


The NCSC’s Cyber Essentials scheme is getting a substantial update in April 2026. Of course, the core principles will remain the same, but there are some practical elements that will change the reality of achieving or renewing your Cyber Essentials Plus certification.
Don’t worry: there’s nothing radical about these updates, and there won’t be any new security concepts. The goal of this update is to remove ambiguity, tighten enforcement, and make Cyber Essentials Plus (CE+) a much more hands-on, thorough assessment to protect your organisation from digital threats.
Historically, the Cyber Essentials (CE) scheme has allowed for a degree of interpretation. Organisations could sometimes meet the general ‘spirit’ of the controls without fully enforcing them everywhere. With the update, that is no longer the case.
The updated scheme makes it much clearer exactly what is required to meet the standards, and CE+ will increasingly test whether those controls are working in the real world.
One of the biggest changes is how multi-factor authentication (MFA) is treated. From 27 April 2026:
Multi-factor authentication is an effective additional layer of security that is increasingly common with modern cloud services, including Microsoft 365, Google Workspace, CRM systems and other remote access systems. It significantly reduces the risk of unauthorised access, even if passwords are compromised.
In practice, this means organisations must audit every internet-accessible service in use. Any service where MFA is available but not enforced becomes a potential automatic failure, especially under CE+.
There will now be no uncertainty about cloud responsibility: relying on the third-party cloud provider’s baseline security is no longer sufficient. Organisations are expected to secure:
In practice that means you will need to demonstrate that your organisation has configured its cloud services securely, not just that the provider is reputable.
Any device, system, or service that connects to the internet is in scope by default, and any exclusions must be technically justified and clearly segregated. This includes:
In practice, that means you will need a clearer asset inventory and stronger justification for anything declared out of scope. For CE+, assessors are more likely to challenge assumptions. In short: if you can’t clearly explain why something is excluded, expect it to be included.
CE will remain as a self-assessment, but CE+ is skewing further towards hands-on technical verification and away from policy-based assurance, incorporating:
The key point is that controls must actually exist, be correctly configured, and be demonstrably effective.
What you declare in the CE self-assessment and what is tested during the CE+ audit must align. That means you can expect to provide:
This is a more subtle change, but any mismatch between paperwork and reality increases the risk of delays or failure.
CE+ certification now rewards preparation. Based on both the updated guidance and assessor commentary, organisations that succeed treat CE+ as a project, not a single assessment day, including:
Cyber Essentials still provides a valuable baseline. But the difference between CE and CE+ is becoming more pronounced. For organisations working with government, regulated industries and sensitive supply chains, Cyber Essentials Plus is increasingly seen as the true signal of operational security maturity.
From 27 April 2026, organisations certifying or renewing CE+ must:
As CE+ becomes more technical, preparation matters more than ever.
PGI supports you to identify gaps, strengthen controls, and evidence compliance, ensuring you’re ready for certification under the 2026 requirements.
Our services are delivered by experts who understand how assessments are carried out in practice, and include Cyber Essentials gap analysis, MFA and identity implementation, cloud security reviews, and full certification support.