What Is Cyber Essentials?
Cyber Essentials is the UK Government-backed cybersecurity certification scheme, managed by the NCSC and delivered through IASME. It sets a baseline of five technical controls that organisations must implement to defend against the most common cyber attacks. The scheme has two levels: Cyber Essentials (self-assessment questionnaire) and Cyber Essentials Plus (hands-on technical verification by a certified assessor). Since its launch in 2014, over 130,000 certificates have been issued. It is mandatory for all UK Government suppliers handling sensitive or personal data and is increasingly required in private sector procurement.
What Changed in the 2025/2026 Updates
The NCSC updates Cyber Essentials requirements annually. The major changes for the current cycle include: all cloud services are now fully in scope, meaning SaaS, IaaS, and PaaS configurations must meet the five controls. Multi-factor authentication is now required for all cloud services and remote access — not just recommended. The definition of "devices" has been expanded to include all internet-connected endpoints including tablets, phones, and IoT devices. Thin clients and BYOD devices that access organisational data are explicitly in scope. Home routers used by remote workers must now meet firewall requirements or be behind a VPN.
- Cloud services (SaaS, IaaS, PaaS) fully in scope
- MFA mandatory for all cloud services and remote access
- All internet-connected devices in scope including BYOD and IoT
- Home routers must meet firewall requirements or use VPN
- Software must be updated within 14 days of critical patches
Cyber Essentials vs Cyber Essentials Plus
The basic Cyber Essentials certification is a self-assessment questionnaire that costs from around 300 pounds plus VAT for micro-businesses. You answer questions about your security controls and an assessor reviews your responses. Cyber Essentials Plus includes everything in the basic certification plus hands-on technical verification: the assessor will scan your external IP addresses for vulnerabilities, test your email and web defences against malware, and verify your device configurations in person or remotely. Plus costs from around 1,500 pounds and provides significantly higher assurance. Government contracts involving sensitive data typically require Plus.
How to Pass First Time
The most common failure reasons are: unpatched software (particularly on mobile devices and BYOD), missing MFA on cloud services, overly permissive user accounts, and home routers without adequate firewall configuration. Start by auditing every device and cloud service that touches your organisational data. Deploy Coro to ensure all endpoints meet the required configuration standards and enforce MFA. Use Hadrian to scan your external-facing infrastructure for the same vulnerabilities an assessor will find. Address the findings before your assessment window opens, not during it.
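As an added illustration of the audit step above (example code written for this page, not part of the original article and not based on Coro or Hadrian), the script below checks a device and cloud-service inventory against two of the failure reasons listed: critical patches outstanding beyond the 14-day window, and cloud services without MFA enforced. The inventory, device names, patch identifiers and dates are all constructed placeholders; in practice the records would come from your MDM, patch-management or identity-provider exports.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Cyber Essentials requirement: critical updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14


@dataclass
class Device:
    name: str
    kind: str                       # e.g. "laptop", "byod-phone", "home-router"
    # patch id -> vendor release date (constructed placeholder values below)
    pending_critical: Dict[str, date] = field(default_factory=dict)


@dataclass
class CloudService:
    name: str
    model: str                      # "SaaS", "IaaS" or "PaaS" - all in scope
    mfa_enforced: bool


def overdue_patches(device: Device, today: date) -> Dict[str, int]:
    """Return {patch_id: days_outstanding} for patches older than the 14-day window.

    A patch released exactly 14 days ago is still inside the window; only
    strictly older patches are reported.
    """
    return {
        patch_id: (today - released).days
        for patch_id, released in device.pending_critical.items()
        if (today - released).days > PATCH_WINDOW_DAYS
    }


def audit(devices: List[Device], services: List[CloudService], today: date) -> List[str]:
    """Produce one finding line per failed check, in a stable order."""
    findings: List[str] = []
    for dev in devices:
        for patch_id, age in sorted(overdue_patches(dev, today).items()):
            findings.append(
                f"{dev.name} ({dev.kind}): critical patch {patch_id} outstanding "
                f"{age} days (limit {PATCH_WINDOW_DAYS})"
            )
    for svc in services:
        if not svc.mfa_enforced:
            findings.append(f"{svc.name} ({svc.model}): MFA not enforced")
    return findings


# Constructed sample inventory (hypothetical names, patch ids and dates).
AUDIT_DATE = date(2025, 6, 30)
SAMPLE_DEVICES = [
    Device("LAP-01", "laptop", {"PATCH-EXAMPLE-1": date(2025, 6, 1)}),    # 29 days: fail
    Device("PHONE-07", "byod-phone", {"PATCH-EXAMPLE-2": date(2025, 6, 20)}),  # 10 days: ok
    Device("RTR-HOME-03", "home-router"),                                # nothing pending
]
SAMPLE_SERVICES = [
    CloudService("Example Mail", "SaaS", mfa_enforced=True),
    CloudService("Example Storage", "IaaS", mfa_enforced=False),          # fail
]

if __name__ == "__main__":
    for line in audit(SAMPLE_DEVICES, SAMPLE_SERVICES, AUDIT_DATE):
        print("FAIL:", line)
```

Run against the sample data the script reports two findings: the laptop with a 29-day-old critical patch and the IaaS service without MFA. Fixing the inventory source so that every endpoint (including BYOD and home routers) and every cloud service appears in it is the part that matters most; the check itself is simple once the data is complete.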