From 27th April 2026, Cyber Essentials is getting an update.
On paper, it might look like a routine refresh. In reality, it is a clear step up in how strict the scheme is, especially for businesses that have been treating it as a once-a-year checkbox exercise.
If you’re planning to renew your certification next year, this is worth paying attention to now rather than later.
The big one: MFA is no longer optional (at all)
Multi-factor authentication (MFA) has been “strongly recommended” for a while now, but from April 2026 that changes.
If MFA is available on a system, it has to be turned on. No exceptions. Even if there’s a cost attached.
And if it isn’t enabled? That’s an automatic fail.
We’re still seeing businesses with partial MFA coverage: enabled on Microsoft 365 but not on other platforms, or enabled only for some users.
That kind of setup won’t pass under the new rules.
The 14-day patching rule is going to catch people out
This is another one that sounds simple but will trip people up.
All critical or high-risk updates need to be applied within 14 days of the update being released. That includes operating systems, apps, firewalls… everything in scope.
Miss that window, and again, it’s a fail.
In reality, a lot of businesses don’t have tight control over patching. Updates get delayed, devices get missed, or the whole process relies too heavily on someone remembering to do it by hand.
That approach is going to become a problem.
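One way to find out whether you would pass the 14-day window before an assessor does is to run your patch inventory export through a simple check. The script below is an added example (it is not from the original post and not a Cyber Essentials tool); it assumes a CSV export with the columns device, update, severity, released and installed, where installed is blank if the update has not been applied yet. The column names and the sample rows are constructed for the example, and treating an update installed on the 14th day itself as on time is an assumption, not something the scheme text spells out.

```python
"""Added example (not from the original post): check a patch-inventory
export against the Cyber Essentials 14-day patching window.

Assumed input format (not stated on the page): CSV with columns
device, update, severity, released, installed. Dates are ISO (YYYY-MM-DD)
and installed is blank when the update has not been applied yet.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta
from typing import NamedTuple

WINDOW = timedelta(days=14)       # the scheme's patching window
IN_SCOPE = {"critical", "high"}   # severities the 14-day rule applies to

# Constructed sample export: not real devices or updates.
SAMPLE_CSV = """device,update,severity,released,installed
laptop-01,KB-A,critical,2026-05-01,2026-05-10
laptop-01,KB-B,high,2026-05-01,2026-05-20
fw-edge,FW-7.2,critical,2026-05-03,
srv-files,KB-C,high,2026-05-15,
srv-files,KB-D,low,2026-04-01,
"""


class Finding(NamedTuple):
    device: str
    update: str
    status: str      # ok, overdue, missing-overdue, missing-in-window
    days_over: int   # days past the deadline (0 when on time)


def evaluate(row: dict[str, str], today: date) -> Finding | None:
    """Classify one inventory row; returns None for severities outside the rule."""
    if row["severity"].strip().lower() not in IN_SCOPE:
        return None
    # Assumption: the 14th day after release still counts as on time.
    deadline = date.fromisoformat(row["released"].strip()) + WINDOW
    installed = row["installed"].strip()
    if installed:
        over = (date.fromisoformat(installed) - deadline).days
        status = "ok" if over <= 0 else "overdue"
    else:
        # Not yet applied: it only becomes a finding once the deadline passes.
        over = (today - deadline).days
        status = "missing-in-window" if over <= 0 else "missing-overdue"
    return Finding(row["device"], row["update"], status, max(over, 0))


def audit(csv_text: str, today_iso: str) -> list[Finding]:
    """Evaluate every in-scope row of a CSV export as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    reader = csv.DictReader(io.StringIO(csv_text))
    return [f for f in (evaluate(r, today) for r in reader) if f is not None]


def failures(findings: list[Finding]) -> list[Finding]:
    """Rows that would fail the 14-day rule as of the audit date."""
    return [f for f in findings if f.status in ("overdue", "missing-overdue")]


if __name__ == "__main__":
    results = audit(SAMPLE_CSV, "2026-05-25")
    for f in results:
        print(f"{f.device:10} {f.update:8} {f.status:18} +{f.days_over}d")
    print(f"{len(failures(results))} of {len(results)} in-scope updates fail")
```

Point it at the export from your RMM or patch-management tool (mapping the column names if they differ) and run it weekly rather than the week before renewal: the missing-in-window rows are the ones that turn into failures if nobody acts on them, and low or medium updates are deliberately left out because the 14-day rule is only about critical and high.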
Scope is getting more… serious
Cyber Essentials has always required you to define what’s in scope, but the 2026 update tightens this up.
You’ll need to be much clearer about:
- what’s included
- what’s excluded (and why)
- which legal entities are covered
There’s also more flexibility for group structures, but with that flexibility comes more scrutiny of how you have drawn the boundary.
In short, you can’t be vague anymore.
Cyber Essentials Plus: less room for mistakes
If you’re going for Cyber Essentials Plus, the process is becoming less forgiving.
If devices fail because they’re missing updates, they’ll be retested after you fix them. That sounds fair enough, but you also won’t be able to change your self-assessment answers once testing has started.
So, whatever you submit needs to be right first time.
There’s also more accountability at the top
One subtle but important change: compliance has to be in place at the point your certificate is issued, and directors are expected to formally take responsibility for maintaining it.
That’s a shift away from “we passed, job done” towards ongoing accountability.
So, what should you actually do?
The main takeaway is this: leaving everything until your renewal date is going to be risky.
The businesses that will struggle most are the ones that:
- haven’t fully rolled out MFA
- don’t have a reliable patching process
- aren’t clear on their scope
The ones that start preparing now? They’ll be fine.
If you’re planning to renew Cyber Essentials in 2026, now’s the time to get ahead of it.
At Freestyle TS, we’re already helping businesses review their MFA, patching, and scope ahead of the changes, so there are no surprises later on.
Feel free to get in touch if you want a quick readiness check.