Cyber Essentials certification remains one of the most effective and affordable ways for UK businesses to strengthen their cyber security in 2026. The scheme is government-backed, developed by the NCSC (National Cyber Security Centre) and delivered through IASME, and it is increasingly required in tenders, insurance policies and supply chain contracts.

This year brings new requirements: from 27 April 2026, a new Question Set, known as Danzell, applies to all certifications. Organisations must also confirm they have read version 3.3 of the NCSC Requirements for IT infrastructure document as part of their application.

In this blog post, we explain what has changed, outline the two certification levels and provide a step-by-step process to help you get Cyber Essentials certified in 2026.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against common cyber attacks. By implementing five basic technical controls, organisations can prevent up to 80% of the most common threats.

Certification shows customers, partners and regulators that you take security seriously and helps you meet contract and insurance requirements.

There are two levels of certification:

  • Cyber Essentials – a self-assessment covering the five controls.
  • Cyber Essentials Plus – an externally audited version that verifies your implementation. You must achieve Cyber Essentials before progressing to Plus.

The five Cyber Essentials controls

Certification focuses on five technical controls. These remain unchanged in 2026, but their application is more rigorously interrogated under the Danzell Question Set.

  • Firewalls and routers
    Secure configuration of network devices, blocking unauthorised access and changing default passwords.
  • Software updates
    Keeping systems patched within 14 days of critical or high-risk vulnerabilities being disclosed.
  • Malware protection
    Using anti-malware software, application allow-listing or sandboxing to prevent harmful code from executing.
  • Access control
    Managing user accounts, enforcing unique credentials and mandating MFA (multi-factor authentication), particularly for Cloud services and administrative access.
  • Secure configuration
    Removing unnecessary accounts and software, disabling insecure defaults, and locking unattended devices.
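As an added illustration of the software-updates control (example code written for this post, not from the page, the NCSC or IASME), the script below classifies a constructed update inventory against the 14-day window: the record format, device names and update identifiers are assumptions, and only critical and high-risk updates are measured against the deadline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials requires critical/high-risk fixes to be applied within
# 14 days of release; only the window length is taken from that requirement.
PATCH_WINDOW = timedelta(days=14)

@dataclass
class UpdateRecord:
    """One vendor update tracked against one in-scope device (constructed format)."""
    device: str
    update_id: str
    severity: str              # "critical", "high", "medium" or "low"
    released: date
    installed: Optional[date]  # None if the update has not been applied yet

def patch_status(rec: UpdateRecord, today: date) -> str:
    """Return 'compliant', 'pending', 'breach' or 'out_of_scope' for one record."""
    if rec.severity not in ("critical", "high"):
        return "out_of_scope"   # the 14-day rule applies to critical/high only
    deadline = rec.released + PATCH_WINDOW
    if rec.installed is not None:
        return "compliant" if rec.installed <= deadline else "breach"
    # Not installed: still inside the window is fine, past it is a breach.
    return "pending" if today <= deadline else "breach"

def report(records, today: date) -> dict:
    """Group (device, update_id) pairs by status for an evidence pack."""
    out = {"compliant": [], "pending": [], "breach": [], "out_of_scope": []}
    for rec in records:
        out[patch_status(rec, today)].append((rec.device, rec.update_id))
    return out

# Constructed sample inventory; dates and identifiers are illustrative only.
AS_OF = date(2026, 5, 20)
SAMPLE = [
    UpdateRecord("laptop-01", "KB-EXAMPLE-1", "critical", date(2026, 5, 1), date(2026, 5, 10)),
    UpdateRecord("laptop-02", "KB-EXAMPLE-1", "critical", date(2026, 5, 1), date(2026, 5, 20)),
    UpdateRecord("server-01", "KB-EXAMPLE-2", "high", date(2026, 5, 12), None),
    UpdateRecord("server-02", "KB-EXAMPLE-3", "high", date(2026, 5, 1), None),
    UpdateRecord("printer-01", "FW-EXAMPLE-4", "low", date(2026, 4, 1), None),
]

if __name__ == "__main__":
    for status, items in report(SAMPLE, AS_OF).items():
        print(f"{status}: {items}")
```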

What has changed in 2026

The April 2026 update introduces several important changes to the certification process, including:

  • New Question Set (Danzell) – All applications must now use the Danzell Question Set, which builds on Willow with more precise requirements and greater emphasis on real-world implementation.
  • Clearer scoping – The scoping requirements have been updated to clarify that all specified devices connected to the Internet are in scope. Partial scoping is still allowed, but where networks are excluded from scope, you “need to justify the reason for a partial scope to your assessor”.
  • Cloud services are in scope – Cloud services are defined for the first time and are explicitly in scope for Cyber Essentials certifications. This closes a common gap that caused SaaS (software as a service) platforms to be overlooked.
  • Web applications – The web application section has been renamed “Application development” and now refers to the government’s new Software Security Code of Practice.
  • Stronger MFA enforcement – MFA is no longer simply expected but strictly required across Cloud services and for privileged access. Partial or inconsistent implementation is likely to result in failure.
  • Backups – V3.3 explicitly recommends appropriate backups and describes sensible precautions, such as keeping copies off the primary device and disconnecting removable media when it is not in use.
  • User access control – This section now places greater emphasis on MFA and passwordless authentication, such as FIDO2 authenticators, biometrics, security keys or tokens, one-time codes, QR codes and push notifications.

These changes mean organisations must take a more comprehensive and accurate approach. If you have certified before, you cannot simply resubmit last year’s answers – you must review your scope, reassess your controls and check compliance against Danzell.

Cyber Essentials vs Cyber Essentials Plus

Both certifications demonstrate commitment to cyber security, but they differ in scope and assurance:

  • Cyber Essentials is assessed via a self-assessment questionnaire. It’s quick and cost-effective, and certification can typically be achieved in a few days if controls are in place.
  • Cyber Essentials Plus is assessed via an independent audit. It includes vulnerability scans and hands-on testing to confirm that your systems meet the standard. This provides greater assurance to customers and insurers.

Organisations often start with Cyber Essentials and progress to Plus once they have confidence in their controls. For higher-risk sectors (finance, healthcare, defence, government supply chains), Cyber Essentials Plus is often expected.

Step-by-step guide to Cyber Essentials certification in 2026

To help you prepare, here is a clear process for getting certified:

  1. Download and read the requirements
    Access the Requirements for IT Infrastructure and confirm your team understands the 2026 updates. This document is mandatory reading before you begin.
  2. Define your scope
    Clearly identify which parts of your IT infrastructure are in scope. This must now include all relevant Cloud services, user devices and systems accessing organisational data. Poor scoping remains one of the most common reasons applications fail.
  3. Review your controls
    Map your systems against the five technical controls. Ensure all devices are patched, MFA is fully enforced (especially for Cloud and admin access), default settings are secured and anti-malware defences are effective.
  4. Complete the SAQ (self-assessment questionnaire)
    Answer the Danzell Question Set honestly and in detail. The SAQ acts as a compliance statement and must be signed by a board member or equivalent.
  5. Submit your application
    Send your SAQ to an IASME-accredited certification body such as IT Governance. An assessor will review your answers and either issue a pass or request clarification.
  6. Achieve Cyber Essentials certification
    If successful, you will receive your Cyber Essentials certificate and, if eligible, free cyber insurance of up to £25,000.
  7. Progress to Cyber Essentials Plus (optional)
    Book an external audit to achieve Cyber Essentials Plus certification. This involves vulnerability scans and a technical review to verify your controls in practice.

Common pitfalls to avoid

Many organisations fail their first attempt because of avoidable mistakes. The most common pitfalls include:

  • Weak scoping – Failing to include all Cloud services, remote devices or third-party platforms that are in scope.
  • MFA gaps – Not enforcing MFA consistently across all Cloud accounts and privileged users.
  • Outdated software – Using unsupported operating systems or unpatched applications.
  • Default settings – Retaining factory default passwords or failing to lock down administrative access.
  • Incomplete evidence – Providing vague or general answers in the SAQ without demonstrating how controls are implemented.

Address these issues early to avoid delays and retests.

Why Cyber Essentials matters in 2026

Cyber Essentials is more than a checklist. For small to medium-sized organisations in particular, it provides:

  • Protection against common attacks – Preventing the majority of commodity malware and phishing-driven intrusions.
  • Customer trust – Demonstrating due diligence to clients, partners and insurers.
  • Market access – Meeting the security requirements of government contracts and supply chain frameworks.
  • Cost-effective assurance – Achievable at a fraction of the cost of ISO 27001 or other frameworks.

With cyber insurance premiums continuing to rise and regulators placing greater scrutiny on supply chain resilience, Cyber Essentials certification is an increasingly valuable badge of assurance in 2026.

Cyber Essentials 2026 checklist

To recap, here is a practical Cyber Essentials checklist for 2026:

  • Read the Requirements for IT Infrastructure and understand Danzell.
  • Define a clear and complete scope, including all Cloud services.
  • Verify implementation of all five controls.
  • Enforce MFA across all Cloud services and privileged accounts.
  • Remove unsupported or unpatched software.
  • Secure default settings and administrative access.
  • Complete and submit the SAQ.
  • Progress to Plus by arranging an external audit.

Cyber Essentials has changed. Pass first time with IT Governance

As one of the founding Cyber Essentials certification bodies, IT Governance has issued more than 9,000 certificates. Our services range from simple self-certification packages to fully managed consultancy programmes.

Whether you want to self-certify or achieve Cyber Essentials Plus certification, we have the experience, tools and services to help you succeed.