
Cyber Essentials: News and Regulation Updates


2026: April Scheduled Update

Cyber Essentials latest update

IASME and the National Cyber Security Centre (NCSC) have confirmed the next scheduled update to the Cyber Essentials requirements. The updated Requirements for IT Infrastructure v3.3 will take effect from 27th April 2026.

Organisations starting a Cyber Essentials assessment after this date will follow the new version. Assessments created before this cut-off will continue under the existing requirements, with up to six months to complete.

This annual review focuses on improving clarity and consistency within the standard. Note that the changes between the previous ‘Willow’ question set and the newly titled ‘Danzell’ question set are more significant than in earlier scheme updates.

There are key changes to the requirements for organisations seeking to certify at both Cyber Essentials and Cyber Essentials Plus level. Most updates refine definitions and scope rather than introducing new technical controls. However, some changes will be important for organisations preparing for certification.

For full details, see the official announcement on the IASME website.

Summary of key changes

  • Stronger MFA expectations: Multi-factor authentication (MFA) remains a core control. Under the updated marking criteria, where a cloud service supports MFA, it must be enabled. If available MFA options are not implemented, the assessment is likely to result in a failure. This change reinforces the importance of MFA in protecting systems and organisational data.
  • Cloud services defined and included in scope: The standard now includes a clear definition of what constitutes a cloud service. Any cloud-hosted tools or platforms used to store or process organisational data must be included within scope and cannot be excluded.
  • Simplified scope criteria: Language relating to internet connections has been clarified so that any device capable of connecting to the internet – whether through inbound or outbound connections – falls within scope. Where parts of an organisation are excluded from scope, applicants must clearly explain what has been excluded, why it has been excluded, and how it has been segregated from the rest of the network infrastructure.
  • Updated application development guidance: The former ‘web applications’ section has been renamed Application Development and now references the UK Government’s Software Security Code of Practice. Commercially available web applications are in scope by default, while bespoke internal components are treated separately.
  • Greater emphasis on backups: Guidance on backups has been repositioned earlier in the requirements document to highlight their importance in supporting recovery following a cyber incident.
  • Updated user access control guidance: The user access control section places increased emphasis on modern authentication methods, particularly passwordless approaches such as passkeys and FIDO2 authenticators. These technologies provide secure alternatives to traditional passwords and are recognised as best practice.


What This Means for Organisations

The April 2026 update is designed to remove ambiguity and strengthen the implementation of the core technical controls. Most businesses should find alignment straightforward. However, the revised approach to MFA assessment, particularly across cloud services, may require review to ensure full compliance.

To prepare for the updated requirements, organisations should review their authentication controls, cloud service usage, and how their infrastructure is scoped.

What are the differences between Cyber Essentials before April 2026 and after the April 2026 update?

We are closely monitoring the April 2026 Cyber Essentials update and supporting organisations in understanding exactly what is changing and how it may affect their certification.

The table below compares each area before and after the update. For each area: Before April 2026; From April 2026 (Version 3.3); What this may mean for you.

Area: Sample remediation requirements (CE Plus level only)
  Before April 2026: An initial random sample set was selected (e.g. 10 PC devices) based on the IASME sampling requirement. The sample was tested and iteratively remediated until compliance was achieved.
  From April 2026 (Version 3.3): An initial random sample set is selected; however, if remediation is required on the initial sample, a new random sample of additional devices must be selected to demonstrate that the issues have been remediated, instead of demonstrating remediation on the devices already selected.
  What this may mean for you: This increases the importance of having staff available at relatively short notice throughout the assessment, and of quick coordination when remediating issues found (particularly where third-party IT support is involved).

Area: 14-day critical updates marking
  Before April 2026: Failing to install high or critical risk updates within the required period was a non-compliance, not leading to an automatic fail.
  From April 2026 (Version 3.3): Failing to update has become a failing issue. High-risk or critical security updates for operating systems, router and firewall firmware, and applications must be installed within 14 days of release.
  What this may mean for you: Organisations must keep all software updated and provide assessors with evidence of this (CE+).

Area: No changes are allowed to the CE report
  Before April 2026: Changes could be made to the CE basic certificate if a client needed to correct it. If something was incorrectly stated (e.g. MFA), it could be amended.
  From April 2026 (Version 3.3): No changes can be made to the CE basic certificate or report during the CE+ process.
  What this may mean for you: This increases the need for organisations to be aware of all infrastructure, devices, versions, etc. Clients will need to redo the CE basic assessment to correct answers, rather than a CE Plus assessor retrospectively updating the report.

Area: Multi-Factor Authentication (MFA)
  Before April 2026: MFA was required, but ambiguity existed around cloud services where MFA was available but not enabled.
  From April 2026 (Version 3.3): If MFA is available on a cloud service (free or paid), it must be enabled. Not enabling it results in automatic failure.
  What this may mean for you: You will need to ensure MFA is switched on across all cloud systems (e.g. email, file storage, CRM). If it is available and not activated, you will fail the assessment.

Area: Cloud Services – Definition
  Before April 2026: Cloud services were not clearly defined in the requirements.
  From April 2026 (Version 3.3): Cloud services are clearly defined as services accessed over the internet that store or process organisational data.
  What this may mean for you: There is less room for interpretation. Systems like Microsoft 365, Google Workspace, cloud accounting platforms and CRMs clearly fall within scope.

Area: Cloud Services – Scope
  Before April 2026: Some organisations interpreted scope in ways that excluded certain cloud services.
  From April 2026 (Version 3.3): Cloud services storing or processing organisational data must be included in scope and cannot be excluded.
  What this may mean for you: You can no longer leave key cloud systems out of your assessment. Expect your assessor to require them to be included.

Area: Scoping Clarity
  Before April 2026: Terms such as “untrusted” and “user-initiated” allowed flexibility in defining scope.
  From April 2026 (Version 3.3): Terminology has been clarified. Devices and services connected to the internet that handle organisational data are expected to be included unless properly segregated.
  What this may mean for you: If a device or system connects to the internet and is used for business purposes, it will likely need to be included. Clear network segregation becomes more important if exclusions are claimed.

Area: Backups
  Before April 2026: Backup requirements were included but positioned later in the documentation.
  From April 2026 (Version 3.3): Backup guidance has been moved earlier to emphasise its importance.
  What this may mean for you: Greater emphasis on demonstrating recoverability from ransomware or data loss. Backups should be configured and regularly tested.

Area: Application / Web Security Section
  Before April 2026: The requirements referred to web applications.
  From April 2026 (Version 3.3): The section has been reframed as Application Development, aligning more clearly with secure development principles.
  What this may mean for you: If your business develops software or web applications, you may need clearer evidence of secure development practices.

Area: Assessment Version Change
  Before April 2026: Organisations are assessed against the version in place when their assessment account is created.
  From April 2026 (Version 3.3): Assessments created on or after 27 April 2026 will use Version 3.3. Earlier accounts can be completed under the previous version within six months.
  What this may mean for you: If you want to certify under the current rules, you must create your assessment account before 27 April 2026. After that, the new rules apply.
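The version cut-off, the 14-day update window and the cloud-MFA rule above can be encoded as a simple pre-assessment self-check. The code below is an added example, not Amtivo's or IASME's tooling; the dates and thresholds come from the text above, while the asset names, update records and the "review" outcome for MFA under the earlier version are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Values stated on the page; everything else in this file is constructed.
V33_EFFECTIVE = date(2026, 4, 27)    # v3.3 applies to accounts created on or after this date
UPDATE_WINDOW = timedelta(days=14)   # high/critical updates must be installed within 14 days


def applicable_version(account_created: date) -> str:
    """Assessments are marked against the version in force when the account was created."""
    return "3.3" if account_created >= V33_EFFECTIVE else "3.2"


@dataclass
class UpdateRecord:
    asset: str                 # constructed asset name, e.g. "laptop-07"
    component: str             # OS, router/firewall firmware, or application
    severity: str              # vendor severity: "critical", "high", "medium", ...
    released: date
    installed: Optional[date]  # None means still missing on the assessment date


def update_findings(records: List[UpdateRecord], assessment_date: date,
                    version: str) -> List[Tuple[str, str, str]]:
    """Return (asset, component, outcome) for each high/critical update that missed
    the 14-day window. Marking follows the table: non-compliance under 3.2, fail under 3.3."""
    outcome = "fail" if version == "3.3" else "non-compliance"
    findings = []
    for r in records:
        if r.severity.lower() not in ("critical", "high"):
            continue                     # only high/critical updates carry the 14-day rule
        deadline = r.released + UPDATE_WINDOW
        effective = r.installed or assessment_date   # uninstalled = overdue as of assessment day
        if effective > deadline:
            findings.append((r.asset, r.component, outcome))
    return findings


def mfa_findings(services: List[Tuple[str, bool, bool]], version: str) -> List[Tuple[str, str]]:
    """services: (name, mfa_available, mfa_enabled). Under 3.3 an available-but-disabled
    MFA option is an automatic fail; for 3.2 the page only describes ambiguity, so this
    example (an assumption) reports such services as "review" rather than a result."""
    outcome = "fail" if version == "3.3" else "review"
    return [(name, outcome) for name, available, enabled in services if available and not enabled]


# Constructed sample inventory for a hypothetical assessment on 30 May 2026.
SAMPLE_RECORDS = [
    UpdateRecord("laptop-07", "OS", "critical", date(2026, 5, 1), date(2026, 5, 10)),       # 9 days: ok
    UpdateRecord("laptop-07", "browser", "high", date(2026, 5, 1), date(2026, 5, 20)),      # 19 days: late
    UpdateRecord("edge-firewall", "firmware", "critical", date(2026, 5, 2), None),          # not installed
    UpdateRecord("laptop-03", "pdf-reader", "medium", date(2026, 4, 1), None),              # not high/critical
]
SAMPLE_SERVICES = [("email", True, True), ("file-storage", True, False), ("legacy-crm", False, False)]


def run_sample(account_created: date = date(2026, 5, 4)):
    version = applicable_version(account_created)
    return version, update_findings(SAMPLE_RECORDS, date(2026, 5, 30), version), \
        mfa_findings(SAMPLE_SERVICES, version)


if __name__ == "__main__":
    print(run_sample())
```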


2025: Terminology Update

Willow Question Set, Expanded Clarifications and Enhanced Security Protocols

IASME and NCSC have announced a new ‘Willow’ question set and related documentation (Requirements for IT Infrastructure v3.2), which took effect for all Cyber Essentials applications started on or after 28 April 2025.

This update introduces minor clarifications primarily focused on definitions, alongside enhancements to security protocols.

The update includes changes relating to:

  • Terminology: ‘Plugins’ are now called ‘extensions’, to align with industry usage and reduce ambiguity.
  • Remote work: The definition of ‘remote working’ now explicitly includes work from locations such as cafes, hotels, and public transport, and not just home offices.
  • Passwordless authentication: The scheme now accepts modern passwordless authentication methods, such as biometrics, security keys, and one-time codes, alongside traditional multi-factor authentication.
  • Vulnerability fixes: The terminology has broadened from ‘patches and updates’ to ‘vulnerability fixes’, encompassing a wider range of approved methods for addressing security issues, including non-patch technical measures like configuration changes or scripts.
  • Improved clarity: Various questions and guidance materials have been refined to help applicants understand and meet the requirements more effectively.
  • Security alignment: The Cyber Essentials scheme continues its annual review cycle to remain relevant to modern and evolving cyber threats.


2024: Minor Clarifications

Incremental Clarifications Strengthened Cyber Essentials 

Cyber Essentials updates in 2024 focused on minor clarifications and improvements to guidance. New resources, including the Cyber Essentials Knowledge Hub, were introduced to provide more sector-specific advice and support to applicants and certification bodies. 

Subtle refinements in documentation language made the application process clearer and more accessible, while all core technical controls and requirements remained unchanged. 


2023: Streamlining Security Compliance

Introduction of the Montpellier Question Set and Targeted Clarifications 

The Cyber Essentials scheme launched the new ‘Montpellier’ question set and several important clarifications to streamline security compliance for UK organisations. The update replaced the previous ‘Evendine’ question set and took effect on 24 April 2023.

Key changes include: 

  • Simplified device documentation: For assessment purposes, applicants only needed to declare the make and operating system of user devices in scope, and listing the model was no longer necessary (excluding network devices). 
  • Firmware scope refined: The definition of ‘firmware’ was clarified. Only the firmware of firewalls and routers was in scope for update requirements, rather than all device firmware.
  • Third-party device handling: New guidance and a table clarified how to treat third-party devices (for example, those owned by contractors) within the assessment and scope. 
  • Device locking flexibility: If a device’s default settings for lockout after failed login were unchangeable, applicants could accept the manufacturer’s default for more practical device management. 
  • Anti-malware flexibility: Anti-malware protections no longer needed to be signature-based, and guidance covered protections for each device category. Sandboxing was no longer an option.
  • Zero Trust guidance added: The update introduced guidance on Zero Trust Architecture and asset management, supporting the move towards stronger security frameworks. 
  • Language and structure update: The requirements document had a style and language refresh, and technical controls were reordered to match the self-assessment structure. 
  • Cyber Essentials Plus: The Illustrative Test Specification was updated to align with the changes, with a focus on refreshed malware protection tests for simplicity. 


2022: Significant Update

Cyber Essentials certification – a guide to the 2022 update 

Cyber Essentials and Cyber Essentials Plus changed in 2022. New infrastructure requirements and amendments to technical controls announced by the National Cyber Security Centre (NCSC) came into force on January 24, 2022. If your business required Cyber Essentials certification, you needed to know what the 2022 update meant and how it affected certification. 

It was essential information for any organisation looking to become certified or to work as a supplier to organisations such as the Ministry of Defence (MoD) and the National Health Service (NHS).

What was the Cyber Essentials 2022 update? 

The new Cyber Essentials question set – known as Evendine – launched on January 24, 2022. It was the most significant change to the standard since it was introduced. While new question sets had been released previously, there had been very few changes to the scheme requirements themselves. With the Evendine release, there were significant changes to the scope requirements and the controls that needed to be applied to the devices within that scope. 

The changes were designed to modernise the scheme and take into account key technology trends and infrastructure changes that had become commonplace. Trends such as a move to greater home working and Bring Your Own Device (BYOD) were now part of the scheme. 

The 2022 update included changes to Cyber Essentials relating to: 

  • Cloud-based services such as Software as a Service (SaaS) 
  • Passwords and two-factor authentication 
  • Device declaration and BYOD 
  • Thin clients 
  • Homeworkers 
  • Routers and firewalls 

The Cyber Essentials standard was constantly evolving, and there were usually annual updates to the question set. The reason behind these updates was that the threat landscape was continually evolving too: attacks that had been successfully thwarted in previous years might well have moved on in sophistication and delivery, and would otherwise succeed for criminals.

Cloud service changes 

The Evendine update introduced significant changes to what must be included in scope, with the most noticeable being the inclusion of all cloud services. From the introduction of Evendine, all cloud services were required to be within the scope of Cyber Essentials. 

Infrastructure as a Service (IaaS): was already in scope with Cyber Essentials and covered on-demand IT services such as storage and computing. 

Software as a Service (SaaS): previously regarded as out of scope, it was now in scope and covered on-demand software services such as cloud-hosted business applications.

Platform as a Service (PaaS): had been a grey area that generally required careful consideration as to whether the service should be in scope or not, and covered development and deployment platforms in the cloud, such as database management. 

It was now impossible to certify only the cloud elements of the business or servers. The NCSC and IASME clarified that end-user devices must also be in scope. 

The 2022 update meant that: 

  • It was no longer acceptable to descope all end-user devices. 
  • It was not possible to descope cloud services used by the organisation. 
  • All devices, software, and firmware in scope (including BYOD) had to be supported, with all controls applied. 

Password requirement changes 

There were also changes to passwords and 2-factor authentication (2FA) requirements. 

From January 2024, all administrative users of cloud services had to have multi-factor authentication (MFA) applied, and all standard user accounts needed MFA when certifying in 2023. 

In the meantime, user accounts needed passwords of at least 12 characters, or at least 8 characters where a technical control was in place to deny bad passwords.

The NCSC requirements document described the new password controls as: 

  • Workers had to be educated on how to avoid common or discoverable passwords, such as a pet’s name, common keyboard patterns, or passwords they had used elsewhere. This could have included teaching people to use the password generator feature built into some password managers. 
  • Encouraging people to choose longer passwords. This could have been done by promoting the use of multiple words (a minimum of three) to create a password (e.g., ‘Three Random Words’). 
  • Providing usable secure storage for passwords (for example, a password manager or secure locked cabinet) with clear information about how and when it could be used. 
  • Not enforcing regular password expiry and not enforcing password complexity requirements. 
  • There had to be an established process to change passwords promptly if the applicant knew or suspected the password or account had been compromised. 
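The length rule and deny-list condition above can be expressed as a small policy check. This is an added example, not code from the page or from NCSC/IASME; the deny list is a constructed stand-in for the "technical control to deny bad passwords", and the word-count hint for ‘Three Random Words’ is an assumption about how an organisation might nudge users.

```python
from typing import Tuple

# Constructed deny list standing in for the technical control that denies bad passwords.
# A real deployment would use a far larger list (e.g. known-breached passwords).
DENY_LIST = {"password", "password1", "qwerty", "123456", "letmein", "welcome1"}


def check_password(password: str, deny_list_enforced: bool,
                   deny_list=DENY_LIST) -> Tuple[bool, str]:
    """Apply the 2022 Cyber Essentials password rules described on the page.

    - at least 12 characters, or
    - at least 8 characters when a deny-list control is enforced (and the password is not on it).
    Deliberately no character-class complexity rule and no expiry rule, as the page states.
    """
    if deny_list_enforced and password.lower() in deny_list:
        return False, "password is on the deny list"
    minimum = 8 if deny_list_enforced else 12
    if len(password) < minimum:
        return False, f"shorter than {minimum} characters (deny list enforced: {deny_list_enforced})"
    return True, f"meets the {minimum}-character minimum"


def three_random_words_hint(password: str) -> str:
    """Constructed nudge for the ‘Three Random Words’ guidance: count word-like chunks
    split on spaces, hyphens or underscores (an assumption about how to detect the pattern)."""
    words = [w for w in password.replace("-", " ").replace("_", " ").split() if w]
    if len(words) >= 3:
        return "looks like a multi-word passphrase"
    return "consider three or more random words to reach the length comfortably"


if __name__ == "__main__":
    for pw, enforced in [("Tr0ub4dor", False), ("Tr0ub4dor", True),
                         ("password1", True), ("coffee-tractor-lantern", False)]:
        print(pw, enforced, check_password(pw, enforced), three_random_words_hint(pw))
```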

Requirements to declare devices and BYOD 

Servers and end-user device quantities had to be declared, and a change was that the make and model of each device, as well as the operating system, had to be declared. A common reason for assessments being sent back was that both the edition and the version number of the operating system were required.

It was recommended to maintain an up-to-date asset register, which had to include BYOD devices, to provide the required information. 

As tracking BYOD devices could be complex, it was suggested to have a process for “on-boarding” a BYOD device so that the owner/make/model/OS could be documented whenever a staff member wished to use their own device to connect to company data. 

Staff also needed to be prepared for the possibility that, if they chose to use a BYOD device, the device might need to be tested during Cyber Essentials Plus auditing, which should have been covered through employment contracts or internal policy. The recommendation was to cover this off with HR to ensure adequate coverage for BYOD. 

All BYOD devices that accessed business data – including emails and cloud services – had to be regarded as being in scope and had to be fully declared. They also needed to have all the controls applied to them in the same way a corporate device would have. 

If mobile devices were only being used to access a virtual desktop infrastructure (VDI) solution, this brought the device into scope in the same way as if it could access corporate emails. 

If BYOD devices were only used for voice calls, SMS text messages, or as a platform to receive 2-factor authentication codes, then this did not bring them into scope. 

It was necessary to assess whether BYOD devices were essential to the business. 

Unless BYOD devices were treated in the same way as corporate mobiles (all updates applied, a minimum 6-character PIN with rate limiting and lockout in place, and the device not jailbroken or rooted), it was possible to fail Cyber Essentials and/or Cyber Essentials Plus.

Cyber Essentials 2022 – thin clients 

From 2023, all thin clients needed to be in support and receive security updates. The Evendine question set included questions around thin client use. 

Clarification around remote (home) workers 

There was clarification around organisations that employed home workers. If the home network used an ISP-provided router, this was seen as being out of scope. Should the organisation have provided a router for the home worker, then this was in scope. 

Homeworker computers had to have the software firewall active on the device. If this was in place, then home networks were out of scope. In the interests of best practice, it was suggested to set the public firewall profile to deny all incoming traffic. 

Routers and firewalls requirements 

Routers and firewalls had to have a password of at least 8 characters and either 2FA in place, or login limited to internal addresses or a select few whitelisted external IP addresses.

This was also tested as part of Cyber Essentials Plus. 

There were also some significant changes to the Cyber Essentials Plus testing and auditing process. 

What did the changes to Cyber Essentials Plus 2022 mean for an assessor? 

Cyber Essentials Plus Assessors saw many organisations fail the standard due to insufficient patching of operating systems and applications. Applying security updates within the mandated 14-day period presented a challenge to some organisations, and the changes only resulted in the bar being raised. 

The reason behind this was that previously, assessors were allowed to discount some vulnerabilities whose exploitation required methods such as local access to the machine or tricking a user into taking an action. Additionally, the functionality of the attack had to be proven with a reasonable level of certainty.

In the new Cyber Essentials Plus, all critical and high vulnerabilities had to be remediated regardless of the attack vectors. This was a significant change, and many organisations that Assessors had previously been able to pass would now fail under the new assessment. 

A new test of all cloud services was introduced with initial checks that all administrator accounts had 2FA enabled. From 2023, all accounts, even standard user accounts, needed to have 2FA present. 

There were further tests to ensure that administrators did not work on a day-to-day basis with admin privileges, which was often a contentious requirement for developers. 

Even for developers, having admin privileges in the course of everyday work was prohibited. 

For macOS/Linux devices specifically, there had to be account separation between the user account (used for day-to-day work such as email/web browsing) and the administrative account of the machine. It was not compliant for a user to be a part of the “sudo” user group – there had to be complete separation. 

