Cyber Essentials vs Cyber Essentials Plus: What’s Changing in 2026

Written by

Chris Wilson
Systems and Compliance Officer
Chris managed the development and deployment of many Nexus software projects, before turning to work in Nexus’s internal business processes. His work on Nexus’s internal compliance involves subjects like data protection, client contracts and information security. He also selects and administers some of Nexus’s business systems.

Key Takeaways

  • Cyber Essentials (CE) is a self-assessment certification. Cyber Essentials Plus (CE+) includes independent technical testing.
  • Both CE and CE+ are evolving as of April 2026 (Version 3.3, ‘Danzell’), making Multi-Factor Authentication (MFA) mandatory for all cloud services that offer it.
  • CE remains the baseline for demonstrating cyber hygiene. CE+ provides higher assurance recognised in tenders and supply chain checks.
  • CE+ testing will become more rigorous in 2026, with enhanced vulnerability scans, tighter patching validation, and updated malware resilience checks.
  • A Cyber Essentials checklist helps organisations prepare for both CE and CE+ under the updated 2026 requirements.
  • CE+ audit preparation should start early and include evidence gathering, configuration checks, and a pre-assessment to reduce remediation time.


Cyber Essentials and Cyber Essentials Plus continue to be two of the most widely recognised cyber security certifications for UK organisations. With updated requirements arriving in 2026, businesses are looking for clear guidance on how the schemes differ and what these changes mean in practice.

This guide explains the core differences between Cyber Essentials and Cyber Essentials Plus, outlines the 2026 updates, provides a practical Cyber Essentials checklist, and breaks down what CE+ testing will involve going forward. If you’re preparing for certification or planning a 2026 renewal, this article will help you understand your requirements and get ready with confidence.


What is Cyber Essentials?

Cyber Essentials is a government-backed certification designed to help organisations protect against the most common cyber attacks. It’s a self-assessment scheme that focuses on five technical control areas, each aligned with everyday cyber hygiene.

The assessment covers:

  • Firewalls and boundary protection
  • Secure configuration
  • Access control
  • Malware protection
  • Software updates and patch management


A Cyber Essentials certificate shows customers, partners and suppliers that your organisation meets a recognised baseline for cyber security. As the scheme evolves in 2026, it remains a vital first step in demonstrating good practice and reducing the risk of common attacks.

What is Cyber Essentials Plus?

Cyber Essentials Plus builds on the core Cyber Essentials requirements but adds independent, hands-on technical testing. Instead of relying on self-assessment alone, CE+ has a qualified assessor from an accredited certification body validate your controls through real-world checks on a sample of your in-scope devices and services.

CE+ typically includes:

  • Internal and external vulnerability scanning
  • Device configuration testing
  • Malware resilience checks
  • Multi-Factor Authentication (MFA) verification
  • Email security checks
  • Review of patching and software installation
  • Validation of controls for remote workers

Cyber Essentials Plus is increasingly required in public sector tenders and supply chain assessments, offering a higher level of assurance that your controls are working as intended.


Cyber Essentials vs Cyber Essentials Plus: Key Differences in 2026

Understanding the distinction between Cyber Essentials (CE) and Cyber Essentials Plus (CE+) is essential when planning for certification, especially as the 2026 updates introduce stricter technical requirements. The following sections outline the major differences between the two schemes and what organisations can expect under the updated standard.


Validation Method

The way each certification validates your security controls is the clearest difference between CE and CE+. One relies on your own assessment, while the other requires independent testing to confirm that your environment is configured securely and operating as intended.

  • Cyber Essentials: Self-assessment questionnaire submitted with evidence.
  • Cyber Essentials Plus: Independent audit with hands-on testing by a qualified assessor.

This difference in how the controls are verified is the biggest practical distinction between the two schemes.

Testing Depth

Although both schemes assess the same core controls, they do so at very different levels of detail. CE focuses on demonstrating your policies and configurations, while CE+ verifies how those controls work in real-world conditions.

  • CE: Evidence-based review of policies, settings, and procedures.
  • CE+: Hands-on testing. Assessors run an external vulnerability scan of your internet-facing boundary and authenticated vulnerability scans on a sample of devices (a vulnerability scan, not a full penetration test). They also verify MFA on cloud services, inspect devices, check patch levels, and validate configurations.

The 2026 update increases the depth of CE+ testing, especially for cloud services, endpoints, and user access.

Assurance Level

In 2026, the assurance levels associated with CE and CE+ remain consistent with previous years, but the gap between them is widening. As CE+ testing becomes more rigorous, it provides stronger confirmation that an organisation is meeting modern security standards.

  • CE: Baseline assurance recognised across the UK.
  • CE+: Higher assurance required by many regulated industries and government contracts.

Cost and Effort

The level of time, preparation, and internal coordination also differs significantly between the two schemes. CE remains the lighter option for smaller organisations, while CE+ requires more detailed evidence and testing.

  • CE is quicker, cheaper, and suitable for organisations looking to demonstrate basic cyber hygiene.
  • CE+ requires more preparation, more evidence, and more internal coordination.

Under the 2026 framework, organisations should expect CE+ testing to take longer due to increased technical scope.

What’s Changing in 2026 for CE and CE+?

Both Cyber Essentials and Cyber Essentials Plus are being strengthened in 2026. The technical changes are defined in the NCSC’s Cyber Essentials: Requirements for IT Infrastructure v3.3 (‘Danzell’) and will apply to assessments created on or after 27 April 2026. The updates focus on improving cloud security controls, modern authentication standards, device security, and audit clarity.

Stricter Cloud Service Requirements

Cloud providers and SaaS platforms must meet clearer, more detailed security controls, and organisations will need to demonstrate this for each cloud service in scope.

Crucially, in 2026, cloud services cannot be descoped or removed from scope if they store or process company data.

Updated Multi-Factor Authentication Standards

MFA will become mandatory for a wider range of services. The new rules tighten:

  • Coverage requirements
  • Acceptable MFA methods
  • Enforcement for remote access, admins, and cloud apps.

New Device and Endpoint Expectations

2026 rules place more emphasis on endpoint resilience:

  • Supported operating systems only
  • More rigorous patching windows
  • Clearer configuration standards
  • Stronger requirements for remote users and BYOD.

New Technical Testing Requirements for CE+

CE+ testing will become more thorough and standardised. Expect:

  • Enhanced vulnerability scans
  • Malware resistance checks
  • Stronger password and authentication checks
  • Evidence of patching within tighter timescales
  • More transparent device sampling rules.

Revised Scoping Rules

The scheme will expand requirements covering:

  • Shadow IT
  • Unmanaged or unknown devices
  • Third-party and contractor equipment
  • Personal devices involved in sensitive workflows.

Annual Renewal Changes

The April 2026 update is expected to introduce:

  • More consistent submission formats
  • Better evidence retention guidance
  • More formal alignment between CE and CE+ submissions.

Cyber Essentials Checklist for 2026

Use this checklist to assess your readiness for the updated 2026 standard:

  • Firewall and boundary defences are configured and documented
  • Default settings on all devices have been replaced with secure configurations
  • All user accounts follow least-privilege principles
  • MFA is enabled for all cloud services and remote access
  • Anti-malware controls are active and centrally managed
  • Patching meets the required timeframes
  • Unsupported operating systems are removed or isolated
  • A full asset list of devices, software, and cloud platforms is maintained
  • Logging and monitoring are active on core systems
  • Mobile devices and BYOD are securely configured
  • Password policies meet modern authentication standards
  • Cloud configurations follow secure defaults and shared responsibility guidance.

CE Plus Testing: What Auditors Will Check in 2026

CE+ assessors validate your Cyber Essentials controls through hands-on testing. In 2026, expect the following areas to receive more detailed scrutiny.


External and Internal Vulnerability Scans

Assessors run both external and internal scans to identify unpatched vulnerabilities or misconfigurations.

Endpoint Configuration Review

A sample of devices chosen by the assessor (covering each device type and operating system build in scope) will be checked for:

  • OS version
  • User account permissions
  • Patch status
  • Anti-malware tools
  • Installed applications.
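The device checks listed above, together with the matching items in the 2026 checklist (unsupported operating systems, least-privilege accounts, patch timeframes, anti-malware, firewalls), can be collected before the assessor asks for them. The PowerShell script below is an added example written for this page; it is not part of the NCSC test specification or Nexus’s own tooling. It queries one Windows endpoint with built-in cmdlets and writes a JSON evidence record plus a list of findings. The 14-day patch window reflects the current requirement for updates fixing critical and high severity vulnerabilities; the minimum supported build number, the signature-age tolerance and the output file name are assumptions for illustration.

```powershell
# Added example, not NCSC test-specification tooling or Nexus code.
# Collects, on one Windows endpoint, the evidence a CE+ assessor samples:
# OS version, local admin membership, patch status, anti-malware state,
# firewall state and installed applications. Run it unelevated, as the
# user's everyday account, so the admin-membership check is meaningful.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows 10/11.

# --- Thresholds (assumptions for illustration; adjust to your scope) ---
$PatchWindowDays       = 14     # CE: critical/high fixes applied within 14 days of release
$MinimumSupportedBuild = 26100  # Assumed floor (Windows 11 24H2); verify against Microsoft's lifecycle pages
$MaxSignatureAgeDays   = 1      # Assumed tolerance for anti-malware definition age
$OutputPath            = "ce-plus-evidence-$env:COMPUTERNAME.json"   # assumed file name

$findings = New-Object System.Collections.Generic.List[string]

# 1. Operating system and support status
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([int]$os.BuildNumber -lt $MinimumSupportedBuild) {
    $findings.Add("OS build $($os.BuildNumber) is below the assumed supported floor $MinimumSupportedBuild; confirm vendor support or remove the device from scope")
}

# 2. User account permissions: is the everyday user a local administrator?
$currentUser = "$env:USERDOMAIN\$env:USERNAME"
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)
if ($admins -contains $currentUser) {
    $findings.Add("$currentUser is a local administrator; CE expects separate accounts for administrative tasks")
}

# 3. Patch status. Get-HotFix covers Windows updates only; third-party
#    applications are what the CE+ authenticated vulnerability scan checks.
$latestPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSincePatch = if ($latestPatch) { ((Get-Date) - $latestPatch.InstalledOn).Days } else { $null }
if ($null -eq $daysSincePatch -or $daysSincePatch -gt $PatchWindowDays) {
    $findings.Add("No Windows update installed in the last $PatchWindowDays days (latest: $($latestPatch.InstalledOn)); review against the 14-day requirement")
}
$latestPatchRecord = $null
if ($latestPatch) {
    $latestPatchRecord = [pscustomobject]@{ HotFixID = $latestPatch.HotFixID; InstalledOn = $latestPatch.InstalledOn }
}

# 4. Anti-malware: Microsoft Defender status (other products need their own query)
$avRecord = $null
try {
    $av = Get-MpComputerStatus -ErrorAction Stop
    if (-not $av.AntivirusEnabled -or -not $av.RealTimeProtectionEnabled) {
        $findings.Add('Defender antivirus or real-time protection is disabled')
    }
    if ($av.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Defender signatures are $($av.AntivirusSignatureAge) day(s) old")
    }
    $avRecord = $av | Select-Object AMProductVersion, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
} catch {
    $findings.Add('Could not query Microsoft Defender; record the third-party anti-malware product in use')
}

# 5. Firewall: every profile (Domain, Private, Public) should be enabled
$firewall = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
foreach ($fwProfile in $firewall) {
    if ("$($fwProfile.Enabled)" -ne 'True') {
        $findings.Add("Firewall profile $($fwProfile.Name) is not enabled")
    }
}

# 6. Installed applications, from the uninstall registry keys (64- and 32-bit)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

# Assemble the evidence record and write it out for the assessment pack
$evidence = [pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    CollectedAt           = (Get-Date).ToString('o')
    OperatingSystem       = [pscustomobject]@{ Caption = $os.Caption; Version = $os.Version; Build = $os.BuildNumber }
    LocalAdministrators   = $admins
    LatestWindowsUpdate   = $latestPatchRecord
    AntiMalware           = $avRecord
    FirewallProfiles      = $firewall
    InstalledApplications = $apps
    Findings              = $findings
}

$evidence | ConvertTo-Json -Depth 5 | Set-Content -Path $OutputPath -Encoding UTF8
Write-Host "Evidence written to $OutputPath with $($findings.Count) finding(s)."
$findings | ForEach-Object { Write-Host " - $_" }
```

Run it as the user’s everyday account rather than from an elevated session, otherwise the administrator-membership check only confirms that you elevated. Get-HotFix reports Windows updates only, so pair this with an internal vulnerability scan to cover third-party applications before the assessment. Endpoints running a non-Microsoft anti-malware product will log a finding reminding you to record that product manually.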

MFA and Password Validation

Assessors confirm MFA is enforced and test password strength and authentication policies.

Malware Resilience Testing

Checks include:

  • Malware protection configuration
  • Controlled malware execution tests (where permitted)
  • Policy enforcement.

Email and Web Filtering Checks

Verification of phishing protection, spam filtering, and safe browsing controls.

Boundary Security and Network Controls

Firewalls, gateways, and segmentation settings are tested to ensure correct configuration.

Remote User Testing

Home and remote devices must meet the same standards as office endpoints.


CE+ Audit Preparation (How to Get Ready)

Before undergoing Cyber Essentials Plus testing, it’s important to make sure your systems, devices and evidence are fully prepared. CE+ involves hands-on technical verification, so a little preparation goes a long way in reducing delays, avoiding remediation work and ensuring a smooth audit. The steps below outline what organisations should focus on before their assessment.

Understand Your Scope Clearly

Accurate scoping prevents delays. Include:

  • All devices
  • All cloud platforms
  • Admin accounts
  • Remote workers
  • Third-party access (if applicable).

Fix Known Issues Before Testing

Prepare by:

  • Running internal scans
  • Updating software and firmware
  • Enforcing MFA everywhere
  • Reviewing administrator accounts
  • Removing unsupported devices.

Prepare Evidence in Advance

Have the following ready:

  • Screenshots of configurations
  • Patch logs
  • Asset registers
  • Cloud security settings
  • Updated policies.

Run a Pre-Assessment

A mock CE+ audit or gap analysis helps uncover issues early, reducing pressure during formal testing.

Do You Still Need Both CE and CE Plus in 2026?


Cyber Essentials is always the required first step, and organisations cannot achieve CE+ without first passing the CE self-assessment.

From 2026 onward:

  • CE remains suitable for baseline assurance
  • CE+ is recommended for organisations handling sensitive data, supplying the public sector, or operating in regulated industries.

Many industries and tenders already prefer or require CE+, and this trend will continue as controls tighten.


Choosing the Right Certification for Your Business

Choosing between Cyber Essentials and Cyber Essentials Plus depends on your organisation’s size, risk profile, and the expectations of your customers or supply chain. Both certifications strengthen security resilience, but each offers a different level of assurance depending on your environment and obligations.

  • Choose CE if you need to demonstrate basic cyber hygiene and meet standard supplier expectations.
  • Choose CE+ if you handle customer data, support remote working at scale, respond to public sector tenders, or want a higher level of assurance.

In 2026, the stronger cloud and device controls mean Cyber Essentials Plus will be the more suitable option for many organisations with modern, cloud-first environments.

How Nexus Can Support Your Cyber Essentials Journey

Preparing for Cyber Essentials or Cyber Essentials Plus can feel time-consuming, especially with the updated 2026 controls. Our team provides end-to-end support to make the process smooth, clear and achievable.

We help organisations with:

  • CE and CE+ readiness assessments
  • Gap analysis and remediation planning
  • Cloud and endpoint configuration reviews
  • Pre-audit checks and documentation
  • Ongoing support with renewals.

Our specialists track every change to the scheme so you never have to scramble or second-guess. We’ll get your controls in shape, guide you through the audit, and make sure you come out certified, confident, and protected.

Article Sources

  1. National Cyber Security Centre. Cyber Essentials: Overview. Accessed 3 December 2025.
  2. National Cyber Security Centre. Cyber Essentials Plus Test Specification v3.2. Accessed 3 December 2025.
  3. National Cyber Security Centre. Cloud Security: Shared Responsibility Model. Accessed 3 December 2025.
  4. Government Digital Service. Principle of Least Privilege Access. Accessed 3 December 2025.