Upcoming Cyber Essentails Changes 2026
Cyber Essentials Update: What’s Changing in 2026
The Cyber Essentials scheme is built around five core technical controls designed to protect organisations from the most common cyber threats. Each year, the National Cyber Security Centre and IASME review these requirements to ensure they remain relevant. The next update goes live in April 2026, with six months’ notice for organisations to prepare. Cyber Essentials Requirements for IT Infrastructure v3.3 will apply to all assessment accounts created after 27 April 2026.
Key points
- Stronger focus on passwordless authentication and MFA.
- Minor changes to the requirements document.
- Clearer definitions, especially around cloud services.
- Simplified scoping rules.
- Updated guidance for application development.
- Backup guidance moved earlier for emphasis.
What matters most
The most significant update is to the marking criteria: multi-factor authentication (MFA) becomes mandatory wherever available. If a cloud service offers MFA—free or paid, and it is not enabled, the assessment will automatically fail. This change reflects the increasing importance of MFA in preventing account compromise.
The user access control section has been updated to place greater emphasis on passwordless authentication and multi-factor authentication (MFA). Passkeys in particular offer an easier, faster and more secure way to log in and the NCSC would like to see them become the default authentication recommendation.
Definitions have also been tightened. A clear definition of “cloud service” is now included, and cloud services can no longer be excluded from scope. Scoping language has been simplified so any in-scope device connected to the internet is included, regardless of connection type. Applicants excluding networks will need to justify why and explain how segregation is enforced.
The “web applications” section is now “application development” and aligns with the UK Government Software Security Code of Practice. Backup guidance has been moved to highlight its importance.
The full v3.3 requirements will apply from 27 April 2026, with the new question set released by February 2026.
For more on how Cyber Essentails works, please 📧 contact us for more information