The NCSC’s Cyber Essentials scheme is getting a substantial update in April 2026. Of course, the core principles will remain the same, but there are some practical elements that will change the reality of achieving or renewing your Cyber Essentials Plus certification.
Don’t worry: there’s nothing radical about these updates, and there won’t be any new security concepts. The goal of this update is to remove ambiguity, tighten enforcement, and make Cyber Essentials Plus (CE+) a much more hands-on, thorough assessment that protects your organisation from digital threats.
Historically, the Cyber Essentials (CE) scheme has allowed for a degree of interpretation. Organisations could sometimes meet the general ‘spirit’ of the controls without fully enforcing them everywhere. With the update, that is no longer the case.
The updated scheme makes it much clearer exactly what is required to meet the standards, and CE+ will increasingly test whether those controls are working in the real world.
One of the biggest changes is how multi-factor authentication (MFA) is treated. From 27 April 2026:
Multi-factor authentication is an effective additional layer of security that is increasingly common with modern cloud services, including Microsoft 365, Google Workspace, CRM systems and other remote access systems. It significantly reduces the risk of unauthorised access, even if passwords are compromised.
In practice, this means organisations must audit every internet-accessible service in use. Any service where MFA is available but not enforced will result in an automatic failure.
The updated user access control section also recognises passwordless authentication methods such as passkeys, biometrics and hardware tokens as valid and encouraged approaches.
To reduce exploit windows, the official standards now designate two security update questions as automatic failures if not met:
You must evidence that you install software/hardware updates within 14 days, and a failure to meet either question results in a failed assessment, even if all other controls are satisfied.
There will be no uncertainty about cloud responsibility: relying on the third-party cloud provider’s baseline security is no longer sufficient. Organisations are expected to secure:
In practice that means you will need to demonstrate that your organisation has configured its cloud services securely, not just that the provider is reputable.
Importantly, the updated standard now formally defines a cloud service as an on-demand, scalable service hosted on shared infrastructure, accessible via the internet, and used to store or process organisational data. Such services cannot be excluded from scope.
The section previously referred to as ‘Web Applications’ has now been renamed ‘Application Development’ and aligns with the UK Government Software Security Code of Practice. Publicly accessible commercial web applications are in scope by default, reinforcing the expectation that secure development practices are embedded into internet-facing systems.
Any device, system, or service that connects to the internet is in scope by default and any exclusions must be technically justified and clearly segregated. This includes:
The updated requirements also remove previously ambiguous terms such as ‘untrusted’ and ‘user-initiated’ to reduce inconsistent interpretations of what must be included in scope.
In practice, that means you will need a clearer asset inventory and stronger justification for anything declared out of scope. For CE+, assessors are more likely to challenge assumptions. In short: if you can’t clearly explain why something is excluded, expect it to be included.
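As an added illustration (this is not part of the original article and not a PGI tool), the following Python script runs three of the pre-checks discussed above over an asset inventory: internet-facing services where MFA is available but not enforced, security updates outstanding beyond the 14-day window, and assets declared out of scope without a technical justification. The inventory, the asset names and the field names are constructed assumptions for the example; a real run would load the organisation's own inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# The 14-day update window stated in the updated Cyber Essentials requirements.
PATCH_WINDOW_DAYS = 14


@dataclass
class Asset:
    """One row of a (constructed) asset inventory. Field names are assumptions."""
    name: str
    internet_facing: bool
    in_scope: bool
    scope_justification: str = ""          # required when in_scope is False
    mfa_available: bool = False            # does the service offer MFA at all?
    mfa_enforced: bool = False             # is MFA mandatory for every account?
    oldest_pending_update: Optional[date] = None  # release date of the oldest uninstalled security update


def audit_inventory(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for anything that would fail CE+ pre-checks."""
    findings = []
    for asset in assets:
        if not asset.in_scope:
            if asset.scope_justification.strip():
                # A justified, segregated exclusion is not tested further.
                continue
            # No justification: treat the asset as in scope and keep testing it.
            findings.append((asset.name, "declared out of scope without technical justification"))

        # Any internet-facing service with MFA available but not enforced is an automatic fail.
        if asset.internet_facing and asset.mfa_available and not asset.mfa_enforced:
            findings.append((asset.name, "MFA available but not enforced"))

        # Security updates must be installed within PATCH_WINDOW_DAYS of release.
        if asset.oldest_pending_update is not None:
            age = (today - asset.oldest_pending_update).days
            if age > PATCH_WINDOW_DAYS:
                findings.append(
                    (asset.name, f"security update outstanding for {age} days (limit {PATCH_WINDOW_DAYS})")
                )
    return findings


# Constructed sample inventory; dates chosen relative to the 27 April 2026 start date.
AUDIT_DATE = date(2026, 4, 27)
SAMPLE_INVENTORY = [
    Asset("Microsoft 365 tenant", internet_facing=True, in_scope=True,
          mfa_available=True, mfa_enforced=True),
    Asset("CRM (SaaS)", internet_facing=True, in_scope=True,
          mfa_available=True, mfa_enforced=False),
    Asset("File server", internet_facing=False, in_scope=True,
          oldest_pending_update=date(2026, 4, 1)),      # 26 days outstanding
    Asset("Lab network", internet_facing=False, in_scope=False,
          scope_justification="physically segregated VLAN, no internet route"),
    Asset("Legacy kiosk", internet_facing=True, in_scope=False,
          oldest_pending_update=date(2026, 4, 20)),     # 7 days, within window
]


if __name__ == "__main__":
    for name, finding in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{name}: {finding}")
```

The script reports three findings for the sample inventory: the CRM service (MFA not enforced), the file server (update outstanding for 26 days) and the legacy kiosk (excluded without justification). The lab network is skipped because its exclusion is justified, and the kiosk's 7-day-old update is within the window. Extending the inventory with every internet-accessible service, as the updated scheme expects, is the part that has to be done by hand.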
The updated scheme also introduces clearer requirements around what a certificate represents. Organisations must describe excluded infrastructure and legal entities included in scope, and may include more detailed scope descriptions on certificates. Where required, individual certificates can be issued per legal entity within a wider group structure.
CE will remain as a self-assessment, but CE+ is skewing further towards hands-on technical verification and away from policy-based assurance, incorporating:
The key point is that controls need to actually exist, they must be correctly configured, and they must be demonstrably effective.
What you declare in the CE self-assessment and what is tested during the CE+ audit must align. That means you can expect to provide:
This is a more subtle change, but any mismatch between paperwork and reality increases the risk of delays or failure.
CE+ certification now rewards preparation. Based on both the updated guidance and assessor commentary, organisations that succeed treat CE+ as a project, not a single assessment day, including:
Another change is that backup guidance has been repositioned within the requirements to emphasise its importance in recovery and resilience following a cyber incident.
Cyber Essentials still provides a valuable baseline. But the difference between CE and CE+ is becoming more pronounced. For organisations working with government, regulated industries and sensitive supply chains, Cyber Essentials Plus is increasingly seen as a strong signal of operational security maturity.
From 27 April 2026, organisations certifying or renewing CE+ must:
IASME has also clarified that certification represents a “point in time” at the date of certificate issue, meaning all systems must be supported and compliant on that specific date.
As CE+ becomes more technical, preparation matters more than ever.
PGI helps you identify gaps, strengthen controls, and evidence compliance, ensuring you’re ready for certification under the 2026 requirements.
Our services are delivered by experts who understand how assessments are carried out in practice, and include Cyber Essentials gap analysis, MFA and identity implementation, cloud security reviews, and full certification support.
Ready to get started? Let’s talk.