This page outlines the annual updates to the Requirements for IT Infrastructure document, which serves as the standard for achieving Cyber Essentials certification. It also contains essential new information about changes to the assessment framework.

While you may have already seen a preview of the updated requirements, the National Cyber Security Centre (NCSC) has now added further adjustments to the certification process, marking scheme, and Cyber Essentials Plus assessment methodology. It is important to understand and implement these changes to ensure compliance.

Effective Date Changes apply to all assessment accounts created after 26 April 2026. Any organisation with an active assessment account created before this date will have 6 months to attain certification using the previous version of the requirements.

Each year, IASME collaborates closely with the NCSC to review feedback from across the scheme, analyse findings from breach investigations, and evaluate insights gained from audits. These inputs form the foundation of the annual review process, which informs updates to scheme requirements, the assessment question set, methodology, and marking criteria.

Changes to the Marking Criteria

One of the most notable updates is the implementation of stricter marking criteria for questions addressing critical practices, such as enabling multi-factor authentication and implementing timely security updates. Failure to meet the required standards in these areas will result in an automatic failure of the assessment.

Multi-Factor Authentication (MFA)

⚠ Auto-Fail MFA is now mandatory for all cloud services where it is available. Organisations that fail to implement MFA for cloud services — whether free, included, or a paid option — will automatically fail the assessment.

This change underscores the critical role of MFA in protecting systems and highlights the importance of adopting strong authentication measures across your entire environment.

Security Update Management New

Two new questions related to security update management have been designated as auto-fail questions:

⚠ Auto-Fail

A6.4  Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

A6.5  Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

Non-compliance with either question will result in an automatic failure of the assessment, regardless of performance in other areas. This change is intended to address instances where delays in applying critical updates leave systems vulnerable to exploitation.

Improved Scope Definition & Certification Transparency New

Defining and reviewing the scope of an assessment has been a persistent challenge, particularly for larger organisations with complex structures. The following changes will be introduced:

  1. Unlimited scope descriptions: Organisations will no longer be limited to a brief scope description on their certificates. A detailed scope description will be available to view via the digital certificate platform.
  2. Out-of-scope areas: Organisations will be required to describe any areas of their infrastructure excluded from scope. This information will not be made public.
  3. Legal entity identification: Organisations will need to specify all legal entities included within the scope, providing the entity's name, address, and company number. These details can be viewed on the digital certificate platform.
  4. New certificate types: An individual Cyber Essentials certificate can be requested for every legal entity certified as part of a larger scope. It will be clear that the certification forms part of the wider scope. A small charge applies for these additional certificates.

Clarification of 'Point in Time'

Cyber Essentials is a 'point in time' assessment, but there has been confusion about what this term refers to. The scheme will now explicitly state that the 'point in time' is the date the certificate is issued. Organisations will need to ensure that their systems are supported at the date of certification.

Signed Declaration & Ongoing Compliance

The declaration signed by a board member or director as part of the Verified Self-Assessment (VSA) process will be updated to include a statement acknowledging the organisation's responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period. This reinforces the importance of ongoing compliance and ensures organisations remain committed to maintaining robust cyber security measures.

Changes to the Cyber Essentials Plus (CE+) Assessment

The CE+ assessment provides a higher level of assurance by including a technical audit of an organisation's cyber security measures. The April 2026 updates introduce several changes to enhance the CE+ process and align it more closely with the VSA.

Verification of Update Management Compliance New

Recent audits have revealed instances of organisations applying selective updates during CE+ assessments — specifically, applying updates only to the devices included in the sample being tested, rather than across the entire CE+ scope.

⚠ Important Change If an organisation fails the initial test of a random sample of devices, they will be required to remediate the issues and undergo a retest. During the retest, the Assessor will not only recheck the original sample, but will also test a new random sample of devices to ensure compliance across the wider environment. A second failure will result in revocation of the Verified Self-Assessment certificate.

Prohibition of VSA Adjustments Post CE+ Testing New

To maintain the integrity of the certification process, organisations will no longer be allowed to adjust their VSA responses based on the results of CE+ testing. The scheme's Terms and Conditions will be updated to explicitly require that the VSA must be completed, finalised, and remain unchanged prior to the commencement of CE+ testing.

Additional Updates to the Requirements Document

The Requirements for IT Infrastructure v3.3 document includes several updates to improve clarity and guidance.

Cloud Services Definition

A clear definition of cloud services has been added to eliminate ambiguity:

Definition "A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account and will store or process data for your organisation."

Note: If your organisation's data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.

Improved Scoping Requirements

The terms 'untrusted' and 'user-initiated' have been removed as qualifiers for internet connections, simplifying the scoping criteria. Organisations will also need to justify any exclusions from scope and explain how excluded networks are segregated from in-scope systems.

Application Development

The 'web applications' section has been renamed 'application development' and now references the UK Government's Software Security Code of Practice. Publicly available commercial web applications are in scope by default, while bespoke and custom components are out of scope.

Guidance on Backups

The guidance on backups has been repositioned earlier in the document to emphasise the importance of enabling organisations to recover quickly from cyber incidents.

User Access Control

The user access control section has been updated to highlight the importance of passwordless authentication methods, such as passkeys, which offer a more secure alternative to traditional passwords.

For full details, refer to the updated Cyber Essentials Requirements for IT Infrastructure v3.3, which applies to all applications registered after 26 April 2026.

Information courtesy of IASME Consortium Ltd.

Need help preparing for the April 2026 changes?

Our Detect service identifies gaps in your controls before submission — including MFA coverage and patch compliance — so you avoid automatic fails and costly re-tests.

View Our Services →