Cyber Essentials is changing again

  • allanpage
  • 18 minutes ago

Here’s what that means for your business.



If you already hold Cyber Essentials Scheme certification, or you’re planning to go for it this year, there’s an important update on the horizon that’s worth understanding now, not at renewal time.

Cyber Essentials doesn’t stand still. And in April 2026, it changes again.


At Somerbys IT, we help businesses across the East Midlands achieve and maintain Cyber Essentials every year. The organisations that struggle most aren’t the ones with “bad IT” - they’re the ones caught out by timing, assumptions, or outdated understanding of what the scheme actually expects.


Let’s break down what’s changing, why it matters, and what you should be thinking about this year.


What’s changing in April 2026?

An official annual update to Cyber Essentials is scheduled for April 2026.

This update will apply to all new Cyber Essentials assessment accounts created after 27 April 2026.

In practical terms:


  • If you renew or start certification before that date, you’ll be assessed against the current question set

  • If you start after, you’ll be assessed against the updated requirements


A refreshed question set is expected to be published ahead of the change, giving organisations time to prepare, but the assessment criteria themselves will be tighter and clearer than before.

Cyber Essentials has never got easier over time. This update follows that same pattern.


What will the updated scheme focus on?


Based on published guidance and direction of travel from recent updates, the 2026 changes are expected to push further on:

🔐 Authentication and access control

Multi-factor authentication (MFA) continues to be a major focus - particularly for:


  • Cloud services

  • Remote access

  • Administrator accounts


If MFA is available and not enabled, that’s increasingly difficult to justify.


☁️ Cloud services and what’s “in scope”

Cloud platforms such as Microsoft 365, email systems, file sharing, and SaaS tools are firmly in scope. The update brings clearer definitions around:


  • What counts as a cloud service

  • Who is responsible for securing it

  • How access and configuration should be managed


“We thought Microsoft handled that” is not an acceptable answer.


💾 Backup and recovery expectations

Backups are gaining stronger emphasis, not just that they exist, but that they:


  • Are protected from unauthorised access

  • Can be restored

  • Align with how your business actually operates


Cyber Essentials is still not about enterprise-level disaster recovery, but resilience expectations are rising.


Why your renewal timing matters

If your Cyber Essentials renewal is due this year, when you renew matters almost as much as how prepared you are.

Renewing earlier means:


  • Fewer moving goalposts

  • Familiar requirements

  • More breathing room to plan improvements properly


Renewing later means:


  • New questions

  • Tighter interpretation

  • Less tolerance for vague answers or assumptions


Neither is “wrong”, but going in unprepared is where problems start.


Cyber Essentials Plus: already stricter, and that matters in 2026

Cyber Essentials Plus is not “Cyber Essentials with extra paperwork”.

It’s a technical verification, carried out by an assessor who actively tests your controls.

Recent updates (including the 2025 “Willow” update) have already tightened expectations around:


  • Vulnerability management (not just Windows patching)

  • Authentication methods, including modern and password-less approaches

  • Evidence that controls work in practice, not just on paper


If you’re aiming for Cyber Essentials Plus, you need more than:

“Yes, we keep things updated.”

You need:


  • A joined-up approach to vulnerability management across systems

  • Clear visibility of how users authenticate and access systems

  • Sensible, defensible evidence that reflects reality


How Somerbys IT helps


At Somerbys IT, we don’t treat Cyber Essentials as a box-ticking exercise.

We help you:


  • Understand what actually applies to your business

  • Identify gaps before they become assessment issues

  • Prepare properly - whether you’re renewing now or planning for the 2026 changes

  • Avoid last-minute panic, rework, or failed assessments


Most Cyber Essentials failures are avoidable. They come from assumptions, not attackers.


The bottom line


If you’re renewing this year, now is the right time to:


  • Review your current position

  • Decide whether to move early or prepare for the new requirements

  • Make sure your answers reflect reality, not best intentions


If you’d like a clear view of where you stand and what the 2026 update could mean for you, speak to the Somerbys IT team.

