet-facing systems must be remediated within 14 days.

Can Secarma help with Cyber Essentials certification?

Yes. Secarma supports organisations preparing for Cyber Essentials and Cyber Essentials Plus certification, helping teams understand the requirements and achieve certification efficiently.