Rhonda Baker

~ Monday, March 30, 2026

Cyber Essentials Changes in 2026: What Your Business Needs to Know

 

Cyber Essentials is changing in April, and this time, the updates are more significant than many businesses expect.

From April 27th 2026, new requirements will come into force that tighten security expectations, remove grey areas, and raise the bar for certification. While Cyber Essentials has always been a practical, accessible framework for SMBs, these updates reflect a growing need for stronger, more consistent protection across all organisations.

If your business relies on Cyber Essentials (or plans to), now is the time to understand what’s changing - and what you need to do next to stay compliant.

Why Cyber Essentials Is Being Updated


Cyber Essentials is designed to protect businesses from the most common cyber threats, but those threats are constantly evolving, and so must the controls designed to stop them.

Attackers are increasingly targeting smaller organisations, often exploiting simple weaknesses like weak passwords, unpatched systems, or unsecured cloud accounts. The annual updates to Cyber Essentials ensure the scheme continues to reflect real-world risks, rather than outdated assumptions.

The 2026 changes are focused on:

  • Improving clarity and consistency across assessments
  • Strengthening real-world security controls
  • Ensuring organisations are properly protected (and not just ticking boxes)

In short, this update is about raising standards while making expectations clearer, so businesses know exactly what “good security” looks like.

What's Changing in April 2026?

Here are the key updates that will impact most SMBs, along with what they mean in practical terms:

1. A New Question Set (Danzell)

The existing “Willow” question set is being replaced with a new version known as Danzell.

This isn’t just a simple refresh. The new question set has been designed to remove ambiguity and ensure that all certification bodies assess organisations in a more consistent way. In the past, some questions allowed for interpretation, which could lead to confusion or inconsistent outcomes.

With Danzell, you can expect:

  • Clearer, more direct questions
  • More structured responses
  • Less room for interpretation or guesswork

For businesses, this means the process should feel more straightforward and more rigorous. You’ll need to be confident that your answers accurately reflect what’s in place across your organisation.

2. MFA Is Now Mandatory (No Exceptions)

Multi-factor authentication (MFA) has been strongly recommended for years - but from April 2026, it becomes a strict requirement wherever it is available.

This is one of the most important changes in the update.

If a system supports MFA, you must enable it. There are no exceptions based on cost, convenience, or user preference.

That means:

  • MFA must be enabled across all relevant systems and user accounts
  • Premium features that include MFA may now be required
  • Any gaps in MFA coverage could result in an automatic failure

This reflects the reality that compromised credentials remain one of the most common causes of cyber breaches. MFA significantly reduces that risk, making it a non-negotiable control.

3. Cloud Services Are Fully in Scope

Cloud usage has grown rapidly in recent years and Cyber Essentials is now fully aligned with that reality.

The 2026 update tightens the definition of cloud services and removes any ambiguity around what needs to be included. If your organisation uses cloud-based systems, they are in scope.

This includes:

  • Productivity platforms like Microsoft 365 or Google Workspace
  • Cloud-based finance or CRM systems
  • File storage and collaboration tools
  • Even business-related social media accounts

Many businesses underestimate how many cloud services they actually use. Identifying and securing them all is now a critical part of achieving certification.

4. Stricter Patch Management Rules

Keeping systems up to date has always been a core part of Cyber Essentials, but the 2026 update introduces stricter enforcement.

Organisations are now expected to apply fixes for high-risk and critical vulnerabilities within 14 days of release. This includes not just traditional software patches, but any vendor-recommended security updates.

What’s changed is the consequence:

  • Failing to apply critical updates within the timeframe can now lead to automatic failure
  • There is less tolerance for delays or inconsistent patching processes

This reflects the speed at which attackers exploit newly discovered vulnerabilities. A delay of even a few weeks can significantly increase your risk exposure.

5. Tighter Scoping Rules

Defining the scope of your Cyber Essentials certification has become more structured and more important.

In previous versions, some organisations were able to define scope in ways that didn’t fully reflect their operational environment. The 2026 changes aim to close those gaps.

Now, businesses must:

  • Clearly justify what is included (and excluded) in scope
  • Ensure the certification accurately represents the organisation
  • Follow stricter rules when dealing with group structures or multiple entities

There are also new options available for organisations that want to certify multiple parts of a group correctly, without oversimplifying or misrepresenting their setup.

6. Changes to Cyber Essentials Plus

Cyber Essentials Plus (the audited version of the certification) is also being strengthened.

Updates include:

  • More robust testing procedures
  • Improved sampling methodologies
  • Greater validation of controls such as MFA and patching

There is also a stronger emphasis on point-in-time accuracy, meaning what you declare in your assessment must match what is actually in place when testing is carried out.

For businesses, this means preparation is key. It’s not enough to plan improvements - controls must be fully implemented and consistently applied before your audit.

What This Means For Your Business

For most small to medium businesses, these changes won’t require a complete overhaul of your IT environment, but they will highlight any weaknesses that may have previously gone unnoticed.

Common areas where businesses may struggle include:

  • MFA not fully enforced across all systems
  • Unknown or unmanaged cloud services
  • Delays in applying critical updates
  • Incorrect or overly simplified certification scope

The biggest risk isn’t the changes themselves; it’s being unprepared when your renewal comes around. Failing Cyber Essentials can delay contracts, impact customer confidence, and create unnecessary stress.

Prepare Early and Stay Protected with Naglotech


The 2026 Cyber Essentials updates are designed to raise standards, so the earlier you act, the easier your certification will be. Start by reviewing your security now: ensure MFA is enabled across all systems, create a full inventory of cloud services, confirm patch management meets the 14-day requirement, and check that your certification scope is accurate.

At Naglotech, we help SMBs across the East of England navigate these changes with confidence. From Cyber Essentials and Cyber Essentials Plus audits to gap analysis, remediation plans, and ongoing monitoring, we guide you every step of the way. Our goal isn’t just to help you pass; it’s to ensure your business is genuinely secure.

Act now to avoid last-minute surprises, strengthen your cyber posture, and achieve smooth, successful certification. Contact Naglotech today to get ahead of the 2026 changes and protect your business for the future.

Get In Touch Today

Don’t wait until the next Cyber Essentials renewal to address potential gaps in your security. Our team at Naglotech is ready to guide you through every step, from initial assessment and gap analysis to full certification and ongoing support.

Whether you’re new to Cyber Essentials or looking to upgrade to Cyber Essentials Plus, we make the process simple, practical, and tailored to your business.

Talk to us today and secure your business against evolving cyber threats.
Call 01255 745745
Email: contact@naglotech.com