What Cyber Essentials is and why it matters

Cyber Essentials is the UK government's baseline cybersecurity certification scheme, developed and backed by the NCSC (National Cyber Security Centre) and administered through IASME. It defines five technical controls – boundary firewalls, secure configuration, user access control, malware protection and patch management – that, if properly implemented, defend against the most common categories of cyber attack.

The scheme is mandatory for suppliers bidding for UK central government contracts that involve handling sensitive information or providing certain technical services. Beyond that formal requirement, it's increasingly expected as a baseline across defence, healthcare and financial supply chains – and by cyber insurers who've tightened their underwriting criteria in response to a sustained rise in ransomware claims.

Certification runs for 12 months. There are two levels: Cyber Essentials (self-assessment questionnaire, reviewed by a certifying body) and Cyber Essentials Plus (everything in the self-assessment, plus an independent technical audit carried out by an assessor). Both expire annually – so if you hold a certificate today, you'll be renewing under whichever version of the standard is current at the time.

What's changing in April 2026

The updated standard – release name Danzell – introduces several changes that represent a meaningful step up from the current requirements. Four areas are worth paying particular attention to.

MFA becomes mandatory for all user accounts. Under the current standard, multi-factor authentication is required for accounts accessing services over the internet – primarily remote access and cloud services. From April, MFA becomes a requirement for all user accounts, including those that only access internal systems. This is the change most likely to require active remediation across a broad range of organisations, particularly those running on-premises infrastructure where MFA hasn't historically been a deployment priority.

Cloud services are formally in scope. The current standard handles cloud services inconsistently – some certifying bodies apply scope narrowly, others more broadly. Danzell resolves this by explicitly placing cloud services within the assessment scope. If your organisation uses Microsoft 365, Google Workspace, cloud-hosted line-of-business applications or any other software-as-a-service platform, those services need to be included in your assessment and the relevant controls applied to them. Services you use but don't manage – where the provider controls the underlying infrastructure – need to be documented and the shared responsibility model understood.

The patching window stays at 14 days, but the definition tightens. The 14-day patching requirement for critical vulnerabilities isn't new, but the updated standard sharpens what "critical" means and how compliance is evidenced. Organisations will need to demonstrate a documented, repeatable patching process rather than just asserting that patches are applied on time. If your current approach is ad hoc – relying on someone remembering to check for updates – that won't be sufficient.

Software in scope is more clearly defined. The updated standard tightens the definition of software that falls within the assessment boundary, including web-browsing software and browser plugins. Unsupported software – applications no longer receiving security updates from the vendor – becomes harder to exclude from scope. If you're running legacy applications that haven't received a security update in two or more years, Danzell makes this a more pressing problem than the current standard does.

Why certifying before April makes sense

If your organisation is planning to certify or renew in 2026, the practical question is whether to do it before April or after.

The current standard is less demanding on each of the four points above. Certifying before April means assessing against those existing requirements, which for many organisations – particularly those that haven't yet deployed MFA across all internal accounts or fully mapped their cloud services – represents a materially easier path to certification.

Certification obtained before the April cutover remains valid for 12 months from the date it's awarded. You won't be expected to comply with Danzell mid-term. Your next renewal, however, will be assessed against the new standard – which gives you up to 12 months to address the gaps before you need to demonstrate compliance.

For organisations that are still remediating against the new requirements, attempting certification post-April and failing is an expensive way to find out what needs fixing. Pre-assessment against the Danzell controls before you submit is the better approach regardless of timing.

The three changes that require the most preparation

MFA rollout across all accounts. This isn't just an Azure AD or Entra ID configuration change – it requires identifying every user account in scope, every system those accounts access and every authentication method in use. For organisations with a mix of cloud and on-premises systems, legacy applications that don't support modern authentication protocols can create genuine technical blockers. Mapping the full picture before you start the rollout is essential.

Cloud asset inventory. You can't bring cloud services into scope if you don't know what cloud services you're using. Shadow IT – services adopted without central IT involvement – is consistently one of the most significant gaps we see in pre-assessment reviews. A thorough cloud asset discovery exercise, covering everything from major productivity platforms to project management tools to file-sharing services, needs to happen before the scoping conversation starts.

Patching process documentation. Most organisations do apply patches. Fewer have a documented process that defines who is responsible, how critical vulnerabilities are identified, what the escalation path is if a patch can't be applied within 14 days and how compliance is recorded. That documentation is what Danzell requires – and it's what assessors will be looking for evidence of.
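The patching window described above (and under "The patching window stays at 14 days" earlier) is easy to assert and hard to evidence. As an added illustration, not code from Route B, the NCSC or IASME, the script below shows the kind of repeatable check a documented process can rest on: each record names the responsible owner, the vendor fix date, the date the fix was applied (or not), and any documented exception, and the script classifies every record against the 14-day window and produces an escalation list by owner. The records, asset names, vulnerability identifiers and exception references are all constructed placeholders; the status names ("compliant", "late", "open", "overdue", "excepted", "tracked") and the choice to apply the window only to "critical" severity are this example's assumptions, following the page's wording.

```python
"""Evidence check for a 14-day critical-patch window (constructed example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14               # the 14-day window for critical fixes
WINDOWED_SEVERITIES = {"critical"}   # assumption: only "critical" is subject to the window


@dataclass(frozen=True)
class PatchRecord:
    asset: str                       # device or service in scope
    owner: str                       # named person or team responsible (the "who")
    vuln_id: str                     # vendor/tracker reference (placeholder values below)
    severity: str                    # vendor-assigned severity
    fix_released: date               # date the vendor made the fix available
    applied: Optional[date]          # date the fix was installed, or None if outstanding
    exception_ref: Optional[str] = None  # documented escalation/exception record, if any


def deadline(rec: PatchRecord) -> date:
    """Last day on which applying the fix still meets the window."""
    return rec.fix_released + timedelta(days=PATCH_WINDOW_DAYS)


def classify(rec: PatchRecord, today: date) -> str:
    """Map one record onto the status an assessor would ask about."""
    if rec.severity.lower() not in WINDOWED_SEVERITIES:
        return "tracked"             # recorded, but not subject to the 14-day rule
    due = deadline(rec)
    if rec.applied is not None:
        return "compliant" if rec.applied <= due else "late"
    if today <= due:
        return "open"                # outstanding, but still inside the window
    # Past the deadline and not applied: acceptable only with a documented exception
    return "excepted" if rec.exception_ref else "overdue"


def compliance_summary(records, today: date) -> dict:
    """Counts per status: the headline figure for the compliance record."""
    return dict(Counter(classify(r, today) for r in records))


def overdue_by_owner(records, today: date) -> dict:
    """Escalation list: each owner's critical fixes that breached the window
    without a documented exception, with the number of days past deadline."""
    out = defaultdict(list)
    for r in records:
        if classify(r, today) == "overdue":
            out[r.owner].append((r.asset, r.vuln_id, (today - deadline(r)).days))
    return dict(out)


# Constructed sample inventory; identifiers are placeholders, not real advisories.
SAMPLE = [
    PatchRecord("srv-file-01", "IT Ops", "VULN-PLACEHOLDER-001", "critical",
                date(2026, 2, 1), date(2026, 2, 10)),                  # applied on day 9
    PatchRecord("ws-finance-07", "IT Ops", "VULN-PLACEHOLDER-002", "critical",
                date(2026, 2, 1), date(2026, 2, 20)),                  # applied on day 19
    PatchRecord("srv-legacy-02", "App Team", "VULN-PLACEHOLDER-003", "critical",
                date(2026, 2, 5), None),                               # outstanding, no exception
    PatchRecord("srv-legacy-03", "App Team", "VULN-PLACEHOLDER-004", "critical",
                date(2026, 2, 5), None, exception_ref="EXC-PLACEHOLDER-12"),
    PatchRecord("ws-sales-03", "IT Ops", "VULN-PLACEHOLDER-005", "critical",
                date(2026, 2, 25), None),                              # still inside the window
    PatchRecord("srv-web-01", "IT Ops", "VULN-PLACEHOLDER-006", "medium",
                date(2026, 1, 10), None),                              # tracked, not windowed
]

if __name__ == "__main__":
    today = date(2026, 3, 1)   # constructed "as-of" date for the report
    print("Summary:", compliance_summary(SAMPLE, today))
    for owner, items in overdue_by_owner(SAMPLE, today).items():
        for asset, vuln, days_over in items:
            print(f"ESCALATE {owner}: {asset} {vuln} is {days_over} day(s) past deadline")
```

Run as a script it prints the status counts and the escalation list for the as-of date; run regularly (and its output retained), it gives the documented, repeatable evidence the text says assessors look for, rather than an assertion that patches are applied on time. The "excepted" status exists so that a fix that genuinely cannot be applied within 14 days is recorded with its escalation reference rather than silently left as "overdue".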

Who's affected – and it's not just government suppliers

The mandatory requirement for government contracts is the headline, but supply chain pressure has pushed Cyber Essentials well beyond the public sector. Prime contractors – the direct government suppliers – are increasingly requiring their own supply chains to hold the certification as a condition of doing business. If you supply goods or services to any organisation that holds a government contract, you may already be facing this requirement contractually.

Defence supply chains have been particularly active in pushing this down to tier-two and tier-three suppliers. Financial services and healthcare are moving in the same direction, with insurers applying pressure from the other side. The practical effect is that the certification is becoming a baseline expectation in a growing number of sectors – not because the law requires it, but because buyers do.

How to certify: self-assessment vs Plus, timeline and who certifies

Cyber Essentials is the self-assessment route. You complete a questionnaire describing your IT environment and the controls you have in place. A certifying body – an organisation accredited by IASME – reviews your responses. If they're satisfied, you receive a certificate. There's no independent technical testing of your systems. The process is faster and lower-cost than Plus, and it's the level required for the majority of government contracts and supply chain requirements.

Cyber Essentials Plus requires everything above, plus an independent technical audit. An assessor carries out external vulnerability scanning, tests devices within scope to verify that endpoint protection and patch levels match what you've described, and reviews configuration settings hands-on. It provides a meaningfully higher level of assurance – and it's the level some clients and contracts specifically require.

For a typical SME with a reasonably well-managed IT environment, the time from starting preparation to receiving a Cyber Essentials certificate is two to six weeks. Organisations that need significant remediation – particularly on MFA or cloud scope – should allow longer. Starting now, before April, leaves enough runway to remediate against the current standard and still submit in time.

Common pitfalls that cause assessments to fail

Scope confusion is the most frequent cause of failed assessments. Organisations define their scope too narrowly – excluding cloud services, remote worker devices or subsidiary systems – and are then questioned by the assessor about assets that should have been included. Getting the scope right before you start is more important than getting through the questionnaire quickly.

BYOD (bring your own device) arrangements create particular difficulty. If personal devices can access corporate systems – email, file shares, business applications – they're in scope. Demonstrating that controls apply to hardware you don't own and can't fully manage is genuinely difficult. Either the devices need to come under managed control, or the network access arrangements need to be structured so that personal devices can't reach in-scope systems.

Unmanaged cloud services are a consistent gap. If a team has been using a cloud platform that central IT wasn't aware of, it almost certainly isn't covered by the controls you've described in your assessment. Cloud asset discovery, done thoroughly, eliminates this risk before the assessor finds it.

Preparing for Cyber Essentials certification? Route B helps businesses get certified – from gap analysis and scoping to remediation and submission.
