Cyber Essentials is changing
Every year, Cyber Essentials is reviewed and aligned to evolving cyber threats, ensuring that it provides a comprehensive security standard for organisations in the UK.
IASME and the National Cyber Security Centre have collaborated to make significant updates to the scheme that will provide clarity, consistency and effectiveness, while maintaining the five core controls:
- Boundary firewalls and internet gateways
- Secure configurations
- Access controls
- Malware protection
- Patch management
What’s changing in Cyber Essentials in April 2026?
Mandatory MFA
Multi-factor authentication (MFA) is mandatory for all user and admin access to cloud services. If MFA is available but not enabled, it is an automatic fail.
Stricter patching
High-risk and critical patches (including firmware) must be applied within 14 days of release.
Cloud scope clarification
Cloud services (SaaS, PaaS, IaaS) are now explicitly included in scope. If you use it to store or process data, it must be protected.
Improved scoping and transparency
Organisations must provide a detailed scope description on their certificates and define all legal entities included.
New assessment questionnaire
The “Danzell” question set replaces the “Willow” set, providing clearer, more precise requirements.
Cyber Essentials Plus (CE+) changes
- No post-test changes: Self-assessment answers cannot be modified once CE+ testing begins.
- Wider remediation: If patching failures are found during CE+ sampling, the fix must be applied to the entire environment, not just the test sample.
What do these changes mean?
These updates will ensure that your organisation is more secure in the future, but the immediate impact will be on renewals from the end of April onwards, which may take longer. Engage with your certificate provider sooner, start looking for any gaps in MFA, cloud infrastructure and patching, make sure all devices are fully supported and updated, and expect more detailed evidence requests.

Russell Gower-Leech
Cybersecurity Manager
Russell Gower-Leech is the Cybersecurity Manager at Select Technology, leading the delivery of robust, standards-led cybersecurity strategies for organisations across Kent and the South East.
He works closely with business leaders to strengthen security posture, reduce cyber risk, and embed effective security practices that protect operations, data, and people. Russell is known for cutting through complexity, translating technical risk into clear, actionable guidance that supports confident decision-making.
A certified assessor for Cyber Essentials, Russell brings over 18 years’ experience in technical solutions architecture and cybersecurity leadership. He actively monitors the evolving threat landscape and emerging technologies to ensure clients remain resilient against modern cyber threats. His areas of expertise include cybersecurity strategy, Microsoft 365 security, cloud platforms, information security, and IT governance.