
Cyber Essentials April 2026 Changes

If your organisation relies on Cyber Essentials or Cyber Essentials Plus, there is an important update you absolutely need to be aware of.

As of 28 April 2026, IASME has introduced the most significant changes to the Cyber Essentials scheme in several years. While the five core technical controls remain the same, the way compliance is assessed has tightened considerably, with far less room for interpretation or “paper compliance”.

In short – Cyber Essentials is no longer about ticking boxes on the day. It is now much more focused on real, ongoing security.

Here is what has changed, and what it means for you.


1. Much stricter MFA requirements

Multi-Factor Authentication (MFA) has been part of Cyber Essentials for some time, but the rules have now hardened.

  • MFA is mandatory for all cloud services where it is available
  • This applies to all users, not just administrators
  • If MFA is available but not enabled, it is an automatic fail

That includes services like Microsoft 365, Google Workspace, CRMs, finance platforms and any other system storing or processing business data.

This change removes any ambiguity – passwords alone are no longer acceptable.


2. A much tighter and clearer scope

Historically, Cyber Essentials scope could sometimes be narrowed in ways that did not reflect reality. That gap has now been closed.

Key changes include:

  • Cloud services cannot be excluded from scope
  • All internet-connected systems handling organisational data must be included unless there is a clear, justified reason
  • Assessors expect explicit, written explanations – vague scoping will no longer pass

The intention is simple: if your data lives there, it counts.


3. A shift away from point-in-time compliance

One of the biggest philosophical changes is the move away from “secure on the day”.

IASME and the NCSC are clearly targeting behaviours such as:

  • Last-minute patching just before assessment
  • Selective compliance during audits
  • Controls that exist on paper but not in practice

Cyber Essentials is now expected to represent a consistently maintained baseline, not just a snapshot.

This is especially relevant for patch management and vulnerability remediation.


4. Cyber Essentials Plus is now much tougher

If you certify against Cyber Essentials Plus, the bar has been raised again.

Key changes include:

CE+ is now a far closer reflection of real-world security posture – which is exactly why buyers and supply chains value it.


Read the IASME update here:

IASME CE+ assessment methodology update: https://iasme.co.uk/articles/important-update-changes-to-cyber-essentials-for-april-2026/


What this means for your organisation

These changes are not designed to “trip businesses up”. They are designed to ensure that Cyber Essentials remains a credible, trusted standard.

However, they do mean that:

  • Weak MFA implementations will fail
  • Overly narrow scoping will be challenged
  • Poor patching discipline will not pass
  • CE+ audits will find issues that previously slipped through

If your current certification approach relies on quick fixes before renewal, it may no longer be enough.


How Core Team One can help

At Core Team One, we help customers build IT systems that comply with Cyber Essentials properly, not just pass it.

That means:

  • Designing MFA correctly across all cloud services
  • Defining scope that stands up to scrutiny
  • Implementing repeatable patching and vulnerability processes
  • Preparing properly for Cyber Essentials Plus audits

If you are due to renew – or you want confidence that your certification will survive these changes – now is the right time to review your setup.

👉 Talk to us before your next assessment, not after it fails.
