Cyber Essentials has always been about basic cyber hygiene. However, the April 2026 update (v3.3) marks a shift from interpretation to obligation. The scheme is being applied more strictly, with the NCSC removing ambiguity around identity, cloud services, and device scoping.
The updated Cyber Essentials requirements place absolute emphasis on identity and cloud services. Grey areas regarding untrusted networks have been removed, and controls that were previously marked leniently, specifically regarding Multi-Factor Authentication (MFA), will now result in an automatic failure if missed.
For organisations preparing for certification this year, a first-time pass depends on understanding these confirmed changes and preparing methodically rather than rushing the questionnaire.
This guide provides a practical Cyber Essentials checklist for 2026, focused on passing under the confirmed v3.3 standard.
What to Expect from Cyber Essentials in 2026
The NCSC and IASME have confirmed the Cyber Essentials requirements for the April 2026 update (v3.3). These changes come into effect for all assessments created on or after 27 April 2026.
The interpretive approach is largely gone. The new standard introduces stricter, binary pass/fail criteria in several key areas:
- MFA is No Longer Optional: This is the headline change. If a cloud service supports Multi-Factor Authentication (even if it is a paid-for extra), you must enable it. Previously, some discretion was allowed. From April 2026, failing to enable available MFA on any cloud service is an automatic fail.
- Zero-Ambiguity Scoping: The terms “untrusted network” and “user-initiated traffic” have been removed to eliminate loopholes. Put simply: if a device connects to the internet and holds your data, it is in scope.
- “Application Development” Replaces “Web Apps”: The scope for software security has widened. If you develop your own commercial applications, you must now align with the Government’s Software Security Code of Practice.
- Passwordless is Preferred: The guidance has been updated to explicitly encourage “passwordless” authentication (such as FIDO2 keys and biometrics) over complex password policies.
Step One: Define Your Scope Properly
Incorrect scoping remains one of the most common reasons organisations fail Cyber Essentials. In the 2026 update, the specific qualifiers that previously allowed some devices to be excluded have been removed.
The terms “untrusted” and “user-initiated” have been deleted from the definitions. This means that any device that can establish a connection to the internet, inbound or outbound, is effectively in scope unless it is technically segregated (e.g., via a VLAN). In practice, the in-scope estate includes:
- Laptops and desktops used by staff.
- Mobile phones and tablets accessing work email or apps.
- Firewalls, routers, and edge devices.
- Servers and virtual machines, whether on-prem or hosted.
- Cloud services such as Microsoft 365, finance platforms, CRMs, and collaboration tools.
Crucially, the new update explicitly defines Cloud Services and states that they cannot be excluded. You cannot remove a SaaS platform from scope simply because a third party manages it. If it stores your data and you access it via the internet, you are responsible for its access controls.
What This Looks Like in Practice
A common failure scenario involves what’s called Shadow IT. A marketing team may use a third-party file-sharing platform outside of Microsoft 365. Under the v3.3 rules, if that service holds organisational data, it must be declared and it must meet MFA requirements.
Action: Before answering a single assessment question, create a complete asset register covering hardware, software, users, and cloud services. The register becomes the foundation of your Cyber Essentials checklist and prevents accidental omissions that can invalidate the entire submission.
Step Two: Enforce MFA Everywhere It Exists
Multi-Factor Authentication is the most strictly enforced area of the 2026 Cyber Essentials assessment. The new marking criteria are binary: if a system supports MFA, it must be enabled for all users. This applies even if:
- MFA requires a paid upgrade (e.g., upgrading a freemium account).
- The service is “low risk” but holds organisational data.
- The account is an administrator or service account.
If MFA is available but not enforced on any in-scope system, the assessment will result in an automatic failure.
The standard does not mandate a single MFA method, but the new guidance explicitly recommends moving toward FIDO2 and Passwordless methods (such as Windows Hello or hardware keys) rather than relying on legacy SMS codes.
How This Shows up During an Assessment
A typical failure occurs when MFA is enabled for email but not for a supporting system. For example, staff may be protected by MFA when signing into Microsoft 365, but a VPN, remote desktop gateway, or cloud management portal still allows password-only access.
Another common issue involves administrators. Standard user accounts may be protected, while local admin, service, or break-glass accounts are excluded. Assessors treat these as higher risk, not exceptions.
In both cases, the technology exists to enforce MFA, but inconsistent application creates a gap that may lead to a failed outcome.
Action: List every in-scope system that supports MFA and verify it’s enforced for all users, including administrators and service accounts. Where possible, use Single Sign-On (SSO) through Microsoft Entra ID to enforce a single, strong MFA policy across all your apps.
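The check described in the action above, evaluating each in-scope service under the v3.3 rule (available MFA must be enforced for every account, privileged ones included), is illustrated below as an added Python example. It is not code from the original article or from the NCSC/IASME scheme materials; the export layout, service names, account roles and the method labels (such as "sms" or "fido2") are assumptions, and the sample data is constructed.

```python
"""Check an MFA coverage export against the v3.3 rule: if a service
supports MFA, it must be enforced for every account, admins included.

Added example, not code from the original article or from NCSC/IASME.
The data layout, service names and method labels are all assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed labels for the 'method' field of the export.
LEGACY_METHODS = {"sms", "voice"}          # still a pass, but worth migrating
PRIVILEGED_ROLES = {"admin", "service", "break-glass"}


@dataclass
class Account:
    name: str
    role: str                  # "user", "admin", "service" or "break-glass"
    mfa_enforced: bool
    method: Optional[str] = None


@dataclass
class Service:
    name: str
    mfa_supported: bool
    mfa_paid_addon: bool = False   # MFA only available on a paid tier
    accounts: List[Account] = field(default_factory=list)


def assess_service(svc: Service) -> Tuple[str, List[str]]:
    """Return (verdict, findings) for one service.

    'fail' if MFA is available but any account lacks it; 'pass' if every
    account is covered; 'not_applicable' if the service offers no MFA.
    """
    if not svc.mfa_supported:
        return "not_applicable", [f"{svc.name}: no MFA offered; record this in the asset register"]

    findings = []
    unprotected = [a for a in svc.accounts if not a.mfa_enforced]
    for acct in unprotected:
        kind = "privileged" if acct.role in PRIVILEGED_ROLES else "standard"
        findings.append(f"{svc.name}: {acct.name} ({acct.role}, {kind}) has no MFA enforced")
    if unprotected and svc.mfa_paid_addon:
        findings.append(f"{svc.name}: MFA is a paid add-on; under v3.3 that is not an exemption")
    # Advisory only: the standard does not mandate a method, but the guidance
    # recommends moving away from SMS/voice codes toward FIDO2 or passwordless.
    for acct in svc.accounts:
        if acct.mfa_enforced and acct.method in LEGACY_METHODS:
            findings.append(f"{svc.name}: {acct.name} relies on {acct.method}; migrate to a phishing-resistant method")
    return ("fail" if unprotected else "pass"), findings


def assess_estate(services: List[Service]):
    """Apply assess_service to every in-scope service; one failing service fails the estate."""
    results = {svc.name: assess_service(svc) for svc in services}
    overall = "fail" if any(v == "fail" for v, _ in results.values()) else "pass"
    return overall, results


# Constructed sample export: four services with mixed coverage.
SAMPLE_SERVICES = [
    Service("Microsoft 365", True, accounts=[
        Account("alice", "user", True, "authenticator"),
        Account("bob", "user", True, "fido2"),
        Account("ga-admin", "admin", True, "sms"),       # covered, but legacy method
    ]),
    Service("VPN gateway", True, accounts=[
        Account("alice", "user", True, "authenticator"),
        Account("vpn-admin", "admin", False),            # password-only admin login
    ]),
    Service("Marketing file share", True, mfa_paid_addon=True, accounts=[
        Account("carol", "user", False),                 # MFA never switched on
    ]),
    Service("Legacy fax portal", False, accounts=[Account("office", "user", False)]),
]


if __name__ == "__main__":
    verdict, per_service = assess_estate(SAMPLE_SERVICES)
    print(f"Overall: {verdict}")
    for name, (v, notes) in per_service.items():
        print(f"  {name}: {v}")
        for note in notes:
            print(f"    - {note}")
```

Run against the constructed data, the estate fails on two services: the VPN gateway (an admin account without MFA) and the file share (MFA exists but was never enabled, and the paid tier is no excuse under v3.3). Microsoft 365 passes, with an advisory note that the admin still relies on SMS codes.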
Step Three: Secure Devices Properly
Device security is a high-volume failure area. With the removal of user-initiated caveats in the 2026 update, the requirement is clear: every device must meet the baseline, regardless of whether it is in the office or at home.
Every in-scope device is expected to meet a clear baseline standard, including:
- A supported operating system and supported software versions.
- Automatic security updates enabled and functioning.
- Screen locks that activate after a short period of inactivity.
- Active, up-to-date malware protection.
- No unnecessary software, services, or user-installed tools.
Where organisations cannot control the security of a home router (which is common), the responsibility shifts entirely to the device. Host-based firewalls (like the Windows Defender Firewall) must be active and correctly configured.
Administrative access is another common weakness. Day-to-day user accounts must not have admin rights. Privileged access should be limited, time-bound where possible, and used only when required for specific tasks.
How This Is Commonly Tested
Assessors frequently identify issues on devices that are technically present but poorly governed. For example, a laptop issued several years ago may still function but no longer receive operating system updates. Even if it’s rarely used, it remains in scope and will cause a failure.
Another common scenario involves convenience-driven admin access. A senior staff member may have local admin rights to install software while travelling. Even if this has never caused an issue, it violates Cyber Essentials device security requirements.
Action: Review every device in scope and confirm it meets the Cyber Essentials device security baseline. Remove local admin rights from standard user accounts, enforce automatic updates, and ensure remote devices apply the same protections as office-based systems via Intune or similar tools.
Step Four: Patch Within 14 Days Without Exception
The 14-day patching rule remains one of the most strictly enforced controls in Cyber Essentials. In 2026, assessors will apply this requirement consistently and with little tolerance for delay. Any critical or high-risk security update must be installed within 14 days of release. This applies across your entire environment, including:
- Operating systems
- Web browsers
- Business and line-of-business software
- Plugins, extensions, and supporting components.
If a vulnerability is publicly known and rated as high risk, organisations are expected to act within the defined timeframe. The reason for the delay is not considered; only the outcome matters.
End-of-life software automatically fails the assessment. Once a product is no longer supported by the vendor, no amount of compensating controls can bring it back into compliance.
Because of this, patching is now a governance issue tied directly to visibility and process.
How Patch Failures Usually Happen
Most patching failures are caused by blind spots. A common example is a browser extension or third-party plugin that does not update automatically and is overlooked during routine maintenance.
Another frequent issue involves devices that are powered on infrequently. A laptop used only for travel or a legacy virtual machine may miss multiple updates, even though core systems are kept current.
Manual patching rarely stands up to scrutiny at scale. Automation is strongly recommended to ensure consistency, provide audit evidence, and remove reliance on individual action.
Action: Identify all in-scope software and confirm it is supported, actively patched, and monitored. Implement automated update mechanisms wherever possible and review patch status regularly to ensure no device or application falls outside the 14-day requirement.
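The patch-status review described in this step, including the rarely powered-on laptop, the late install and the end-of-life component, is worked through below as an added Python example. It is not code from the original article or from the NCSC/IASME scheme materials; the record layout, asset names, severities and all dates are constructed, and the rule that the 14-day clock applies to critical and high-risk updates while unsupported software fails outright follows the text above.

```python
"""Classify patch records against the 14-day rule for critical/high updates
and the end-of-life rule (unsupported software is an automatic fail).

Added example, not code from the original article or from NCSC/IASME.
The record layout, asset names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)
TIMED_SEVERITIES = {"critical", "high"}   # the 14-day clock applies to these


@dataclass
class UpdateRecord:
    asset: str
    component: str
    severity: str              # vendor rating: critical, high, medium, low
    released: date
    installed: Optional[date]  # None if the update is still missing
    support_ends: Optional[date] = None  # vendor end of support, if known


def classify(rec: UpdateRecord, today: date) -> Tuple[str, str]:
    """Return (status, reason) for one record as of 'today'.

    status is one of: fail, pass, due, info.
    """
    label = f"{rec.asset}/{rec.component}"
    # End-of-life wins over everything else: no compensating control helps.
    if rec.support_ends is not None and rec.support_ends < today:
        return "fail", f"{label}: unsupported since {rec.support_ends}"
    if rec.severity not in TIMED_SEVERITIES:
        return "info", f"{label}: {rec.severity} update, outside the 14-day rule"
    deadline = rec.released + PATCH_WINDOW
    if rec.installed is not None:
        delay = (rec.installed - rec.released).days
        if rec.installed <= deadline:
            return "pass", f"{label}: installed {delay} days after release"
        return "fail", f"{label}: installed {delay} days after release (limit 14)"
    # Not installed yet: a device that is rarely powered on ends up here.
    if today > deadline:
        return "fail", f"{label}: missing, {(today - deadline).days} days past the deadline"
    return "due", f"{label}: missing, {(deadline - today).days} days left"


def patch_report(records: List[UpdateRecord], today: date):
    """Classify every record; any single 'fail' fails the assessment."""
    rows = [classify(r, today) for r in records]
    overall = "fail" if any(status == "fail" for status, _ in rows) else "pass"
    return overall, rows


ASSESSMENT_DATE = date(2026, 5, 11)   # constructed review date

# Constructed sample records covering the common failure scenarios.
SAMPLE_RECORDS = [
    UpdateRecord("LAPTOP-01", "Windows cumulative update", "critical",
                 date(2026, 4, 14), date(2026, 4, 20)),
    UpdateRecord("LAPTOP-07", "Browser", "high",            # travel laptop, rarely on
                 date(2026, 4, 1), None),
    UpdateRecord("SRV-01", "Database server", "critical",   # patched, but too late
                 date(2026, 3, 20), date(2026, 4, 10)),
    UpdateRecord("VM-LEGACY", "Old server OS", "critical",  # vendor support ended
                 date(2026, 4, 14), None, date(2023, 10, 10)),
    UpdateRecord("DESKTOP-03", "PDF reader plugin", "high", # still inside the window
                 date(2026, 5, 5), None),
    UpdateRecord("LAPTOP-01", "Office suite", "medium",
                 date(2026, 4, 28), None),
]


if __name__ == "__main__":
    overall, rows = patch_report(SAMPLE_RECORDS, ASSESSMENT_DATE)
    print(f"Overall: {overall}")
    for status, reason in rows:
        print(f"  [{status:>4}] {reason}")
```

Feeding this the output of whatever patch dashboard you use (one record per asset and component) gives the evidence the next step asks for: a dated list of what is inside the window, what is overdue, and what is end-of-life. Note that the travel laptop and the late server install both fail even though "the reason for the delay" was benign, matching how assessors mark this control.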
Step Five: Control Access, Not Just Accounts
Access control failures are one of the easiest ways to fail Cyber Essentials, often without organisations realising it. The issue is rarely that accounts exist, but that access is not being actively managed.
The 2026 update places a renewed focus on authentication methods. While distinct passwords are still permitted, the guidance now actively encourages Passwordless Authentication (e.g., Biometrics, FIDO2 keys, Push notifications) as the preferred standard. Whichever method is used, the baseline expectations remain:
- Each user has a unique, named account (no shared logins).
- Access is removed immediately when someone leaves.
- Administrative access is separated from standard user access (e.g., separate admin accounts).
Assessors do not review access control systems in isolation. They assess the environment as a whole. A single unmanaged admin account or shared login can invalidate an otherwise compliant assessment.
What Access Control Looks Like in Practice
In practice, access control failures often appear during staff changes.
For example, a former employee’s account remains active in Microsoft 365, a shared admin password is still used for a firewall, or an old service account continues to exist without clear ownership.
Another common issue is convenience-based privilege creep. A user is granted admin rights to solve a short-term problem, and those rights are never removed. Over time, this creates multiple privileged accounts that are no longer justified.
Strong access control relies on visibility. Organisations need to know who has access, what level of access they hold, and why it exists.
Action: Review all user and administrator accounts across in-scope systems. Remove shared logins, disable default credentials, and confirm that admin access is limited, justified, and protected with MFA. Ensure joiner and leaver processes remove access immediately when roles change.
Step Six: Prepare Evidence Before You Apply
Cyber Essentials is a self-assessment scheme, but it’s not trust-based. Organisations are expected to demonstrate that controls are in place, not simply state that they exist. In 2026, assessors are increasingly requesting supporting evidence during validation checks, particularly where answers relate to MFA enforcement, device security, and patching. If evidence cannot be produced quickly, assessments are often delayed or failed.
Typical evidence includes:
- Screenshots of Conditional Access policies.
- MFA enforcement reports from identity platforms.
- Device compliance summaries (e.g., from Microsoft Intune).
- Patch status dashboards.
Evidence must reflect the current state of the environment. Outdated screenshots or historical reports are unlikely to be accepted if they do not align with how systems are configured at the time of submission.
What Evidence Preparation Looks Like in Practice
Evidence preparation is where many organisations encounter last-minute problems. A policy may exist, but there is no screenshot showing it is enforced; MFA may be enabled for administrators, but there is no report confirming coverage for all users; devices may be patched, but patch status is not centrally visible.
Preparing evidence in advance allows teams to spot gaps early and resolve them calmly, rather than rushing changes after submission.
Action: Before starting your Cyber Essentials application, gather evidence for every control area. Store it centrally, ensure it reflects the live environment, and confirm it can be produced quickly if requested during assessment.
Cyber Essentials Plus: What the Audit Will Check
During the Plus audit, the assessor will typically:
- Scan external IP addresses.
- Test patch levels on internal systems.
- Inspect a sample of user devices.
- Attempt safe malware downloads (e.g., EICAR files).
- Verify MFA enforcement in real time.
If one sampled device fails, the audit can fail.
Preparation for Plus should be treated as an internal mock audit rather than an extension of the basic questionnaire.
A Practical Cyber Essentials Checklist for 2026
Before submitting your assessment, confirm that you can confidently answer “yes” to all of the following:
- All internet-facing systems (including all cloud apps) are identified.
- MFA is enabled on every capable service for every user.
- All devices are supported, patched, and have local firewalls enabled.
- No user browses the web or checks email with an Administrator account.
- All high-risk patches are applied within 14 days; no EOL software exists.
- You have screenshots or logs to prove the above.
If any of these areas are uncertain, remediation should happen before registration, not after.
Passing First Time Is About Preparation, Not Perfection
Cyber Essentials is designed to confirm that basic controls are consistently applied. In 2026, consistency matters more than complexity.
Organisations that pass first time tend to approach Cyber Essentials as a structured technical exercise, not a form-filling task. They define scope early, enforce MFA centrally, standardise device security, and gather evidence before starting the assessment.
That approach reduces stress, avoids retests, and creates a stronger security baseline that extends beyond certification.
If you want a second set of experienced eyes before you submit, a short pre-assessment can remove uncertainty and catch the issues that cause most first-time failures.
Our team reviews scope, MFA enforcement, device security, and evidence readiness against current Cyber Essentials guidance, so you can proceed with confidence rather than guesswork.
Article Sources
- National Cyber Security Centre (NCSC) & IASME. Cyber Essentials: Requirements for IT infrastructure v3.1. Accessed January 26th, 2026
- IASME Consortium. Upcoming Changes to the Cyber Essentials Scheme: April 2026 Update. November 3rd, 2025
- National Cyber Security Centre (NCSC). Multi-factor authentication for your corporate online services. September 26th, 2024
- National Cyber Security Centre (NCSC). Vulnerability Management and Patching (10 Steps to Cyber Security). Accessed January 26th, 2026
- IASME. Upcoming Changes to the Cyber Essentials scheme: April 2026 Update. January 15th, 2026