BLUESTONE CYBER

Cyber Essentials in 2026: What's Actually Changed and Why It Matters

6 min read · 8 April 2026

If you passed Cyber Essentials last year and assumed this year's renewal would be more of the same, you need to read this.

The scheme has gone through two rounds of changes. One landed in April 2025, the other takes effect on 27 April 2026. Together they represent the sharpest tightening since Cyber Essentials launched in 2014. The framework still covers the same five technical controls. The questions haven't been rewritten from scratch. But the way your answers are judged has changed, and for the first time, certain gaps will trigger an automatic failure.

A quick reminder: what Cyber Essentials covers

Cyber Essentials tests five areas of basic security hygiene:

1. Firewalls, controlling what gets in and out of your network
2. Secure configuration, making sure defaults are changed, unnecessary services are off, devices are locked down from the start
3. Access control, limiting who can reach what based on their role
4. Malware protection, running active defences against ransomware, trojans, and the rest
5. Patch management, keeping software, operating systems, and firmware current

None of that has changed. The five controls still form the backbone of the scheme. What has changed is how strictly they're assessed, and how much room you have to work around them.

What changed in April 2025

The 2025 update introduced the Willow question set, replacing the previous Montellier set. If you certified after 28 April 2025, you've already been assessed against these rules. The main changes:

Remote working is now fully in scope. The old scheme talked about “home working.” The new wording says “remote working,” which means untrusted networks like hotel Wi-Fi and coffee shops are explicitly covered. Every device used for business, whether company-issued or personal, is included. If you supplied a router to a remote worker, that's in scope too.

Network equipment needs documenting. You now need to list specific makes and models of your routers, firewalls, and anything else that controls data flow to the internet. A vague reference to “our firewall” won't cut it.

Passwordless authentication is accepted. The scheme now recognises biometrics, security keys, and push notifications as valid authentication methods. About time.

Software licensing matters. Unlicensed software no longer counts as “supported,” even if it technically still receives updates. And if a vendor issues a configuration change to mitigate a critical vulnerability, that now counts as a required patch, not just an optional recommendation.

Most of these changes reflected the way people already work. They tidied up loose language and closed a few obvious gaps. The 2026 update goes much further.

What changes on 27 April 2026

This is where it gets serious. The April 2026 update introduces automatic failure criteria. Specific things that, if missing, will fail your assessment outright. No partial credit. No creative answers on the questionnaire.

MFA on every cloud service, or you fail

If a cloud service you use offers multi-factor authentication, it must be enabled for every user.

It doesn't matter whether MFA is included free or sits behind a paid tier. If the option exists, you have to use it. The only valid exclusion is a platform that genuinely doesn't support MFA at all, and you'll need to justify why you're still using it.

This is going to catch businesses that turned on MFA for their admin accounts but left standard users on password-only. It will also trip up organisations where a handful of staff never completed their MFA registration, or where legacy authentication protocols are still enabled. Legacy auth lets users bypass MFA entirely, and assessors know it.

Critical patches within 14 days, or you fail

High-risk and critical security patches for operating systems and network hardware (routers, firewalls, switches) must be applied within 14 days of release. Miss that window and you fail automatically.

The problem here isn't the policy. Most businesses would agree that critical patches should go on quickly. The problem is proving it. If your patching relies on users clicking “update later” on their laptops, or if your RMM dashboard says everything is green but a manual check would find machines that silently failed to update, you have a problem.

Third-party application patching is the blind spot most people miss. Windows Update might be running fine, but Chrome, Zoom, Adobe Reader, and other common apps routinely fall through the cracks.

Cloud services can't be excluded any more

In previous years, some organisations found ways to scope out their cloud platforms by arguing they didn't “manage” them directly. That door is shut. Any cloud service that holds your organisation's data (Microsoft 365, Google Workspace, Xero, Sage, HubSpot, whatever you use) is automatically in scope.

Development environments and AI tools are in scope too, which is new. And the bar for justifying any exclusion has been raised. Vague or generic reasons won't be accepted. You need a specific, technical explanation for anything you leave out.

Other 2026 changes worth knowing

If you're renewing just before the 2026 deadline under the old rules, your window to complete the assessment has dropped from 12 months to 6 months. And scoping justifications are being scrutinised harder across the board. Saying “we don't manage that” or “it's handled by our provider” isn't going to fly. Assessors are actively looking for woolly answers.

Why this matters beyond compliance

The instinct with any certification change is to treat it as a compliance headache, something you deal with to tick a box and move on. That would be a mistake here.

Cyber Essentials is now a standard procurement filter for government bodies, local councils, and a growing number of large corporates. If you don't hold the badge, you're screened out before anyone reads your proposal. During our research for this article, we came across one business owner who lost a contract worth over £50,000. Not because their work was inferior, but because a competitor had the certification and they didn't.

Supply chains are tightening in the same direction. If you're a critical supplier to a bigger company, expect detailed security questionnaires, sometimes running to a hundred questions or more. Holding Cyber Essentials (or better, Cyber Essentials Plus) gives you a credible baseline to point to.

And then there's insurance. Cyber insurance underwriters have tightened their requirements in step with the scheme changes. They're asking about MFA enforcement, patching timelines, scoping. The exact areas the 2026 update focuses on. Some certification bodies even include a year of free cyber insurance with a successful assessment, which tells you something about how closely these two worlds have converged.

Cyber Essentials vs. Cyber Essentials Plus

Standard Cyber Essentials is a self-assessment. You answer a questionnaire, and a certification body reviews your responses.

Cyber Essentials Plus adds independent verification. An assessor runs external vulnerability scans against your public-facing systems, performs internal scans on a sample of your devices, tests your email and browser security, verifies your MFA configuration, and checks whether admin privileges are properly separated.

The Plus assessment regularly catches things that self-assessment misses. The most common one: management tools reporting that everything is patched when individual machines have silently failed to update. Assessors call it the “lying dashboard” problem. Your RMM says green, the scan says otherwise.

If your certification is for a contract requirement or supply chain assurance, Plus carries significantly more weight. It tells a customer that an independent expert tested your defences, rather than you filling in a form saying they're fine.

What to do before your next assessment

If you're approaching certification or recertification this year, there are a handful of things worth sorting out sooner rather than later.

MFA is the obvious one. Go through every cloud service your business uses and confirm it's enabled for every user, not just the admins. Disable legacy authentication protocols in Microsoft 365 and anywhere else they might be lurking. And check that everyone has actually completed their enrolment. “Turned on” is not the same as “enforced.” We see that distinction trip people up more than anything else.
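The “turned on” versus “enforced” distinction can be checked mechanically. The script below is an added example, not code from the original article or from Bluestone Cyber: it takes a constructed per-user export (the field names are assumptions, not any vendor's schema) and reports each account that a policy skips, that never completed enrolment, or that can still sign in over a legacy protocol that cannot carry an MFA challenge.

```python
"""Audit a per-user MFA export against the 2026 Cyber Essentials criterion.
Constructed data stands in for a cloud service's authentication-methods
report; field names are assumptions, not any vendor's schema."""
from dataclasses import dataclass, field

# Protocols that cannot carry an MFA challenge: an account that may still use
# them bypasses MFA even after the user has registered a method.
LEGACY_PROTOCOLS = {"smtp_auth", "imap", "pop3", "activesync_basic"}


@dataclass
class UserRecord:
    upn: str
    is_admin: bool
    mfa_required_by_policy: bool  # "turned on": a policy targets this user
    mfa_registered: bool          # "enrolled": the user completed registration
    allowed_protocols: set = field(default_factory=set)


def audit_user(u: UserRecord) -> list[str]:
    """Findings for one account; an empty list means MFA is truly enforced."""
    findings = []
    if not u.mfa_required_by_policy:
        findings.append("MFA not required by policy")
    if not u.mfa_registered:
        findings.append("MFA enrolment not completed")
    legacy = sorted(u.allowed_protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy auth allowed: " + ", ".join(legacy))
    return findings


def audit_tenant(users) -> dict[str, list[str]]:
    """Map UPN -> findings for every account that is not fully enforced."""
    return {u.upn: f for u in users if (f := audit_user(u))}


# Constructed sample: admins done properly, standard users left behind.
SAMPLE_USERS = [
    UserRecord("admin@example.test", True, True, True),
    UserRecord("alice@example.test", False, True, True, {"modern"}),
    UserRecord("bob@example.test", False, True, False, {"modern"}),      # never enrolled
    UserRecord("carol@example.test", False, False, True, {"modern"}),    # policy skips her
    UserRecord("scanner@example.test", False, True, True, {"smtp_auth"}),  # legacy bypass
]

if __name__ == "__main__":
    for upn, findings in audit_tenant(SAMPLE_USERS).items():
        print(f"{upn}: {'; '.join(findings)}")
```

Any account the report lists is one an assessor can point to as an automatic failure, whatever the tenant-level MFA toggle says.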

Patching is the next one, and the 14-day window is tighter than most people realise. Don't rely on dashboards alone. Run a manual check on a sample of machines to verify that what your tools report matches reality. Third-party applications are where it usually falls apart: Chrome, Adobe, Zoom, browser extensions. Windows Update can be running perfectly while everything else is months behind.
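One way to do that reconciliation, as an added example that is not from the original article or from Bluestone Cyber: compare what the RMM dashboard claims for a sampled machine against what a technician actually found installed, and flag anything outside the 14-day window. All data is constructed, and the patch identifiers are placeholders rather than real advisories.

```python
"""Reconcile an RMM patch dashboard against a manual sample and the 14-day window.
Constructed data stands in for (a) the dashboard export and (b) what a technician
found by checking each sampled machine by hand; patch IDs are placeholders."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)

# Critical/high patches with release dates (constructed placeholders).
CRITICAL_PATCHES = {
    "OS-2026-001": date(2026, 3, 10),
    "CHROME-2026-07": date(2026, 3, 20),
}

# Dashboard export: machine -> status the RMM reports (constructed).
RMM_REPORT = {
    "LAPTOP-01": "compliant",
    "LAPTOP-02": "compliant",
    "LAPTOP-03": "pending reboot",
}

# Manual check: machine -> patches actually present (constructed).
MANUAL_CHECK = {
    "LAPTOP-01": {"OS-2026-001", "CHROME-2026-07"},
    "LAPTOP-02": {"OS-2026-001"},  # Chrome never updated; dashboard still green
    "LAPTOP-03": set(),
}

def overdue_patches(installed, as_of):
    """Critical patches not installed whose 14-day window has already closed."""
    return sorted(p for p, released in CRITICAL_PATCHES.items()
                  if p not in installed and as_of - released > PATCH_WINDOW)

def reconcile(rmm, manual, as_of):
    """Machine -> findings; flags overdue patches and dashboard drift separately."""
    findings = {}
    for machine, installed in manual.items():
        issues = []
        overdue = overdue_patches(installed, as_of)
        if overdue:
            issues.append("overdue: " + ", ".join(overdue))
            if rmm.get(machine) == "compliant":
                issues.append("dashboard reports compliant: lying dashboard")
        if issues:
            findings[machine] = issues
    return findings

if __name__ == "__main__":
    for machine, issues in reconcile(RMM_REPORT, MANUAL_CHECK, date(2026, 4, 8)).items():
        print(machine, "->", "; ".join(issues))
```

The second finding on LAPTOP-02 is the “lying dashboard” case: the tool reports green while a critical third-party patch is weeks overdue.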

Scoping needs a proper review. List every cloud service that holds company data, every device used for business (including personal devices), and every remote working arrangement. Assume it's all in scope unless you can give a specific, technical reason why something should be excluded.

Legacy systems are still passable if handled correctly. An old machine controlling specialist equipment, for example, can stay in scope as long as it's network-segmented, stripped to minimum functionality, fully documented, and you have a written plan for replacing it.

The admin privilege issue is worth mentioning because it's one of the most common failure points and one of the easiest to fix. Nobody should be reading email or browsing the web on an account with admin rights. Just stop doing it.

And finally, before the real assessment, run your own vulnerability scan (internal and external) to catch anything an assessor would find. Better to discover the problems on your own terms than have them handed to you in a failure report.

Where this is heading

The 2026 changes aren't happening in isolation. Since 2014, Cyber Essentials has gradually moved from a “good enough” standard to something closer to genuine verification. The auto-fail criteria are new, but the direction has been clear for a while. Less tolerance for vague answers, tighter scoping, higher burden of proof.

None of this requires a massive transformation programme. The five controls haven't changed. The fundamentals are the same as they were a decade ago. What's changed is that you actually have to prove you're doing them, properly and consistently, across your whole environment. For businesses that have been treating certification as an annual formality without much changing underneath, 2026 is the year that stops working.

Frankly, it's overdue.

Bluestone Cyber helps UK businesses achieve and maintain Cyber Essentials and Cyber Essentials Plus certification as part of our security assessment services. If you're preparing for certification or unsure how the 2026 changes affect you, get in touch. We'll tell you exactly where you stand.