Cyber Essentials April 2026 marks the most significant change to the scheme’s assessment criteria in recent years. From 27 April, failing to enable multi-factor authentication on any cloud service that supports it is an automatic certification failure. For tens of thousands of UK certified organisations, this is not an incremental update — it is a redefinition of what baseline compliance requires. This analysis covers what changed, why it matters, and what organisations need to act on before the deadline.
Signal Summary
The Cyber Essentials April 2026 update — v3.3, known as the Danzell update — takes effect on 27 April 2026. Assessment accounts created on or after that date must use the new question set and updated marking criteria. The update introduces automatic failure conditions in two areas: MFA not enabled on cloud services where it is available, and high-risk or critical security updates not applied within 14 days of release.
The cloud services definition has been expanded — any service accessed using a business email or account is now in scope, regardless of whether it was included in previous assessments. Cyber Essentials Plus assessment methodology has also been tightened; organisations must be fully compliant before proceeding and cannot amend their verified self-assessment responses after CE+ testing begins. Organisations with assessment accounts created before 26 April 2026 retain a six-month transition period to complete certification under the previous requirements.
Why This Is Structurally Significant
The Cyber Essentials April 2026 Danzell update closes two loopholes that have allowed UK organisations to hold Cyber Essentials certification while remaining materially vulnerable.
The first is scope manipulation. Under previous requirements, organisations could exclude SaaS platforms from their certification scope to avoid the compliance burden. The expanded cloud definition removes this. Any service accessed via a business email address — Microsoft 365, Google Workspace, Xero, Slack, Salesforce, project management tools — is now in scope by definition. Organisations that have been certifying against a narrow, carefully constructed perimeter must reassess their entire cloud footprint.
The second is MFA optionality. Until 27 April 2026, an organisation could pass Cyber Essentials without enforcing MFA on cloud services, provided it met other access control requirements. That option is removed. If a cloud service offers MFA at any price tier — including as a free feature — and the organisation has not enabled it, the assessment returns an automatic failure. No remediation window within the assessment cycle.
Together, these changes mean a certificate issued before 27 April no longer indicates the same level of assurance as one issued after. The baseline has moved.
What Drove This
The Cyber Essentials April 2026 update is a direct response to patterns identified through IASME’s ongoing audit processes and breach investigations. Three failure modes were recurring across assessments.
The first was inconsistent scoping — organisations defining their certification boundary narrowly to exclude cloud services with weaker controls, then claiming compliance based on the residual in-scope environment. The expanded cloud definition directly addresses this.
The second was delayed patching. High-risk and critical security updates were being applied inconsistently, with organisations passing assessments despite gaps that would have left systems exposed beyond NCSC’s recommended 14-day window. Two patching questions are now auto-fail conditions.
The third was partial MFA — organisations with SSO-protected cloud accounts that simultaneously maintained local password access for the same accounts. Security researchers refer to these as ghost logins. Under the new marking criteria, a ghost login on any in-scope cloud service is non-compliant regardless of whether the SSO path is secured.
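The three failure modes above map onto a checkable rule set. What follows is an added example, not code from this article or from IASME: a hypothetical pre-submission self-check over a constructed cloud and patch inventory, in which the record layout, field names, sample services and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
# Hypothetical self-check modelled on the v3.3 auto-fail rules above; record formats and sample values are constructed, not IASME's question set.
@dataclass
class CloudService:
    name: str
    business_account: bool            # accessed with a business email/account?
    mfa_available: bool               # offered at any price tier, free included
    mfa_enforced: bool                # enabled for every account on the service
    sso_enforced: bool = False
    local_password_login: bool = False  # usable alongside SSO = "ghost login"
@dataclass
class SecurityUpdate:
    component: str
    severity: str                     # "critical", "high", "medium" or "low"
    released: date
    applied: Optional[date]           # None = not yet applied

def service_findings(services: List[CloudService]) -> List[str]:
    out = []
    for s in services:
        if not s.business_account:    # expanded cloud definition: only services
            continue                  # reached with a business account are in scope
        if s.mfa_available and not s.mfa_enforced:
            out.append(f"AUTO-FAIL mfa: {s.name} offers MFA but it is not enabled")
        if s.sso_enforced and s.local_password_login:
            out.append(f"AUTO-FAIL ghost-login: {s.name} keeps password login beside SSO")
    return out

def patch_findings(updates: List[SecurityUpdate], today: date, window: int = 14) -> List[str]:
    out = []
    for u in updates:
        if u.severity not in ("critical", "high"):
            continue                  # only high-risk/critical updates are auto-fail
        elapsed = ((u.applied or today) - u.released).days  # unapplied: clock still runs
        if elapsed > window:
            out.append(f"AUTO-FAIL patching: {u.component} {u.severity} update at {elapsed} days")
    return out

def run_example(today_iso: str = "2026-04-23") -> List[str]:
    services = [CloudService("Microsoft 365", True, True, True, sso_enforced=True),
                CloudService("Xero", True, True, False),
                CloudService("Slack", True, True, True, sso_enforced=True, local_password_login=True),
                CloudService("personal photo app", False, True, False)]  # out of scope
    updates = [SecurityUpdate("mail gateway", "critical", date(2026, 3, 1), date(2026, 3, 10)),
               SecurityUpdate("laptop OS", "high", date(2026, 3, 20), date(2026, 4, 10)),
               SecurityUpdate("firewall", "critical", date(2026, 4, 15), None),
               SecurityUpdate("printer driver", "low", date(2026, 1, 1), None)]
    return service_findings(services) + patch_findings(updates, date.fromisoformat(today_iso))
```

The check only sees services that appear in the inventory, so it cannot surface shadow SaaS; the inventory has to be complete before this kind of check means anything.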
The NCSC published a Cyber Essentials supply chain playbook in early 2026, signalling that the scheme’s role is expanding beyond individual organisation assurance toward supply chain trust infrastructure. The April 2026 changes are consistent with that trajectory.
Implications for UK Businesses
For organisations currently certified: A Cyber Essentials certificate issued before 27 April 2026 remains valid for its 12-month term. Organisations renewing after that date will be assessed against the new criteria. Those that have relied on narrow scoping or partial MFA implementation will not pass renewal without remediation.
For organisations seeking certification for the first time: The preparation calculus has changed. Cyber Essentials v3.3 is as much a cloud identity and access management exercise as it is a network hygiene project. Organisations need to build a complete cloud service inventory before starting the questionnaire — not during it.
The shadow SaaS exposure: The expanded cloud scope creates a specific risk for organisations where staff have adopted SaaS tools outside central IT oversight. If those tools are discovered during a CE+ technical assessment without MFA configured, the organisation fails — regardless of how well the formally approved tool stack is secured. The analysis of the shadow AI governance gap in UK businesses covers how this class of unauthorised adoption creates systemic compliance exposure that extends beyond the cybersecurity context.
For organisations auditing their current MFA coverage across cloud accounts, our comparison of the best password managers for business in the UK covers which credential management tools include admin-level MFA enforcement features relevant to Cyber Essentials compliance.
The Commercial Stakes
Cyber Essentials certification is already a prerequisite for UK public sector contracts under Procurement Policy Note 014. Organisations bidding for government work without a valid certificate are excluded before commercial evaluation begins. The April 2026 changes raise the standard required to hold that certificate.
The supply chain dimension carries greater forward pressure. The NCSC’s 2026 supply chain playbook explicitly encourages larger organisations to require Cyber Essentials certification from their suppliers as a minimum security baseline. The UK Cyber Resilience Bill 2026, currently progressing through Parliament, is expected to accelerate this — extending regulatory obligations to managed service providers and increasing supply chain scrutiny across sectors. An SME that fails Cyber Essentials renewal under the new auto-fail criteria faces potential exclusion from its customer base, not a compliance administration problem.
What to Watch Next
The CE+ failure rate: IASME tightened the CE+ process specifically because audits revealed that some organisations applied updates selectively to sampled devices rather than across their full scope. The first wave of Cyber Essentials April 2026 assessments under the new criteria will surface the real compliance gap across UK organisations. Industry data on failure rates post-27 April will be the clearest indicator of how widespread the preparation shortfall is.
The passwordless trajectory: The v3.3 update has revised the user access control section to promote passwordless authentication — FIDO2 keys, passkeys, and biometrics — as the direction of travel. MFA via authenticator app or SMS is now the floor, not the ceiling. The NCSC is signalling that subsequent update cycles will continue in this direction.
Parliament: The Cyber Security and Resilience Bill is at committee stage. If enacted substantially as drafted, obligations equivalent to Cyber Essentials-level standards will extend beyond self-certification into statutory requirements for operators of important services and their supply chains. The April 2026 changes define what that baseline looks like before the legislation arrives.
ObvioTech Assessment
The Cyber Essentials April 2026 MFA auto-fail rule is the correct decision, and it was overdue.
Cyber Essentials certification has operated on the implicit assumption that an organisation meeting the five technical controls is meaningfully more secure than one that does not. That assumption required MFA to be optional. In a cloud-first working environment where credential theft is the primary attack vector for the majority of UK SME breaches, optional MFA is a structural weakness in the standard — not a flexibility feature.
The expanded cloud scope definition similarly closes an accountability gap that had become increasingly difficult to justify. An organisation certifying against a narrowly defined perimeter while operating a materially broader cloud footprint was not providing accurate assurance. The new requirements enforce honest scoping.
The practical challenge for UK SMEs is time. Twenty-seven April is four days away. Organisations that have not already audited their cloud service inventory, confirmed MFA status across every in-scope account, and verified their patching cadence will not complete that work before the deadline. For those organisations, the strategic question is whether to delay the certification cycle until preparation is complete or attempt renewal and fail.
A failed Cyber Essentials assessment is recorded within the IASME ecosystem. For SMEs with public sector or supply chain certification requirements, the cost of a failed renewal exceeds the cost of a delayed one. For tens of thousands of UK certified organisations now operating under the new criteria, the correct response to under-preparation is to complete the audit before submitting — not after.
Sources
IASME Consortium — Changes to Cyber Essentials April 2026: Full Update Details (February 2026)
NCSC — Cyber Essentials Requirements for IT Infrastructure v3.3
IASME — Danzell Question Set and Marking Criteria (2026) — iasme.co.uk
UK Government — Procurement Policy Note 014 — gov.uk
NCSC — Cyber Essentials Supply Chain Playbook — ncsc.gov.uk (2026)