The Cyber Essentials Scheme will change on 27 April 2026. After this date, new certifications will be assessed according to version 3.3 of the NCSC Requirements for IT Infrastructure and must use the new Danzell Question Set.
New requirements introduced by the Danzell update include tighter MFA (multifactor authentication) rules, more detailed Cloud controls and a tougher verification process for Cyber Essentials Plus.
Last month, we ran a live webinar on how to adapt to these new requirements. You can download the recording here:
In this blog post, our experts answer our webinar attendees’ questions about the 2026 Cyber Essentials update.
Questions are ordered thematically. Use the following links to jump to the section(s) you want to read:
- Certification, failure and reassessment
- Vulnerability scanning and patching
- MFA, SSO and authentication
- Cloud services and shadow IT
- Devices, BYOD, contractors and VDI
- Scope, boundaries and firewalls
- Evidence, audits and ongoing compliance
- Passwords and passwordless authentication
- Cyber Essentials Plus assessment mechanics
- Administration, tools and licensing
- General scheme questions
Certification, failure and reassessment
What happens if we fail Cyber Essentials Plus?
If Cyber Essentials Plus is failed, IASME will revoke the underlying Cyber Essentials certificate. To re‑certify, you must complete Cyber Essentials again and then book a new Plus assessment based on that submission.
If we fail both device samples in Cyber Essentials Plus, will our certificate be cancelled?
Yes. If the second device sample fails, the overall Plus assessment fails and IASME will revoke the Cyber Essentials certificate.
If the same critical vulnerability appears in the second scan, do we get time to fix it?
No. If the same high or critical vulnerability from the first scan is found again in the second scan, the assessment will fail immediately. There is no remediation window for the second sample.
If the second scan finds different vulnerabilities, do we still fail?
No. If new vulnerabilities are found in the second scan but the original ones were fixed, the assessment can still pass. Any new issues would be listed as advisories.
Vulnerability scanning and patching
Is the new 14‑day patching rule a hard requirement?
Yes. High-risk and critical patches must be applied within 14 days of release. Missing this deadline now results in an automatic failure of Cyber Essentials.
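The 14-day rule is easiest to act on when the patch inventory is checked against it automatically rather than by hand, which also supports the weekly or daily patch monitoring recommended later in this post. The script below is an added example written for this post; it is not code from IASME, the NCSC or the scheme documents. The device names, patch identifiers and dates are constructed, and the "daily" versus "weekly" review cadence it suggests is the example's own assumption, not a scheme rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_DEADLINE_DAYS = 14                 # the 14-day rule for high/critical fixes
SLA_SEVERITIES = {"critical", "high"}    # severities the 14-day rule applies to


@dataclass(frozen=True)
class PatchRecord:
    device: str
    patch_id: str            # constructed identifier, not a real advisory
    severity: str
    released: date           # vendor release date (the clock starts here)
    installed: Optional[date] = None   # None while the patch is outstanding


@dataclass(frozen=True)
class Finding:
    device: str
    patch_id: str
    status: str   # "compliant", "late", "overdue", "pending" or "no_deadline"
    days: int     # days past the deadline (late/overdue) or days remaining (pending)


def deadline_for(record: PatchRecord) -> date:
    """Last day on which the patch may be applied under the 14-day rule."""
    return record.released + timedelta(days=PATCH_DEADLINE_DAYS)


def assess(record: PatchRecord, today: date) -> Finding:
    """Classify one patch record against the 14-day deadline."""
    if record.severity.lower() not in SLA_SEVERITIES:
        # Lower severities should still be patched, but this check tracks
        # only the fixes the 14-day rule applies to.
        return Finding(record.device, record.patch_id, "no_deadline", 0)
    due = deadline_for(record)
    if record.installed is not None:
        slip = (record.installed - due).days
        if slip <= 0:
            return Finding(record.device, record.patch_id, "compliant", 0)
        # Applied, but outside the window: worth recording for the assessor.
        return Finding(record.device, record.patch_id, "late", slip)
    if today > due:
        return Finding(record.device, record.patch_id, "overdue", (today - due).days)
    return Finding(record.device, record.patch_id, "pending", (due - today).days)


def check_inventory(records: List[PatchRecord], today: date) -> List[Finding]:
    return [assess(r, today) for r in records]


def devices_breaching(findings: List[Finding]) -> List[str]:
    """Devices with a high/critical patch still outstanding past its deadline."""
    return sorted({f.device for f in findings if f.status == "overdue"})


def review_cadence(findings: List[Finding]) -> str:
    """Assumed heuristic: check daily when something is overdue or a deadline
    falls within the next week; otherwise a weekly review is enough."""
    urgent = any(f.status == "overdue" or (f.status == "pending" and f.days < 7)
                 for f in findings)
    return "daily" if urgent else "weekly"


# Constructed sample inventory for a fictional estate.
SAMPLE_TODAY = date(2026, 5, 15)
SAMPLE_RECORDS = [
    PatchRecord("LAPTOP-01", "KB-EXAMPLE-001", "critical", date(2026, 4, 20), date(2026, 4, 28)),
    PatchRecord("LAPTOP-01", "KB-EXAMPLE-002", "high",     date(2026, 4, 25)),
    PatchRecord("LAPTOP-02", "KB-EXAMPLE-003", "critical", date(2026, 5, 10)),
    PatchRecord("LAPTOP-02", "KB-EXAMPLE-004", "medium",   date(2026, 3, 1)),
    PatchRecord("SERVER-01", "KB-EXAMPLE-005", "high",     date(2026, 4, 1), date(2026, 4, 20)),
]

if __name__ == "__main__":
    findings = check_inventory(SAMPLE_RECORDS, SAMPLE_TODAY)
    for f in findings:
        print(f"{f.device:10} {f.patch_id:16} {f.status:12} {f.days:>3}d")
    print("devices breaching the 14-day rule:", devices_breaching(findings))
    print("suggested review cadence:", review_cadence(findings))
```

Run it as-is to see the sample report; in practice the records would be fed from your patch management export, with the release date taken from the vendor advisory rather than the date the patch was first seen on your estate. A patch that was applied late is reported separately from one that is still overdue, because only the latter is an open breach at the time of assessment, but both are worth explaining to the assessor.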
What if applying a critical patch would break business‑critical software?
In that scenario, the affected system must be isolated from the internet, placed on a restricted subnet and have no inbound or outbound connectivity. This is the only acceptable mitigation.
What if we don’t have vulnerability scanning software?
At a minimum, you must have automated patch management in place to meet the 14‑day requirement. Without vulnerability scanning, it’s unlikely that a clean Plus scan will be achieved.
Can we use our existing vulnerability tools like Qualys during a Cyber Essentials Plus audit?
Yes. If you already use an approved scanning tool, reports may be accepted and the assessor may ask to see the platform live rather than installing a separate scanning agent.
How are dependency vulnerabilities such as OpenSSL issues handled?
If the dependency is required by a fully supported application and cannot be patched directly, it may be excluded. You will need to declare this using the required IASME documentation.
Will assessors compare findings between different scanning tools?
Yes. IASME‑approved tools must be used for Cyber Essentials Plus assessments. Differences between tools cannot currently be reconciled by alternative reports.
MFA, SSO and authentication
Is multifactor authentication now mandatory for all Cloud services?
Yes. If MFA is available, it must be enabled. This applies even if MFA or SSO (single sign‑on) is only available on a higher paid licence tier.
Is cost of licensing still a valid reason for not enabling MFA or SSO?
No. Cost is no longer an acceptable reason. If MFA or SSO is available, it must be enabled.
Is single sign‑on mandatory?
No. SSO itself is not mandatory. However, if a Cloud service doesn’t offer MFA but does support SSO with a provider such as Microsoft or Google, SSO must be used.
What if MFA is available but can’t be enforced by policy?
MFA must still be enabled. If enforcement is not possible, organisations must manually check and confirm that all users have enabled MFA.
Is SMS still an acceptable MFA method?
Yes. SMS remains an acceptable form of MFA under Cyber Essentials 2026.
Are on‑prem systems required to use MFA?
Only if the system can be accessed from outside the network. Internal‑only systems do not require MFA.
How should MFA and SSO be evidenced during a Plus assessment?
Assessors prefer to see MFA working in practice. If SSO is used and MFA is not prompted, conditional access policies may be reviewed to confirm enforcement.
Cloud services and shadow IT
Are all Cloud services storing business data now in scope?
Yes. Any Cloud service that stores or processes business data is in scope.
How should we handle shadow IT such as marketing using Canva or Mailchimp?
Where possible, services should be managed centrally using SSO. If that’s not possible, regular access and MFA reviews must be carried out on those services.
Are services without MFA still allowed?
Yes, but only if MFA is genuinely unavailable either natively or through SSO. This must be declared in the self‑assessment.
Devices, BYOD, contractors and VDI
How are BYOD (bring your own device) and contractor‑owned devices treated in 2026?
If a device is used to access business data, it is in scope. This includes devices accessing data via VDI (virtual desktop infrastructure) or virtual machines.
Is web‑only access with MFA enough for contractors?
No. If the endpoint device accesses organisational data, both the device and the VDI or VM environment are considered in scope.
How can BYOD mobile devices be managed securely?
Mobile work profiles can be used to separate work and personal data. This allows policies to be applied to work data without managing the entire device.
Scope, boundaries and firewalls
Can a software firewall be used as the network boundary?
Yes, but only for home workers or shared office environments. In controlled office networks, the boundary must be defined using network firewalls or VLANs.
What if we use a serviced or hot‑desk office where we do not control the network?
You can still pass Cyber Essentials Plus if each laptop has an enabled software firewall. In that setup, the device firewall becomes the boundary.
Are social media accounts like LinkedIn in scope?
Yes. Corporate social media accounts are always in scope, even if managed by a third party.
How is partial scope shown on the certificate?
Partial scope is clearly marked on the certificate. There is no longer a character limit on the scope description, allowing greater clarity.
Can subsidiaries or franchises certify independently?
Yes. Separate entities, including those with their own Microsoft tenant, can certify independently without exclusions if they operate separately.
Evidence, audits and ongoing compliance
Is Cyber Essentials still a point‑in‑time assessment?
The assessment is still conducted at a point in time, but directors now explicitly declare responsibility for maintaining controls throughout the year.
Will assessors check compliance during the year?
No. There are no interim checks between certifications. Compliance is self‑declared and enforced at renewal.
How often should we review controls internally?
Quarterly reviews are recommended for access, MFA and assets. Patch management should be monitored weekly or daily because of the 14‑day rule.
Has the standard Cyber Essentials questionnaire changed to require evidence uploads?
No. The standard Cyber Essentials assessment remains a text‑only questionnaire. Evidence is only required for Plus.
Passwords and passwordless authentication
Are passkeys and FIDO2 acceptable under Cyber Essentials?
Yes. Passwordless methods such as passkeys and FIDO2 are considered compliant forms of multifactor authentication.
How should password requirements be answered if we use MFA or passkeys?
Stating that MFA or passwordless authentication is used is a compliant response. Regular password expiry and complex rules are not required.
Cyber Essentials Plus assessment mechanics
Has the sample selection or timing changed for Cyber Essentials Plus?
Yes. Details of random device sampling are now provided closer to the assessment start date, typically three days before.
Are internal pre‑scans included in the first vulnerability scan?
IASME is still refining this process. Pre‑scanning may be limited to onboarding devices rather than identifying vulnerabilities.
Administration, tools and licensing
Do administrators need separate accounts?
Yes. Admin users must have separate accounts for administrative tasks and daily use. Shared admin accounts are not permitted.
Are extended security updates, such as Windows 10 ESU, acceptable?
Yes. As long as the vendor is still providing security updates, either free or paid, the device remains compliant.
General scheme questions
Are there specific changes for AWS, Azure or Google Cloud?
No. Infrastructure and platform Cloud services must still meet the existing Cyber Essentials requirements and may be tested during Cyber Essentials Plus.
Is IASME improving consistency between assessors?
Moderation has increased and guidance is improving. However, different assessors may still interpret responses slightly differently as requirements evolve.
Act now to certify to the current Cyber Essentials version
You can still certify to the current Willow version of the scheme if you complete the early steps before 24 April 2026. Your certificate will remain valid for 12 months.
Whether you’re certifying before or after this year’s changes take effect, we have everything you need:
- We’re one of the founding Cyber Essentials certification bodies and one of the largest in the UK, having issued more than 12,000 certificates to date.
- Our Cyber Essentials services have received a ‘World-Class’ NPS (Net Promoter Score) of +100.
- With a large team focused on Cyber Essentials, we offer same-day turnaround on your certificates.
- We have a 98% customer success rate.
- We offer everything you need to get Cyber Essentials certification, such as documentation, scanning and assessments.
- One-to-one support is included as standard in all our packages.
- End-to-end support – we deliver all the technical tests and assessments ourselves, conducted by our experienced technical testers.
- Tailored solutions – our unique fixed-price bundles provide expert support and compliance tools at affordable rates.
- Credentials – our consultants are qualified cyber security practitioners.
