
Dolphin IT Solutions

Cyber Essentials Plus changes are coming in April 2026 — what UK businesses need to do now

Joshua White, updated Tue Apr 21 2026, 10 min read

Cybersecurity is no longer a problem reserved for large enterprises. The UK government’s latest campaign is explicitly aimed at smaller firms, warning that cyber criminals look for weak points, not just famous brands.

The numbers behind that message are hard to ignore: the government says cyber threats cost UK businesses £14.7 billion a year, with significant incidents costing an average of £195,000 each.

Around half of the UK’s small businesses have experienced a breach or cyberattack in the last year. A ministerial letter to small businesses published last November also says that 35% of micro businesses reported phishing attacks in the previous year.

That is exactly why Cyber Essentials still matters: it provides organisations with a practical baseline built around five technical controls: firewalls, secure configuration, security update management, user access control and malware protection. The Government is also pointing to a clear outcome: organisations with Cyber Essentials accreditation are far less likely to make a cyber insurance claim, which is a strong signal that the scheme is doing what it was designed to do.

The Cyber Essentials framework is set to be updated on 27th April 2026, with a new version of the requirements and testing standards coming into effect. Organisations preparing for their Cyber Essentials assessment from this date onwards will be assessed under the new specification.

The headline change is not new controls: it is stricter assurance

The five core controls are not being replaced. What is changing is the level of evidence and consistency expected from organisations undertaking the accreditation. IASME says the updated framework is about removing ambiguity and tightening the marking criteria around critical controls.

One of the biggest changes is multi-factor authentication. Under the April 2026 update, if a cloud service offers MFA, failing to enable it will result in an automatic failure. IASME is clear that this applies whether MFA is included for free, available through a linked identity service, or only accessible via a paid option. That aligns with the updated requirements document, which states that authentication to cloud services must always use MFA where it is available.

The second major shift is patching discipline. IASME has confirmed that two security update questions become auto-fail points: one for operating systems and router / firewall firmware, and one for applications. The underlying NCSC requirement is that high-risk or critical security updates must be applied within 14 days of release.

The scope of assessment is also getting tighter; the updated requirements define cloud services more explicitly, stating that cloud services cannot be excluded from scope. The framework now also makes clear that scope must cover any devices or software that can handle inbound / outbound internet-connected traffic or control the flow of data between those devices and the internet. Where an organisation uses a partial scope, it must justify that choice to the assessor and explain how excluded areas are segregated.

There are also some important supporting changes around resilience and access. The updated requirements place more emphasis on backups, and the user access control section gives greater prominence to passwordless authentication, including passkeys and FIDO2 authenticators, which the NCSC treats as MFA when user authentication is performed.

What changes specifically for Cyber Essentials Plus?

The currently published Cyber Essentials Plus (CE+) test specification already requires assessors to verify that the CE+ assessment scope matches the valid Cyber Essentials self-assessment certificate, and to verify that the systems being tested match that scope. Any partial-scope sub-sets must also be verified to have been segregated effectively before testing begins. In other words, CE+ was already moving toward tougher validation before the April 2026 update.

From April 2026, IASME says the CE+ process will go further in two important ways.

Firstly, if an organisation fails the initial patching test on a random sample of devices, remediation and retest will not be limited to the original sample: the assessor will also test a new random sample to check that fixes have been applied across the wider CE+ scope.

Secondly, organisations will no longer be allowed to change their verified self-assessment responses after CE+ testing starts. IASME also says a second failure in this retest scenario will result in the verified self-assessment certificate being revoked.

That matters because it changes the mindset required for Cyber Essentials Plus. The old temptation to “fix the sample” is being closed off. Going forward, CE+ is more clearly about demonstrating that your controls work consistently across the environment, not just on the handful of devices that happened to be inspected.

The new question set shows what preparation now looks like in practice

The updated specification makes the operational impact much clearer. Organisations are now being asked to:

  • Name every legal entity in scope
  • Describe excluded networks in a partial scope
  • Explain how sub-sets are segregated
  • Account for home and remote workers
  • List all third-party cloud services in use, including social media accounts used for business

The updated framework also makes clear that cloud services cannot be excluded and that sub-sets must be created using a firewall or VLAN, not softer logical methods.

The new specification also shows how much more evidence-ready organisations will need to be: user device models are no longer required for laptops, desktops, tablets and mobiles, but make and operating system versions still are; make and models are still needed for routers and firewalls; and organisations are now asked to list the versions of browsers, antivirus software, email applications and collaboration / office applications.

It also says that if you are using Windows 10, you must be enrolled in Microsoft’s Extended Security Update programme to remain compliant.

In other words, Cyber Essentials is no longer just a case of saying, “Yes, we patch” or “Yes, we use MFA.” The updated framework expects organisations to know exactly what is in scope, exactly which services are in use, exactly how remote users connect, and exactly whether security controls are applied everywhere they should be.

That is especially important for Cyber Essentials Plus, where those statements can now be tested more rigorously against a live technical audit.

What should businesses do now?

The best preparation is not complicated, but it does need to be thorough.

Start with a real asset and service inventory and confirm every cloud service your users touch. Turn on MFA everywhere it is available. Check that high-risk patching can be evidenced across the whole estate, not just on a few devices. Review any partial scope carefully, because excluded areas now need clearer justification and stronger segregation. And make sure unsupported software, operating systems and firmware are still not quietly sitting in the background waiting to cause a certification failure.
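As an added example (not from the article or from Dolphin IT Solutions), a small Python readiness check run over a constructed inventory that applies the rules described above: MFA not enabled where a cloud service offers it, high-risk or critical updates outstanding for more than 14 days, and Windows 10 devices not enrolled in the ESU programme. Device names, service names and dates are constructed; the assessment date is assumed to be 27 April 2026.

```python
from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14  # NCSC: critical/high-risk updates applied within 14 days of release


@dataclass
class Device:
    name: str
    os: str                      # e.g. "Windows 10", "Windows 11"
    esu_enrolled: bool = False   # Windows 10 Extended Security Update programme
    pending_critical: list = field(default_factory=list)  # release dates of uninstalled critical updates


@dataclass
class CloudService:
    name: str
    mfa_available: bool
    mfa_enabled: bool


def check_devices(devices, today):
    """Flag devices that would fail the patching or unsupported-OS checks."""
    findings = []
    for d in devices:
        for released in d.pending_critical:
            age = (today - released).days
            if age > PATCH_WINDOW_DAYS:
                findings.append((d.name, "AUTO-FAIL", f"critical update {age} days old (limit {PATCH_WINDOW_DAYS})"))
        if d.os == "Windows 10" and not d.esu_enrolled:
            findings.append((d.name, "FAIL", "Windows 10 without ESU enrolment"))
    return findings


def check_cloud(services):
    """MFA offered but not enabled is an automatic failure; services with no MFA are noted for the self-assessment."""
    findings = []
    for s in services:
        if s.mfa_available and not s.mfa_enabled:
            findings.append((s.name, "AUTO-FAIL", "MFA offered but not enabled"))
        elif not s.mfa_available:
            findings.append((s.name, "NOTE", "no MFA offered; record this in the self-assessment"))
    return findings


TODAY = date(2026, 4, 27)  # assumed assessment date (constructed)
SAMPLE_DEVICES = [  # constructed inventory
    Device("LAPTOP-01", "Windows 11", pending_critical=[date(2026, 4, 20)]),  # 7 days: inside window
    Device("LAPTOP-02", "Windows 11", pending_critical=[date(2026, 4, 1)]),   # 26 days: auto-fail
    Device("PC-03", "Windows 10", esu_enrolled=False),
]
SAMPLE_SERVICES = [  # constructed list of cloud services
    CloudService("Microsoft 365", mfa_available=True, mfa_enabled=True),
    CloudService("Social media (business)", mfa_available=True, mfa_enabled=False),
]


def readiness_report(devices=SAMPLE_DEVICES, services=SAMPLE_SERVICES, today=TODAY):
    return check_devices(devices, today) + check_cloud(services)


if __name__ == "__main__":
    for name, severity, detail in readiness_report():
        print(f"{severity:9} {name}: {detail}")
```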

For organisations planning a renewal or a first Cyber Essentials Plus assessment from 27 April 2026, the right time to prepare is now. The businesses that treat this update as a paperwork change will struggle. The ones that treat it as an opportunity to improve visibility and consistency across the whole environment will be in a far stronger position, both for their accreditation and for real-world cyber resilience.
