Cyber essentials update 2026

Cyber Essentials Will Change in April 2026: What Your Company Should Know 


Cyber threats are constantly evolving, and security frameworks must evolve with them. From 27 April 2026, organisations applying for Cyber Essentials certification will be assessed against an updated version of the framework designed to reflect modern IT environments, increased cloud adoption and the growing importance of identity security. 

While the fundamental principles behind Cyber Essentials remain unchanged, the new requirements will affect how organisations prepare for certification and how their technology environments are assessed. Businesses planning to certify or renew in 2026 should begin preparing now to avoid delays, remediation work or failed assessments. 

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against common cyber threats. The framework provides a baseline set of security controls that organisations must implement to demonstrate they are managing cyber risk effectively. 

The certification focuses on several core areas of cyber security, including network protection, secure system configuration, access management, malware protection and keeping systems updated with security patches. For many organisations, Cyber Essentials has become an important trust signal, particularly when working with government contracts, regulated industries or security-conscious clients. 

What’s Changing in April 2026?

The upcoming update introduces refinements intended to strengthen security and clarify expectations for organisations operating in increasingly complex digital environments. One of the most significant changes relates to the role of cloud services in the certification process. 

Cloud Services Will Be Fully in Scope 

Many organisations now rely heavily on cloud platforms to store and manage their business data. The updated requirements make it clear that these services must be included within the Cyber Essentials assessment scope. 

Platforms such as Microsoft 365, Google Workspace and cloud infrastructure providers like Microsoft Azure or Amazon Web Services will need to be properly secured and considered as part of the organisation’s certification. While cloud providers are responsible for the security of the infrastructure itself, organisations remain responsible for how these platforms are configured, accessed and managed. 

For businesses that rely heavily on cloud collaboration and data platforms, this change will likely increase the scope of the assessment and require closer attention to configuration, permissions and governance. 

Multi-Factor Authentication Becomes Mandatory 

Identity security is another area receiving greater attention in the updated framework. Multi-factor authentication (MFA) will now be required wherever it is available, particularly for administrator accounts, remote access systems and cloud services. 

This reflects the reality that compromised credentials remain one of the most common causes of cyber incidents. By requiring MFA as a standard security measure, the updated framework aims to significantly reduce the risk of unauthorised access resulting from phishing attacks or weak passwords. 

For organisations that have not yet implemented MFA consistently across their platforms, this will be an important step in preparing for certification. 

Clearer Guidance on Assessment Scope 

Another update focuses on improving clarity around what should be included within the Cyber Essentials scope. Any device or system that connects to the internet, manages network traffic or accesses company data may need to be included in the assessment unless there is a clearly defined and segregated environment. 

As hybrid and remote working environments become the norm, this means organisations may need to review how laptops, remote devices and cloud-connected systems are managed. Ensuring devices are properly secured, patched and monitored will be critical in meeting the new requirements. 

Greater Focus on Secure Application Development 

The updated framework also expands the previous “Web Applications” section into a broader focus on application development security. This change aligns the scheme more closely with modern software security practices and the UK government’s broader guidance around secure development. 

Organisations that develop or host applications internally will be expected to demonstrate stronger practices around vulnerability management, patching and secure coding standards. This ensures that security is considered not only at the infrastructure level but also within the applications that process organisational data. 

Increased Emphasis on Backups and Recovery 

The 2026 update also reinforces the importance of effective backup and recovery processes. With ransomware attacks continuing to target organisations of all sizes, having reliable backups is now seen as a critical component of cyber resilience. 

Organisations will need to demonstrate that backup processes are in place, regularly maintained and capable of restoring systems following an incident. Beyond simply creating backups, businesses should also ensure recovery procedures are documented and tested so operations can be restored quickly if a cyber attack occurs. 

Changes to Cyber Essentials Plus

The changes also extend to Cyber Essentials Plus, the independently verified version of the certification. The updated process introduces stricter controls to ensure that security practices apply across the entire environment rather than just the devices selected for testing. 

Organisations will also need to confirm that their self-assessment information remains accurate throughout the certification process. Once Cyber Essentials Plus testing begins, the information submitted cannot be altered, which increases the importance of preparing thoroughly before starting the assessment. 

When Do the Changes Take Effect?

The updated requirements will apply to all Cyber Essentials assessments created from 27 April 2026 onwards. Organisations beginning their certification process before this date can still complete their assessment under the current version, provided it is finalised within the standard timeframe. 

For businesses planning certification or renewal later in the year, it may be worth reviewing internal systems now to determine whether they are ready for the updated requirements. 

Preparing for the New Cyber Essentials Requirements

Although the changes are not a complete overhaul of the scheme, they do highlight a shift toward stronger cloud security, identity protection and operational resilience. Organisations that rely heavily on cloud platforms or hybrid working models may need to take a closer look at how their environments are configured and secured. 

Early preparation is the best way to ensure the transition to the updated framework is smooth. Reviewing access controls, confirming that multi-factor authentication is enabled and ensuring systems are properly patched will all help reduce the risk of issues during certification. 

How 101 Data Solutions Can Help

At 101 Data Solutions, we help organisations build secure, well-governed data environments that support both operational efficiency and regulatory compliance. 

With Cyber Essentials placing greater emphasis on cloud services and access management, having properly configured data platforms is more important than ever. Our team works with organisations to ensure platforms such as SharePoint and Microsoft 365 are structured, secured and governed in a way that supports both cyber security and modern collaboration. 

As the April 2026 changes approach, organisations that invest in the right data and governance foundations now will be far better positioned to meet the new requirements and maintain a strong security posture. 

Not sure if your organisation is ready for the 2026 Cyber Essentials updates?

Speak to the team at 101 Data Solutions to review your environment and ensure your systems are secure, compliant and ready for certification.