Cyber Essentials Changes in April 2026: What Businesses Need to Know
From 27 April 2026, Cyber Essentials and Cyber Essentials Plus will change. The update does not introduce new security controls. Instead, it tightens how assessors review, evidence, and enforce the existing requirements.
On the surface, the changes may look minor. In practice, they will have a real impact. The scheme now removes long‑standing ambiguity, particularly around cloud services, patching, and scope.
If your organisation plans to certify or renew in 2026, early understanding will make the difference between a smooth assessment and a stressful one.
The Fundamentals of Cyber Essentials Remain the Same
Cyber Essentials itself remains unchanged. The scheme still centres on the same five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management.
The update does not introduce new controls or require organisations to redesign their security architecture. Instead, it clarifies how assessors interpret and apply those controls, especially in cloud‑first and hybrid environments. As a result, Cyber Essentials now defines more clearly what “good” looks like in practice.
Mandatory MFA for Cloud Services
One of the most important changes coming into force in April 2026 is the requirement for Multi‑Factor Authentication (MFA) to be enabled wherever it is technically available on cloud services.
This applies to all users, not just administrators, and across all cloud platforms accessed using business accounts. Cost, licensing tier or user convenience are no longer accepted justifications for leaving MFA disabled. If a cloud service supports MFA and it has not been enabled, the assessment will fail automatically.
This change reflects the ongoing prevalence of credential‑based attacks and brings the scheme into line with modern security expectations. For many organisations, it will require a careful review of how identity and access controls are applied across Microsoft 365 and third‑party SaaS platforms.
Cloud Services Are Now Clearly In Scope
Another significant update is the formal clarification of what constitutes a cloud service — and the removal of previous loopholes around scoping.
If a service is accessible via the internet, processes or stores organisational data, and is accessed using business accounts, it must now be included in the Cyber Essentials scope. This includes widely used platforms such as Microsoft 365, Google Workspace, CRM systems, HR platforms and cloud identity providers.
Previous approaches that relied on narrowing scope to exclude SaaS platforms are no longer acceptable. Organisations will need to demonstrate that security controls are applied consistently across both on‑premises and cloud environments, rather than treating them as separate concerns.
The 14‑Day Patching Rule Is Enforced Strictly
Cyber Essentials has always required high‑risk and critical security updates to be applied within 14 days. Historically, however, there was some flexibility in how this requirement was interpreted.
From April 2026, that flexibility is removed; critical and high‑risk updates must be applied within 14 days across operating systems, applications, and network infrastructure such as routers and firewalls. If even a single in‑scope system fails to meet this requirement, the organisation will fail the assessment.
This change is designed to reduce real‑world exploit windows and places greater emphasis on having reliable, repeatable patching processes — supported by clear evidence.
Clearer Assessments with the New Danzell Question Set
The existing Willow assessment questions are being replaced by a new question set known as Danzell. This introduces clearer wording, firmer yes‑or‑no outcomes, and fewer opportunities for ‘interpretation’.
The focus shifts away from theoretical compliance and towards controls that are genuinely live and operational at the time of assessment. The aim is to improve consistency across certifications and ensure that declarations accurately reflect real‑world security posture.
For organisations, this means preparation and confidence matter more than ever when submitting an assessment.
Cyber Essentials Plus Becomes a Stronger Assurance
Cyber Essentials Plus is also being reinforced as a true assurance‑level certification rather than a technical spot check. Evidence requirements are becoming more robust, retesting is more consistent, and there is less tolerance for partially implemented or “in progress” controls. Organisations pursuing CE+ should expect greater scrutiny and should prepare accordingly.
For those that already treat Cyber Essentials seriously, this change should feel like a natural progression rather than a step change.
What This Means for Organisations in 2026
For businesses planning to certify or renew after April 2026, the key takeaway is preparation. This update rewards organisations that understand their environment, enforce controls consistently, and can clearly evidence what they declare.
Many will need to review MFA enforcement across cloud services, validate patching processes against the 14‑day rule, and reassess scope — particularly where SaaS platforms are involved. Just as importantly, Cyber Essentials should be treated as a formal assurance activity rather than an administrative task.
Those that rely on interpretation, timing, or partial implementation are likely to find the new approach more challenging.
Final Thoughts
The April 2026 Cyber Essentials update is about credibility, consistency and clarity. The technical controls haven’t changed, the expectations are clearer, and the tolerance for ambiguity has gone. For most organisations, success will come from doing the basics well (and being able to prove it!).
How Wanstor Can Help
As Microsoft partners and Cyber Essentials specialists, Wanstor supports organisations throughout the entire Cyber Essentials journey — from readiness assessments and scoping, through remediation, evidence gathering and certification.
If the 2026 changes feel overwhelming, we can help you approach them with confidence and clarity.
Get in touch to discuss your Cyber Essentials or Cyber Essentials Plus certification.