
Cyber Essentials News 2026: What UK Businesses Need to Know About the Latest Update
Cyber Essentials has always been one of the most practical cyber security standards for UK organisations. It is not designed to be complicated, overly technical or reserved for large enterprises. Its purpose is simple: help businesses defend themselves against the most common online threats.
But the scheme has changed.
The latest Cyber Essentials update, known as Requirements for IT Infrastructure v3.3, came into force for new assessment accounts created from 27 April 2026. The National Cyber Security Centre’s own Cyber Essentials resources confirm that applications started before 27 April 2026 can continue under the previous v3.2 requirements, while new assessments move to the newer technical requirements.
For small and medium-sized businesses, this is more than a paperwork update. The 2026 changes sharpen the focus on real-world weaknesses that attackers commonly exploit: poor cloud account protection, missing multi-factor authentication, delayed patching, unclear device scope and weak administration practices.
That matters because Cyber Essentials is no longer just a “nice to have” certificate. For many organisations, it affects public sector tendering, supplier approval, cyber insurance conversations and client confidence. GOV.UK describes Cyber Essentials as a government-backed, industry-supported scheme that helps organisations protect themselves against common online threats.
If your business already holds Cyber Essentials, or you plan to apply this year, the latest update deserves proper attention.
What Is Cyber Essentials?
Cyber Essentials is a UK cyber security certification scheme focused on five core technical controls:
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Security update management
The scheme is intended to reduce exposure to common cyber attacks. It gives businesses a practical baseline for securing laptops, desktops, servers, cloud services, mobile devices, user accounts and internet-facing systems.
There are two certification levels:
Cyber Essentials is a self-assessment certification. The organisation completes a questionnaire confirming that its systems meet the required controls.
Cyber Essentials Plus includes independent technical testing. An assessor verifies that the controls are working in practice.
For many UK businesses, the basic Cyber Essentials certificate is enough to satisfy supplier requirements. For higher-risk environments, larger contracts, regulated supply chains or clients that expect stronger assurance, Cyber Essentials Plus may be more appropriate.
What Is the Main Cyber Essentials News for 2026?
The main Cyber Essentials news for 2026 is the move to Cyber Essentials Requirements for IT Infrastructure v3.3, which applies to new assessment accounts created from 27 April 2026. IASME, which administers the scheme, confirmed that the v3.3 updates apply to assessment accounts created after that date, and applicants then have six months to complete the assessment.
The changes are not a complete rebuild of the scheme. The five core control areas remain the same. What has changed is the level of clarity and strictness around several important areas.
The biggest practical changes affect:
- Multi-factor authentication for cloud services
- Security update and patching timescales
- Cloud service scoping
- User and administrator account control
- Handling of unsupported software and devices
- Evidence and clarity around assessment answers
For businesses that already take cyber security seriously, the update should be manageable. For businesses that have treated Cyber Essentials as a once-a-year form-filling exercise, it may expose gaps that need fixing before renewal.
Why the April 2026 Update Matters
The 2026 update matters because it removes some of the grey areas that previously allowed businesses to pass while still carrying avoidable risks.
The updated NCSC v3.3 technical requirements state that cloud service authentication must use MFA where it is available. IASME’s update is even clearer: multi-factor authentication is now mandatory for all cloud services where available, and organisations that fail to implement MFA for cloud services automatically fail the assessment.
That is a significant shift.
In the past, some organisations viewed MFA as strongly recommended rather than operationally unavoidable. In 2026, that position is no longer safe. If a cloud service supports MFA and your business has not enabled it, that can now become a certification blocker.
This is especially important for businesses using Microsoft 365, Google Workspace, Dropbox, accounting platforms, CRM systems, remote access tools, hosted backup portals, HR systems and cloud-based line-of-business applications.
In other words, Cyber Essentials now reflects how businesses actually work. Modern companies are not just protecting a server in the office. They are protecting identities, cloud accounts, SaaS tools, mobile devices and remote access routes.
Key Change 1: MFA for Cloud Services Is Now Essential
The headline change is multi-factor authentication.
MFA means users must provide more than just a password when signing in. That could be a mobile app prompt, one-time code, hardware security key, passkey or another approved method.
Why is this so important?
Because passwords are frequently stolen, guessed, reused or phished. If an attacker obtains an employee’s password, MFA may be the control that stops them from signing in.
For most UK SMEs, this directly affects services such as:
- Microsoft 365
- Google Workspace
- Dropbox
- OneDrive
- SharePoint
- Xero
- Sage
- QuickBooks
- HubSpot
- Remote management tools
- Cloud backup systems
- Web hosting portals
- Domain registrar accounts
- Password managers
- CRM platforms
This is where many businesses may underestimate the work involved. It is not enough to enable MFA for the main administrator account and assume the business is covered. Cyber Essentials now expects cloud services to be protected where MFA is available.
For Microsoft 365 environments, that usually means reviewing conditional access, security defaults, legacy authentication, shared mailboxes, admin accounts, break-glass accounts and user enrolment.
For smaller businesses, the most practical starting point is simple: make a list of every cloud service the business uses, then confirm whether MFA is enabled for all user accounts.
Key Change 2: Cloud Services Cannot Be Ignored
Cloud services are now much harder to sidestep in the assessment.
This matters because many businesses have moved critical data away from local servers and into cloud services. Email, files, finance systems, HR platforms and customer records often live in cloud systems rather than on office hardware.
Some older security reviews still focus heavily on physical devices and local networks. Cyber Essentials v3.3 makes clear that cloud services are part of the real security picture.
A practical Cyber Essentials review should now include:
- Microsoft 365 tenant settings
- Google Workspace settings
- Cloud storage platforms
- Cloud backup portals
- Remote access platforms
- Hosted CRM systems
- Accounting software
- Web hosting and DNS accounts
- Third-party admin portals
- Any SaaS product storing business data
The important point is that scope must reflect business reality. If a cloud platform stores, processes or provides access to business data, it needs to be considered properly.
For small businesses, this can feel inconvenient. But from a security point of view, it is exactly where the risk often sits. A compromised Microsoft 365 account, backup portal or domain registrar login can be far more damaging than a single infected laptop.
Key Change 3: Patching Expectations Are Tighter
Security updates remain a central part of Cyber Essentials.
Attackers regularly exploit known vulnerabilities for which fixes already exist. The longer a business delays installing critical updates, the longer it gives attackers an open door.
Recent commentary on the 2026 update highlights the stricter 14-day expectation for high-risk or critical security updates, with businesses needing better processes to track, prioritise and evidence patching across endpoints, servers and cloud services.
For many SMEs, patching problems are not caused by unwillingness. They are caused by lack of process.
Common issues include:
- Laptops not checking in regularly
- Staff delaying restarts
- Old servers running unsupported software
- Network devices with forgotten firmware updates
- Third-party applications not included in patch routines
- Remote workers rarely connecting to management systems
- No central reporting to confirm update status
Cyber Essentials does not expect businesses to be perfect, but it does expect them to manage updates properly. That includes operating systems, applications, browsers, firewalls, routers and supported firmware.
A business that only updates Windows but ignores browsers, PDF tools, VPN software, firewall firmware and old applications may still be carrying serious risk.
Key Change 4: Unsupported Software Is a Bigger Problem
Unsupported software has always been risky, but the Cyber Essentials assessment process increasingly expects businesses to identify and remove it.
Unsupported software means the vendor no longer provides security updates. Once that happens, vulnerabilities may remain permanently unpatched.
Examples may include:
- Old versions of Windows
- End-of-life servers
- Unsupported Office versions
- Legacy accounting packages
- Old firewall firmware
- Forgotten database systems
- Abandoned remote access tools
- Outdated mobile operating systems
The business risk is simple. If a product is unsupported and connected to business systems, it can become a weak link.
For Cyber Essentials preparation, organisations should build a basic asset list. This does not need to be complex at first. Even a spreadsheet showing devices, operating systems, software, users and support status is better than relying on memory.
A good managed IT provider can usually help identify outdated systems before they become a certification issue.
Key Change 5: Admin Accounts Need Cleaner Separation
Cyber Essentials v3.3 reinforces an important security principle: administrator privileges should be controlled carefully.
The NCSC v3.3 requirements state that organisations should use separate accounts for administrative activities only, rather than using admin accounts for standard tasks such as email or web browsing.
This is a sensible real-world control.
If a user browses the web, opens email attachments and carries out everyday work using an administrator account, any compromise of that session can have far greater impact. The attacker may gain elevated permissions immediately.
A stronger approach is to use:
- Standard accounts for normal daily work
- Separate admin accounts for technical administration
- MFA on administrator accounts
- Stronger monitoring of privileged access
- Removal of admin rights when no longer needed
- Named admin accounts rather than shared generic logins
This is particularly important in Microsoft 365, where global administrator accounts can control email, data, security settings, users and access policies.
For most SMEs, cleaning up admin rights is one of the highest-value security improvements available.
What This Means for UK Small Businesses
For UK small businesses, the latest Cyber Essentials update should be seen as a prompt to tighten everyday security rather than panic.
Most of the required controls are sensible and achievable:
- Turn on MFA
- Remove unsupported software
- Keep systems patched
- Reduce unnecessary admin rights
- Protect cloud services
- Maintain basic device records
- Secure firewalls and routers
- Use malware protection
- Apply secure configurations
The difficulty is not usually understanding the controls. The difficulty is proving they are consistently in place.
That is why businesses should not leave Cyber Essentials preparation until the assessment is due. A rushed approach often reveals last-minute issues: one old laptop, one unmanaged cloud service, one forgotten admin account, one unsupported application or one firewall that has not been updated for years.
A better approach is to treat Cyber Essentials as an ongoing security baseline.
Cyber Essentials and Public Sector Contracts
Cyber Essentials is especially important for organisations that work with, or want to work with, the public sector.
For suppliers handling certain types of sensitive government information, Cyber Essentials can be mandatory. The 2026 update has attracted attention because an organisation that fails to meet the updated MFA and cloud requirements may put certification-dependent work at risk. Recent reporting has specifically highlighted the risk to public sector contracts where organisations do not enable MFA across cloud services.
Even outside government work, Cyber Essentials can support supplier assurance. Many larger companies now ask smaller suppliers to demonstrate basic cyber security controls before giving access to data, systems or contracts.
In that sense, Cyber Essentials is not just a technical badge. It is a commercial trust signal.
For a small business, certification can help answer a client’s unspoken question:
“Can we trust you with our data?”
Cyber Essentials and Cyber Insurance
Cyber insurance providers increasingly look at whether businesses have basic cyber controls in place.
Cyber Essentials does not guarantee insurance approval, and it does not replace a proper insurance review. However, it can support risk conversations by demonstrating that the business has implemented a recognised baseline of technical controls.
For many SMEs, this is valuable because insurers are becoming more interested in practical security posture. They may ask about MFA, backups, endpoint protection, patching, incident response and administrative controls.
Cyber Essentials helps bring those controls into a structured framework.
Common Reasons Businesses Fail Cyber Essentials
The most common Cyber Essentials problems are often straightforward.
Businesses usually struggle because of overlooked basics rather than advanced cyber threats.
Common failure points include:
- MFA not enabled on cloud services
- Old user accounts still active
- Former staff accounts not disabled
- Unsupported operating systems
- Unsupported applications
- Weak or inconsistent patching
- Unclear device ownership
- Personal devices accessing business data without controls
- Router or firewall firmware not updated
- Unnecessary administrator privileges
- Missing malware protection
- Cloud systems left out of scope
- Poor password practices
- Shared admin accounts
These are all fixable. The key is identifying them before the assessment begins.
A Practical Cyber Essentials Preparation Checklist
Before applying or renewing, UK businesses should review the following areas.
1. List Your Devices
Include:
- Desktop PCs
- Laptops
- Servers
- Mobile phones
- Tablets
- Firewalls
- Routers
- Network equipment
- Remote worker devices
Make sure the list includes operating system versions and whether each device is still supported.
2. Review Your Cloud Services
List every cloud platform used by the business, including:
- File storage
- Accounting
- CRM
- HR
- Backup
- Remote access
- Password management
- Hosting
- Domain management
Check whether MFA is available and enabled.
3. Check User Accounts
Review:
- Current users
- Former staff accounts
- Shared accounts
- Administrator accounts
- External consultant accounts
- Guest accounts
- Service accounts
Disable anything no longer needed.
4. Confirm MFA Coverage
MFA should be enabled wherever available, especially for:
- Microsoft 365 or Google Workspace
- Cloud storage
- Admin portals
- Remote access
- Financial systems
- Backup platforms
- Domain registrar accounts
Do not assume MFA is active. Check it.
5. Check Patching
Review whether updates are applied quickly enough across:
- Windows or macOS
- Servers
- Browsers
- Office applications
- PDF readers
- Remote access tools
- Firewall firmware
- Router firmware
- Line-of-business software
Record how updates are managed.
6. Remove Unsupported Software
Identify anything that is end-of-life or no longer receiving security updates.
Plan replacement or isolation before assessment.
7. Reduce Admin Rights
Users should not have administrator rights unless there is a business need.
Admin accounts should be separate, protected and used only for administration.
8. Check Malware Protection
Ensure all relevant devices have active malware protection and that it is updating correctly.
9. Secure Firewalls and Routers
Check:
- Default passwords have been changed
- Unnecessary inbound ports are closed
- Firmware is supported
- Remote admin access is controlled
- Firewall rules are documented
10. Prepare Evidence
Keep records of:
- Device inventory
- User account reviews
- MFA status
- Patch reports
- Security policies
- Admin account controls
- Software support status
This makes the assessment smoother and reduces uncertainty.
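As an added example (not from the article, and not a tool from Fox Technologies, IASME or the NCSC), the checks in steps 1 to 7 above, together with the 14-day expectation for critical updates from Key Change 3, can be applied mechanically to the kind of spreadsheet records the checklist recommends keeping; the column names, the sample rows and the review date are constructed for illustration:

```python
"""Readiness checks for the Cyber Essentials v3.3 points the article raises.
Added example with constructed sample data, not an official IASME/NCSC tool."""
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 14  # the 14-day expectation for critical updates
TODAY = date(2026, 4, 20)  # constructed "date of the review"

CLOUD_SERVICES_CSV = """service,mfa_available,mfa_enabled
Microsoft 365,yes,yes
Accounting platform,yes,no
Legacy supplier portal,no,no
"""
DEVICES_CSV = """device,os,supported,critical_released,critical_installed
LAPTOP-01,Windows 11,yes,2026-04-01,2026-04-05
LAPTOP-02,Windows 10,no,2026-04-01,
FW-01,Firewall firmware,yes,2026-03-01,2026-03-28
"""
ACCOUNTS_CSV = """account,is_admin,used_for_daily_work,shared
jane.admin,yes,no,no
admin,yes,yes,yes
jane,no,yes,no
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _yes(value):
    return value.strip().lower() == "yes"

def check_cloud_mfa(csv_text):
    """Services that offer MFA but do not have it enabled: an automatic fail."""
    return [r["service"] for r in _rows(csv_text)
            if _yes(r["mfa_available"]) and not _yes(r["mfa_enabled"])]

def check_devices(csv_text, today):
    """Unsupported devices, and critical updates installed late or not at all."""
    findings = []
    for r in _rows(csv_text):
        if not _yes(r["supported"]):
            findings.append((r["device"], "unsupported OS or firmware"))
        released = date.fromisoformat(r["critical_released"])
        installed = r["critical_installed"]  # empty means still outstanding
        lag = ((date.fromisoformat(installed) if installed else today) - released).days
        if lag > PATCH_WINDOW_DAYS:
            findings.append((r["device"], f"critical update {lag} days after release"))
    return findings

def check_accounts(csv_text):
    """Admin accounts that break the separation the v3.3 requirements expect."""
    findings = []
    for r in _rows(csv_text):
        if _yes(r["is_admin"]) and _yes(r["used_for_daily_work"]):
            findings.append((r["account"], "admin account used for daily work"))
        if _yes(r["is_admin"]) and _yes(r["shared"]):
            findings.append((r["account"], "shared admin login"))
    return findings

def readiness(today=TODAY):
    """Summarise all three checks; any cloud MFA gap fails the assessment outright."""
    mfa_gaps = check_cloud_mfa(CLOUD_SERVICES_CSV)
    return {"mfa_gaps": mfa_gaps, "devices": check_devices(DEVICES_CSV, today),
            "accounts": check_accounts(ACCOUNTS_CSV), "would_fail": bool(mfa_gaps)}
```

Note that the legacy portal with no MFA option is not flagged, matching the "where available" wording, while a device whose critical update is still outstanding is measured from the release date to the review date.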
How Fox Technologies Can Help
Cyber Essentials is designed to be accessible, but many businesses still benefit from guidance before they apply.
Fox Technologies can help UK businesses prepare by reviewing the practical areas that commonly cause problems, including Microsoft 365 security, MFA rollout, device patching, user access, admin rights, firewall configuration, cloud service scope and endpoint protection.
This is especially useful if your business:
- Has not reviewed Cyber Essentials for a while
- Uses Microsoft 365 heavily
- Has remote or hybrid workers
- Uses multiple cloud platforms
- Has grown quickly
- Has old devices or legacy software
- Needs certification for tenders
- Wants Cyber Essentials Plus readiness
- Is unsure what should be included in scope
You can learn more about Fox Technologies at https://foxtechnologies.co.uk or contact the team directly at https://foxtechnologies.co.uk/contact.
Suggested Internal Links
- Fox Technologies homepage: https://foxtechnologies.co.uk
- Contact Fox Technologies: https://foxtechnologies.co.uk/contact
Suggested External Links
- NCSC Cyber Essentials resources
- GOV.UK Cyber Essentials scheme overview
- IASME Cyber Essentials update articles
Suggested FAQ Section
What changed in Cyber Essentials in 2026?
Cyber Essentials moved to Requirements for IT Infrastructure v3.3 for new assessment accounts created from 27 April 2026. The update tightens requirements around cloud services, MFA, patching, scope, user access and administrator controls.
Is MFA now required for Cyber Essentials?
Yes. For cloud services, MFA must be implemented where it is available. IASME confirms that organisations that fail to implement MFA for available cloud services will automatically fail the assessment.
Do cloud services count in Cyber Essentials?
Yes. Cloud services are now a key part of Cyber Essentials scope. Businesses should review email, file storage, CRM, finance, backup, hosting, domain and remote access platforms.
Is Cyber Essentials only for large businesses?
No. Cyber Essentials is designed for organisations of all sizes. It is particularly useful for SMEs because it provides a practical baseline against common cyber threats.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment certification. Cyber Essentials Plus includes independent technical testing to verify that controls are working in practice.
Should I prepare before starting the Cyber Essentials assessment?
Yes. Businesses should review MFA, patching, cloud services, unsupported software, admin rights and device scope before starting. Preparation reduces the risk of delays or assessment failure.
The latest Cyber Essentials update is not just compliance news. It is a reminder that cyber security has moved into the cloud, into identities and into everyday business systems.
For UK businesses, the message is clear: protect cloud accounts with MFA, patch quickly, know what systems you use, remove unnecessary access and stop treating cyber security as an annual form.
Cyber Essentials remains one of the clearest and most achievable ways to improve business security. The 2026 update simply raises the expectation that those controls are genuinely in place — not just assumed.
For businesses that act now, the update is an opportunity. It strengthens security, supports tender readiness, improves client confidence and reduces the chance that one overlooked cloud account becomes the way in.
