Cyber Essentials - April 2026 Update
What Your Business Needs to Know
Cyber Essentials is evolving once again and this April’s update introduces some of the biggest changes we've seen in years. As cyber threats grow more sophisticated, the National Cyber Security Centre (NCSC) and IASME are tightening requirements to ensure UK organisations stay protected.
At Cirrus MSP, we make security simple. Here’s your clear, human‑friendly breakdown of what’s changing, why it matters, and how to prepare.
1. Mandatory MFA Everywhere
Multi‑Factor Authentication has officially moved from “highly recommended” to non‑negotiable. If a service supports MFA, whether it’s free, paid, hidden behind a licence tier or added through an identity provider, it must be enabled for all users.
If MFA is available but not switched on, your organisation will automatically fail Cyber Essentials.
This includes:
Microsoft 365 & Google Workspace
Azure, AWS & other cloud platforms
SaaS applications
VPNs and remote access systems
Identity providers
2. Critical Patches Must Be Installed Within 14 Days
The new rules enforce a strict 14‑day window to apply any high‑risk or critical security updates.
This applies to:
Operating systems
Firewalls & routers
Applications, plugins, and extensions
Miss the deadline? That’s an automatic fail. Organisations will need stronger patch management processes and faster change cycles.
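A simple way to track the 14‑day window is to record, for each in‑scope device, when a critical or high‑risk update was released and when it was actually installed, then flag anything that missed the deadline or is still outstanding past it. The script below is an added illustration written for this article, not tooling from NCSC, IASME or Cirrus MSP; the host names, update identifiers and dates are constructed sample data, and the severity labels "critical" and "high" are assumed to be how your patch source reports them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The 14-day window for high-risk / critical updates described above.
PATCH_WINDOW = timedelta(days=14)
# Assumed severity labels; map your own vulnerability/patch feed onto these.
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass
class PatchRecord:
    host: str
    update_id: str          # placeholder identifier from your patch tool
    severity: str
    released: date          # vendor release date of the update
    installed: Optional[date]  # None means not yet installed


def patch_status(rec: PatchRecord, today: date) -> str:
    """Classify one record as 'n/a', 'ok', 'pending' or 'overdue'.

    'n/a'     - not a critical/high update, so outside the 14-day rule
    'ok'      - installed on or before release + 14 days
    'pending' - not installed yet, but the deadline has not passed
    'overdue' - installed late, or still missing after the deadline
    """
    if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "n/a"
    deadline = rec.released + PATCH_WINDOW
    if rec.installed is not None:
        return "ok" if rec.installed <= deadline else "overdue"
    return "pending" if today <= deadline else "overdue"


def overdue_patches(records: List[PatchRecord], today: date) -> List[PatchRecord]:
    """Return every record that breaches the 14-day window as of 'today'."""
    return [r for r in records if patch_status(r, today) == "overdue"]


# Constructed sample data for demonstration only.
SAMPLE_RECORDS = [
    PatchRecord("ws-01", "UPDATE-A", "critical", date(2026, 5, 1), date(2026, 5, 10)),
    PatchRecord("ws-02", "UPDATE-B", "critical", date(2026, 4, 20), None),
    PatchRecord("fw-01", "UPDATE-C", "high", date(2026, 5, 8), None),
    PatchRecord("srv-01", "UPDATE-D", "low", date(2026, 4, 1), None),
    PatchRecord("ws-03", "UPDATE-E", "critical", date(2026, 4, 10), date(2026, 4, 30)),
]


if __name__ == "__main__":
    as_of = date(2026, 5, 15)
    for rec in SAMPLE_RECORDS:
        print(f"{rec.host:8} {rec.update_id:10} {rec.severity:8} -> {patch_status(rec, as_of)}")
    print("Overdue:", [r.host for r in overdue_patches(SAMPLE_RECORDS, as_of)])
```

Run it as‑is to see the report for the sample data; in practice you would feed it the export from your RMM or patch‑management tool and review the "overdue" list before an assessment.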
3. Cloud Services Are Fully In‑Scope
Any cloud service that stores or processes organisational data is now explicitly included in Cyber Essentials scope.
This means:
No exclusions for SaaS tools
No assuming the cloud provider "has it covered"
You must secure service configurations (e.g., MFA, admin rights, conditional access)
4. Stricter Scope Rules — More Devices Count
The updated guidance includes any device that:
Connects to the internet
Sends or receives data
Routes or manages traffic
Examples:
Laptops & desktops
Mobile phones & tablets
On‑prem servers
Firewalls & switches
Cloud workloads
If you want to exclude something, you’ll need documented network segmentation proving it cannot communicate with in‑scope systems.
5. Updated Password Requirements
Cyber Essentials is moving in line with modern security principles: less complexity, more practicality.
With MFA enabled:
Minimum 8‑character passwords
Without MFA:
Minimum 12‑character passwords or
Minimum 8 characters with common‑password blocking
Additionally:
No more forced password expiry
Password managers encouraged
Complexity rules no longer the main priority
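The length rules above depend on whether MFA is in place and whether common passwords are blocked, so it helps to see the decision written out as a single check that could sit behind a password‑change form. This is an added example written for this article, not code from NCSC, IASME or Cirrus MSP; the short denylist is a constructed stand‑in for a real list of common passwords, and the function names are our own.

```python
from typing import Tuple

# Constructed stand-in for a real common-password list; a deployment would load
# a much larger published list rather than this handful of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome1",
}


def password_meets_policy(password: str,
                          mfa_enabled: bool,
                          common_password_blocking: bool,
                          denylist=COMMON_PASSWORDS) -> Tuple[bool, str]:
    """Apply the Cyber Essentials length rules described above.

    With MFA enabled:    minimum 8 characters.
    Without MFA:         minimum 12 characters, or minimum 8 characters
                         when common-password blocking is enforced.
    Returns (accepted, reason).
    """
    length = len(password)

    if mfa_enabled:
        if length < 8:
            return False, "MFA enabled: password must be at least 8 characters"
        return True, "MFA enabled: length requirement met"

    if common_password_blocking:
        if length < 8:
            return False, "No MFA: password must be at least 8 characters"
        # Compare case-insensitively so 'Password1' is caught as well as 'password1'.
        if password.lower() in denylist:
            return False, "No MFA: password appears on the common-password denylist"
        return True, "No MFA: 8+ characters and not a common password"

    if length < 12:
        return False, "No MFA and no denylist: password must be at least 12 characters"
    return True, "No MFA and no denylist: 12+ characters"


if __name__ == "__main__":
    # Constructed sample inputs covering each branch of the policy.
    samples = [
        ("abcdefgh", True, False),
        ("abcdefg", True, False),
        ("abcdefgh", False, False),
        ("abcdefghijkl", False, False),
        ("Password1", False, True),
        ("correcthorse", False, True),
    ]
    for pw, mfa, block in samples:
        ok, why = password_meets_policy(pw, mfa, block)
        print(f"{pw!r:16} mfa={mfa!s:5} block={block!s:5} -> {ok}: {why}")
```

Note that the check only encodes the length and denylist rules; it deliberately does not demand mixed character classes, reflecting the update's move away from complexity rules, and it does not apply password expiry.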
6. Passwordless Authentication Encouraged
The update strongly supports modern, secure methods such as:
Passkeys
FIDO2 hardware keys
Biometrics
Hardware tokens
The direction is clear: fewer passwords, more secure authentication.
7. Stronger Backup & Recovery Expectations
Organisations must now show:
Documented backup procedures
Regular testing
Evidence they can restore data after incidents
This aligns Cyber Essentials more closely with ransomware resilience.
8. Requirements for Secure Application Development
For organisations that build or maintain software, you’ll now need:
Secure coding practices
Vulnerability scanning & patching
Documented development and release processes
This is especially important for internal tools or customer‑facing apps.
What This Means for Your Business
If your Cyber Essentials assessment is started on or after 27 April 2026, these new requirements will apply. For many organisations, this means tightening processes, updating configurations, and reviewing security hygiene.
The good news? You don’t have to do it alone.
At Cirrus MSP, we help businesses stay compliant without the stress. From MFA rollouts to patching strategies and scope planning, our team ensures your certification is smooth and predictable.
Ready to Prepare for the April Update?
Book a quick call with our team and we’ll walk you through exactly what your organisation needs to do next.
Security doesn’t have to be complicated - not when you’ve got Cirrus MSP making IT simple.