2026: April Scheduled Update
Cyber Essentials latest update
IASME and the National Cyber Security Centre (NCSC) have confirmed the next scheduled update to the Cyber Essentials requirements. The updated Requirements for IT Infrastructure v3.3 will take effect from 27 April 2026.
Organisations starting a Cyber Essentials assessment after this date will follow the new version. Assessments created before this cut-off will continue under the existing requirements, with up to six months to complete.
This annual review focuses on improving clarity and consistency within the standard. The changes from the previous ‘Willow’ question set to the newly titled ‘Danzell’ question set are more significant than earlier scheme changes, with key changes to the requirements for organisations seeking to certify at both Cyber Essentials Basic and Cyber Essentials Plus level. Most changes are refinements to definitions and scope rather than the introduction of new technical controls, but some updates will be important for organisations preparing for certification. For full details, see the official announcement on the IASME website.
Summary of key changes
- Stronger MFA expectations: Multi-factor authentication (MFA) remains a core control. Under the updated marking criteria, where a cloud service supports MFA, it must be enabled. If available MFA options are not implemented, the assessment is likely to result in a failure. This change reinforces the importance of MFA in protecting systems and data.
- Cloud services are defined and included in scope: The standard now includes a clear definition of what constitutes a cloud service. Any cloud-hosted tools or platforms used to store or process organisational data must be included within scope and cannot be excluded.
- Simplified scope criteria: Language relating to internet connections has been clarified so that any device capable of connecting to the internet, whether through inbound or outbound connections, falls within scope. Where parts of an organisation are excluded from scope, applicants must clearly explain what has been excluded, why it has been excluded, and how it has been segregated from the rest of the network infrastructure.
- Updated application development guidance: The former ‘web applications’ section has been renamed Application Development and now references the UK Government’s Software Security Code of Practice. Commercially available web applications are in scope by default, while bespoke internal components are treated separately.
- Greater emphasis on backups: Guidance on backups has been repositioned earlier in the requirements document to highlight their importance in supporting recovery following a cyber incident.
- Updated user access control guidance: The user access control section places increased emphasis on modern authentication methods, particularly passwordless approaches such as passkeys and FIDO2 authenticators. These technologies provide secure alternatives to traditional passwords and are recognised as best practice.
What This Means for Organisations
The April 2026 update is designed to remove ambiguity and strengthen the implementation of the core technical controls. Most organisations should find alignment straightforward. However, the revised approach to MFA assessment, particularly across cloud services, may require review to ensure full compliance.
To prepare for the updated requirements, organisations should review their authentication controls, cloud service usage, and how their infrastructure is scoped.
What are the differences between Cyber Essentials before April 2026 and after the April 2026 update?
We are closely monitoring the April 2026 Cyber Essentials update and supporting organisations in understanding exactly what is changing and how it may affect their certification.
| Area | Before April 2026 | From April 2026 (Version 3.3) | What This May Mean for You |
|---|---|---|---|
| Sample remediation requirements (CE Plus level only) | An initial random sample set was selected e.g. 10 PC devices, based on the IASME sampling requirement. The sample was tested and iteratively remediated until compliance was achieved. | An initial random sample set is selected; however, if remediations are required on the initial samples, instead of demonstrating remediation of those already selected devices, a new random sample of additional devices must be selected to demonstrate remediation of any issues. | This increases the importance of having staff available at relatively short notice throughout the assessment and quick coordination in remediating issues found (particularly where 3rd party IT support is involved). |
| 14-day critical updates marking | Failing to install high-risk or critical updates within the required window was marked as a non-compliance but did not lead to an automatic fail. | Failing to meet the update requirement is now a failing issue. High-risk or critical security updates for operating systems, router and firewall firmware, and applications must be installed within 14 days of release. | Organisations must keep all software updated and provide assessors with evidence (CE+). |
| No changes are allowed to the CE report | Changes to the CE Basic certificate could be made during the CE+ process; if something was incorrectly stated (e.g. MFA), it could be amended. | No changes can be made to the CE Basic certificate or report during the CE+ process. | Organisations must ensure full infrastructure awareness before submission. Errors may require redoing CE Basic rather than retrospective amendments. |
| Multi-Factor Authentication (MFA) | MFA was required, but ambiguity existed around cloud services where MFA was available but not enabled. | If MFA is available on a cloud service (free or paid), it must be enabled. Not enabling it results in automatic failure. | MFA must be switched on across all cloud systems (email, file storage, CRM). If available and not activated, the assessment will fail. |
| Cloud Services – Definition | Cloud services were not clearly defined in the requirements. | Cloud services are clearly defined as services accessed over the internet that store or process organisational data. | Systems such as Microsoft 365, Google Workspace, accounting platforms and CRMs clearly fall within scope. |
| Cloud Services – Scope | Some organisations interpreted scope in ways that excluded certain cloud services. | Cloud services storing or processing organisational data must be included in scope and cannot be excluded. | Key cloud systems must now be included. Expect assessors to require them in scope. |
| Scoping Clarity | Terms such as “untrusted” and “user-initiated” allowed flexibility in defining scope. | Terminology has been clarified. Devices and services connected to the internet handling organisational data are expected to be included unless properly segregated. | Internet-connected business systems will likely need inclusion. Clear network segregation is essential if exclusions are claimed. |
| Backups | Backup requirements were included but positioned later in the documentation. | Backup guidance has been moved earlier to emphasise its importance. | Greater emphasis on demonstrating recoverability from ransomware or data loss. Backups should be configured and regularly tested. |
| Application / Web Security Section | The requirements referred to web applications. | The section has been reframed as Application Development, aligning more clearly with secure development principles. | Organisations developing software may need clearer evidence of secure development practices. |
| Assessment Version Change | Organisations are assessed against the version in place when their assessment account is created. | Assessments created on or after 27 April 2026 will use Version 3.3. Earlier accounts can be completed under the previous version within six months. | To certify under current rules, create your assessment account before 27 April 2026. After that, new rules apply. |
2025: Terminology Update
Willow Question Set, Expanded Clarifications and Enhanced Security Protocols
IASME and NCSC have announced a new ‘Willow’ question set and related documentation (Requirements for IT Infrastructure v3.2), which took effect for all Cyber Essentials applications started on or after 28 April 2025.
This update introduces minor clarifications primarily focused on definitions, alongside enhancements to security protocols.
- Terminology: ‘Plugins’ are now called ‘extensions’, to align with industry usage and reduce ambiguity.
- Remote work: The definition of ‘remote working’ now explicitly includes work from locations such as cafes, hotels, and public transport, and not just home offices.
- Passwordless authentication: The scheme now accepts modern passwordless authentication methods, such as biometrics, security keys, and one-time codes, alongside traditional multi-factor authentication.
- Vulnerability fixes: The terminology has broadened from ‘patches and updates’ to ‘vulnerability fixes’, encompassing a wider range of approved methods for addressing security issues.
- Improved clarity: Various questions and guidance materials have been refined to help applicants understand and meet the requirements more effectively.
- Security alignment: The Cyber Essentials scheme continues its annual review cycle to remain relevant to modern and evolving cyber threats.
2024: Minor Clarifications
Incremental Clarifications Strengthened Cyber Essentials
Cyber Essentials updates in 2024 focused on minor clarifications and improvements to guidance. New resources, including the Cyber Essentials Knowledge Hub, were introduced to provide more sector-specific advice and support to applicants and certification bodies.
Subtle refinements in documentation language made the application process clearer and more accessible, while all core technical controls and requirements remained unchanged.
2023: Streamlining Security Compliance
Introduction of the Montpellier Question Set and Targeted Clarifications
The UK’s Cyber Essentials scheme launched the new ‘Montpellier’ question set and several important clarifications to streamline security compliance for UK organisations. The update replaced the previous ‘Evendine’ question set and took effect on 24 April 2023.
- Simplified device documentation: Applicants only needed to declare the make and operating system of user devices in scope.
- Firmware scope refined: Only the firmware of firewalls and routers was in scope for update requirements.
- Third-party device handling: Guidance clarified how to treat third-party devices within assessment scope.
- Device locking flexibility: Manufacturer default lockout settings could be accepted if unchangeable.
- Anti-malware flexibility: Protections no longer needed to be signature-based.
- Zero Trust guidance added: Guidance on Zero Trust Architecture and asset management was introduced.
- Language and structure update: Style and language refresh, with reordered technical controls.
- Cyber Essentials Plus: Testing specification updated with refreshed malware protection tests.
2022: Significant Update
Cyber Essentials Certification – a guide to the 2022 update
Cyber Essentials and Cyber Essentials Plus changed in 2022. New infrastructure requirements and amendments to technical controls announced by the National Cyber Security Centre (NCSC) came into force on January 24, 2022.
It was essential information for any organisation looking to become certified or work as a supplier to organisations such as the Ministry of Defence (MoD) and the National Health Service (NHS).
What was the Cyber Essentials 2022 update?
The new Cyber Essentials question set – known as Evendine – launched on January 24, 2022. It was the most significant change to the standard since its introduction.
Cloud service changes
All cloud services were required to be within scope of Cyber Essentials.
Password requirement changes
Changes were introduced to passwords and multi-factor authentication requirements.
Requirements to declare devices and BYOD
Servers and end-user devices had to be declared, including operating system details. BYOD devices accessing business data were required to be fully in scope.
Cyber Essentials 2022 – thin clients
All thin clients needed to be supported and receive security updates.
Routers and firewalls requirements
These required a minimum 8-character password and either MFA or restricted login access.
Discover Cyber Essentials Certification
Help protect your business from cyber attacks – find out more about Cyber Essentials certification.
Request a quote today or contact our team to discuss your needs.
