
Changes are coming to the Cyber Essentials scheme

16/03/2026 - Information Technology

Changes are coming to the Cyber Essentials scheme from April 2026. This year's update puts more focus on three areas that often cause problems when trying to get certified: cloud applications, authentication on cloud services, and patching. If these are not in order, your CE application is more likely to run into difficulty, as assessors will be applying stricter marking criteria. Key changes include:

☑️ Cloud services are explicitly in scope. If your organisation’s data or services are hosted on cloud platforms, those services must be in scope and cannot be excluded from certification.

☑️ MFA on cloud services can trigger an automatic fail. Where MFA is available for a cloud service but not implemented, this is treated as an automatic fail in the question set.

☑️ 14-day patching is tied to auto-fail questions. The requirement to install high-risk or critical security updates within 14 days still applies, but the related questions are now treated as automatic fail questions if you are not doing this.

☑️ Partial scope needs clearer evidence. Partial scope certification is still allowed, but organisations must clearly justify the scope and show that excluded systems are properly segregated.

Most of these changes clarify and tighten up existing requirements. 4Cambridge helps organisations get through their Cyber Essentials application process successfully. If you need help getting your systems aligned, get in touch.

