New Cyber Essentials Changes Announced for April 2026
- The Assessor Team
- Feb 16

The governing body for the Cyber Essentials scheme, IASME Consortium Ltd, has announced important updates to the scheme that will take effect in April 2026.
These new Cyber Essentials changes affect the question set, marking guidance, certification process and supporting documentation. If your organisation is preparing for renewal or exploring how to get Cyber Essentials certified for the first time, it is essential to understand what is changing.
You can read the official announcement from IASME here:
You should also review the updated requirements document published by the National Cyber Security Centre (NCSC): Cyber Essentials Requirements for IT Infrastructure v3.3
When Do the Changes Apply?
The updated scheme will apply to all new assessment accounts created on or after 27 April 2026.
Organisations with accounts created before that date will have six months to complete certification under the current version of the scheme.
What Are the New Cyber Essentials Changes?
The April 2026 update introduces several significant adjustments to strengthen assurance, improve clarity and tighten compliance expectations.
1. Stricter Marking and New Auto-Fail Questions
IASME has introduced additional automatic failure conditions within the assessment.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication must now be enabled for all cloud services where it is available.
This applies regardless of whether MFA is:
- Included as standard
- Available at additional cost
- Optional within a subscription tier
If MFA is available but not enabled, the assessment will result in an automatic failure.
Update Management – 14 Day Requirement
Two new auto-fail questions relate to the installation of high-risk or critical security updates.
Organisations must ensure that:
- High-risk or critical security updates for operating systems and router/firewall firmware are installed within 14 days of release.
- High-risk or critical security updates for applications (including extensions and associated files) are installed within 14 days of release.
Failure to meet this requirement will result in automatic failure.
2. Improvements to Scope Transparency
IASME has made several changes to improve clarity around certification scope:
- Certificates will allow unlimited scope descriptions.
- Organisations must describe any out-of-scope areas and explain how they are segregated.
- Certificates will list the legal entity name, address and company number.
- It will be possible to request new certificate types per legal entity within a wider scope (subject to a small charge).
These changes improve transparency about what is and is not covered by certification.
3. Clarification of “Point in Time” Certification
Cyber Essentials certification is a snapshot of compliance.
IASME has clarified that the “point in time” is the certificate issue date.
Systems must be fully supported and compliant on the date the certificate is issued.
4. Updated Declaration of Compliance
The declaration signed by a board member or director has been updated.
It now explicitly confirms a commitment to maintain compliance throughout the certification period, not just at the time of assessment.
Cyber Essentials Plus Updates
The changes also affect Cyber Essentials Plus assessments:
- Where update management failures are identified, corrective action must apply across the entire scope, not just the sampled devices.
- If a retest fails, the verified self-assessment certificate may be revoked.
- Organisations will no longer be permitted to adjust their verified self-assessment answers once Cyber Essentials Plus testing has begun.
These updates strengthen the integrity of the certification process.
Updates in the Requirements for IT Infrastructure v3.3
The updated Requirements for IT Infrastructure document includes several clarifications:
- A clear definition of cloud services has been added.
- Cloud services that process organisational data or deliver organisational services must be in scope.
- Qualifiers such as “untrusted” and “user-initiated” have been removed from scope definitions.
- The Web Applications control has been expanded and renamed Application Development, referencing the UK Government Software Security Code of Practice.
- Backup guidance has been repositioned earlier in the document to emphasise its importance.
- The User Access Control section highlights modern authentication methods, including passwordless approaches and passkeys.
All organisations certifying for Cyber Essentials should review the full v3.3 document carefully.
How to Get Cyber Essentials Certified Under the New Rules
With stricter auto-fail questions and tighter timelines, preparation is now more important than ever.
At GetCyberCertified, our Cyber Essentials Supported service is specifically designed to remove risk from the process.
Our supported service includes:
- A structured gap analysis against the current question set and marking guidance
- Clear remediation guidance
- A managed remediation loop
- Submission for marking only when compliance is confirmed
This controlled approach means applicants only submit once we are confident they meet the requirements. In practice, this results in clients achieving certification first time when certifying through our supported service.
With the new Cyber Essentials changes introducing additional automatic failure conditions, this structured pre-submission assurance is a great way of ensuring your organisation meets the Cyber Essentials standard. Feel free to explore our supported service using the link below.
Preparing for April 2026
If you are:
- Renewing in 2026
- Preparing for first-time certification
- Planning to upgrade to Cyber Essentials Plus
Now is the time to review the updated requirements and assess any gaps.
The April 2026 update is one of the more significant scheme refinements in recent years. Understanding the changes early will ensure a smoother path when certifying for Cyber Essentials under the revised framework.
If you would like support navigating the updated requirements, our team is ready to help. Email team@getcybercertified.co.uk or call us on 0333 339 0383 and start your journey today!



