
The April 2026 Cyber Essentials Requirements

What You Need to Know From Today

Published: 27 April 2026 | Mark Kindred, Senior Assessor, Get Cyber Certified


If you are reading this today, the April 2026 Cyber Essentials question set is now live. From today — 27 April 2026 — all new Cyber Essentials assessment accounts will be created against the updated question set, and the requirements have changed in some important ways.


I have been assessing Cyber Essentials since the scheme launched in 2014, and this is one of the more significant updates we have seen. The April 27th Cyber Essentials question set introduces new automatic failure conditions, tightens the rules around cloud services and MFA, and brings greater transparency requirements to the certification scope. If you are renewing your certification or applying for the first time, you need to understand what has changed before you begin.


In this article I will walk you through everything you need to know about the new Cyber Essentials requirements so you can approach your assessment with confidence.


Who Does This Apply To?


The new April 2026 Cyber Essentials question set applies to all new assessment accounts created on or after 27 April 2026.


If your organisation already had an account open before today, you have a six-month window to complete your assessment under the previous version of the scheme. However, I would encourage you not to treat that as an excuse to delay — the sooner you understand the new requirements, the better placed you will be.


For anyone starting fresh from today, the updated question set and the new marking guidance apply in full.


Where to Find the Official Documentation


Before I go into the detail, here are the two documents you should have open alongside this article: the NCSC Cyber Essentials requirements document (v3.3, dated April 2026, which replaces v3.2) and the IASME differences document.

Both are essential reading. The NCSC document is the authoritative technical standard. The IASME differences document maps the specific question-by-question changes so you can see exactly what has been added, removed, or reworded.


What Has Changed in the April 2026 Cyber Essentials Question Set?


1. New Auto-Fail Questions — MFA on Cloud Services

This is the change I expect to catch the most organisations out.


Multi-Factor Authentication (MFA) must now be enabled for all cloud services where it is available. The v3.3 requirements document is explicit on this point: authentication to cloud services must always use MFA.


Critically, "available" is interpreted broadly. It does not matter whether MFA:

  • Comes included in your subscription as standard

  • Is offered as an optional add-on at extra cost

  • Is listed as a feature you have not yet activated


If MFA is available to you within your cloud service, and it is not enabled, your assessment will result in an automatic failure. Full stop.


I have seen many organisations — particularly smaller businesses — who have Microsoft 365, Google Workspace, or other SaaS platforms configured without MFA enabled across all accounts. Under the April 27th Cyber Essentials question set, that is no longer a risk you can carry into certification. It must be resolved before you submit.


The v3.3 document also clarifies that FIDO2 authenticators are now explicitly recognised as a form of MFA, and passkeys are acknowledged as a passwordless authentication method, a welcome modernisation that reflects where authentication technology has moved.


2. New Auto-Fail Questions — 14-Day Patching for Applications

The 14-day patching requirement for high-risk and critical security updates is not new — but what is new in the April 2026 question set is that two separate auto-fail questions now cover this area explicitly:

  1. Operating systems and router/firewall firmware — high-risk or critical security updates must be applied within 14 days of release.

  2. Applications (including extensions and associated files) — high-risk or critical security updates must also be applied within 14 days of release.


The v3.3 requirements document defines "high-risk or critical" as updates that:

  • Are described by the vendor as critical or high risk, or

  • Address vulnerabilities with a CVSS v3 base score of 7.0 or above, or

  • Come without any vendor severity rating at all (in which case you must treat them as high risk)


A practical point worth noting: where a vendor bundles a single update that covers vulnerabilities of mixed severity levels, and any one of those vulnerabilities is critical or high risk, the entire update must be applied within the 14-day window. You cannot defer a patch bundle simply because some of its contents are lower severity.
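The three tests above, plus the bundle rule, are easy to get wrong in a spreadsheet. The following Python script is an added example, not code from the article, NCSC or IASME, that applies those rules to an inventory of updates and reports where each one stands against the 14-day window on a given date. It assumes that an update "without any vendor severity rating" means one with neither a vendor severity label nor a CVSS v3 score, that vendor labels are already normalised to critical/high/medium/low, and that day 14 after release is still inside the window; all sample updates and names are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14      # Cyber Essentials window for high-risk/critical updates
CVSS_HIGH_THRESHOLD = 7.0   # CVSS v3 base score at or above this counts as high risk


@dataclass
class Vulnerability:
    # Vendor label normalised to critical/high/medium/low; None if the vendor gave none
    vendor_severity: Optional[str] = None
    # CVSS v3 base score if published; None if not
    cvss_v3_base: Optional[float] = None


@dataclass
class Update:
    name: str
    released: date
    vulns: List[Vulnerability] = field(default_factory=list)
    applied: Optional[date] = None   # None means not yet installed on all in-scope devices


def is_high_risk(vuln: Vulnerability) -> bool:
    """Apply the three v3.3 tests: vendor says critical/high, CVSS v3 >= 7.0,
    or no vendor rating at all (assumption: no label and no CVSS score)."""
    label = (vuln.vendor_severity or "").strip().lower()
    if label in ("critical", "high"):
        return True
    if vuln.cvss_v3_base is not None and vuln.cvss_v3_base >= CVSS_HIGH_THRESHOLD:
        return True
    if not label and vuln.cvss_v3_base is None:
        return True   # unrated: must be treated as high risk
    return False


def update_is_mandatory(update: Update) -> bool:
    """Bundle rule: one high-risk fix anywhere in the update makes the whole update mandatory."""
    return any(is_high_risk(v) for v in update.vulns)


def deadline(update: Update) -> date:
    """Last day on which installation still satisfies the 14-day requirement (inclusive, assumption)."""
    return update.released + timedelta(days=PATCH_WINDOW_DAYS)


def assess(update: Update, today: date) -> str:
    """Classify an update as of 'today' (the certificate issue date is the one that matters)."""
    if not update_is_mandatory(update):
        return "not-mandatory"
    due = deadline(update)
    if update.applied is not None:
        return "compliant" if update.applied <= due else "applied-late"
    return "pending" if today <= due else "overdue"


def report(updates: List[Update], today: date) -> Dict[str, str]:
    return {u.name: assess(u, today) for u in updates}


# Constructed sample inventory (hypothetical product names and dates)
SAMPLE_UPDATES = [
    # Mixed-severity bundle: the low-risk fix does not let you defer it
    Update("os-cumulative-2026-04", date(2026, 4, 1),
           [Vulnerability("critical", 9.8), Vulnerability("low", 3.1)], applied=date(2026, 4, 10)),
    # Vendor published no severity and no CVSS: treat as high risk
    Update("browser-140", date(2026, 4, 5), [Vulnerability(None, None)]),
    # Medium only: outside the 14-day rule (still sensible to apply promptly)
    Update("pdf-reader-11.2", date(2026, 4, 20), [Vulnerability("medium", 6.5)]),
    # No vendor label but a CVSS score of 7.5: high risk by score
    Update("router-fw-2.8.1", date(2026, 4, 15), [Vulnerability(None, 7.5)]),
    # Rated high, installed five days after the window closed
    Update("office-suite-2604", date(2026, 4, 1), [Vulnerability("high", None)], applied=date(2026, 4, 20)),
]

if __name__ == "__main__":
    for name, status in report(SAMPLE_UPDATES, date(2026, 4, 27)).items():
        print(f"{name:24s} {status}")
```

Run the script with your own inventory in place of the constructed sample and a "today" equal to the expected certificate issue date; anything reported as overdue or applied-late is an auto-fail candidate under the two new questions, and anything pending tells you how many days you have left.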


3. Cloud Services — Now Definitively in Scope, No Exceptions

The April 2026 Cyber Essentials question set removes any ambiguity that may have existed in previous versions. The v3.3 requirements document states clearly:

Cloud services cannot be excluded from scope.

If your organisation's data or services are hosted in cloud platforms — whether that is IaaS, PaaS, or SaaS — those services are in scope. This is not optional and it is not negotiable.

The document now also provides a formal definition of what constitutes a cloud service:

An on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet, accessed via an account, that stores or processes data for your organisation.

This definition is important because it removes the grey area that some organisations have tried to exploit by arguing that certain platforms were not "really" cloud services. If it fits that definition — and most modern business platforms do — it is in scope.


The update also removes the qualifiers "untrusted" and "user-initiated" from scope definitions, which simplifies and strengthens the scoping rules.


4. Greater Scope Transparency

The April 27th Cyber Essentials question set introduces new requirements around how certification scope is described and documented:

  • Certificates will now permit unlimited scope descriptions, giving organisations the space to properly articulate what is and is not covered.

  • Where parts of your infrastructure are out of scope, you must describe them and explain how they are segregated from in-scope systems.

  • Certificates will now display the legal entity name, address and company registration number.

  • It will be possible to request new certificate types per legal entity within a wider organisational scope (subject to a small additional charge).


I welcome these changes. Greater transparency about what a certificate actually covers benefits everyone — the certified organisation, their customers, and their supply chain partners who rely on the certificate as a trust signal.


5. "Point in Time" Certification — Clarified

Cyber Essentials has always been a point-in-time certification, but there has sometimes been ambiguity about what "point in time" actually means.


The April 2026 update clarifies this definitively: the point in time is the certificate issue date.

This means all systems within scope must be fully supported, compliant, and meet the requirements on the date the certificate is actually issued — not the date you complete the self-assessment questionnaire, and not the date you submit your application. If you are cutting it close on patching or device support status, that is the date that matters.


6. Updated Board-Level Declaration

The declaration of compliance signed by a board member or director has been updated for the new question set.


The updated declaration now includes an explicit commitment to maintain compliance throughout the certification period — not just at the moment the assessment is completed. This is a meaningful change. It formalises the expectation that Cyber Essentials is an ongoing commitment, not a one-time exercise you complete and forget about until next year's renewal.


7. Changes to Secure Configuration

The v3.3 document updates the Secure Configuration control to reference Software as a Service (SaaS) explicitly across the control's scope. Secure configuration now applies to servers, desktop computers, laptops, tablets, mobile phones, thin clients, IaaS, PaaS, and SaaS — a broader application than in previous versions.


The device unlocking section has also been tightened. Where credentials used to unlock a device are also used for authentication, the full password requirements from the User Access Control section must be applied to those credentials.



8. Updates to Software Development Scope

The Web Applications control has been renamed and expanded. It is now called Application Development and references the UK Government's Software Security Code of Practice.


The updated v3.3 document clarifies that publicly available commercial web applications are in scope by default, while bespoke and custom components are out of scope. The expectation is that custom development follows the Software Security Code of Practice as a mitigation for application-layer vulnerabilities.


9. Changes Affecting Cyber Essentials Plus

If you are planning a Cyber Essentials Plus assessment — or if your self-assessment certification was tested at Plus level — there are additional changes you need to be aware of:

  • Where update management failures are identified during Plus testing, corrective action must apply across the entire scope, not just the sampled devices on which the failure was found.

  • If a retest following Plus testing fails, your verified self-assessment certificate may be revoked.

  • Organisations will no longer be permitted to amend their self-assessment answers once Cyber Essentials Plus testing has begun.


That last point is particularly important. I would strongly advise any organisation planning a Plus assessment to ensure their self-assessment answers are accurate and complete before Plus testing commences — there will be no opportunity to correct them once it has started.


What Has Not Changed

The five technical control areas remain the same:

  1. Firewalls

  2. Secure Configuration

  3. Security Update Management

  4. User Access Control

  5. Malware Protection


The fundamental structure of the scheme — a self-assessment questionnaire marked by an accredited certification body, with an optional Plus level involving independent technical testing — is unchanged. The IASME Consortium remains the governing body. Certification bodies like Get Cyber Certified remain the point of contact for organisations seeking certification.


My Practical Advice Before You Start

Having worked with the Cyber Essentials scheme since 2014, here is my practical guidance for anyone approaching the April 2026 Cyber Essentials question set:


Check your cloud services for MFA first. Audit every cloud platform your organisation uses and confirm MFA is enabled. This is your highest-risk auto-fail area and the one I see causing the most problems in assessment.


Review your patching process. Do you have a documented, evidenced process for identifying and applying high-risk and critical updates within 14 days? If not, put one in place now — before you start your assessment.


Document your scope properly. The new requirements expect you to articulate your scope clearly, including any out-of-scope areas and the segregation controls in place. Take time to think this through before you start the questionnaire.


Check device support status. All software on in-scope devices must be licensed and supported on the date your certificate is issued. Unsupported software — even on a single device — is a failure.


Ensure your board-level signatory understands what they are committing to. The updated declaration is a meaningful commitment. The person signing it should understand the new ongoing compliance expectation.


Check the NCSC and IASME blog pages and articles. This guide is designed to signpost the changes and direct you to the official support pages at NCSC and IASME. See the further reading section below.



How Get Cyber Certified Can Help

At Get Cyber Certified, our Cyber Essentials Supported service is designed specifically to take the risk and uncertainty out of this process.


We carry out a structured gap analysis against the new question set and marking guidance before you submit anything. Where gaps exist, we provide clear remediation guidance. We only submit your application for marking once we are confident you meet the requirements.


In practice, this means clients using our supported service achieve certification first time. With the new auto-fail conditions introduced in the April 2026 question set, that pre-submission assurance is more valuable than ever.


If you would like to discuss your situation before you get started, you are welcome to contact us directly:

📧 team@getcybercertified.co.uk 📞 0333 339 0383


Further Reading


Mark Kindred is a Senior Assessor at Get Cyber Certified (getcybercertified.co.uk), an IASME-accredited Cyber Essentials certification body. He has been assessing Cyber Essentials since the scheme's inception in 2014 and is a founding IASME member. This article is intended to signpost the NCSC and IASME official guidance. Neither Get Cyber Certified nor Mark Kindred is liable for any inaccuracies in this article.
