
Upcoming Changes to the Cyber Essentials Scheme – April 2026 Update

Published by the Cyber Essentials Governing Body

IASME, who oversee Cyber Essentials alongside the National Cyber Security Centre (NCSC), have announced a series of important updates to the Cyber Essentials scheme, coming into effect in April 2026. The changes are designed to keep Cyber Essentials aligned with current technology, with the biggest impacts affecting MFA for cloud services and User Access Controls.


To help organisations digest these updates, Delta’s assessors have put together a clear, easy-to-understand summary below. We can reassure you that these changes, whilst important, are largely minor and aimed at clarifying definitions rather than introducing any major new requirements.

 

Multi-Factor Authentication

The most significant change is to MFA. Previously, if a service did not support MFA, or required extra licensing, it would not result in a failure and organisations would still be able to achieve the standard. From April 2026 this will change, and all services that can support MFA must have it enabled.


“where cloud services have MFA available; whether free, included in a cloud service, connected through another service, or there is a fee paying option, and it is not implemented, this will result in an automatic failure.”


Delta strongly recommends that organisations review this change and take proactive steps to ensure they remain compliant with the Cyber Essentials standard.


Assessors’ note: This change is significant. In the past, if a service put MFA behind a “paywall”, the applicant was not required to uplift their license to unlock it. From April 2026, IASME will expect MFA to be enabled regardless of cost or complexity. Delta would also strongly recommend reviewing any partnerships with service providers that don’t offer MFA natively in their services; in this day and age it’s a bare minimum.

 

Cloud Services

For the first time, IASME has provided a clear definition of what qualifies as a Cloud Service. This helps remove any ambiguity about which features, services, or tools fall under the standard. Importantly, the updated guidance also makes it clear that Cloud Services cannot be excluded from scope.


According to IASME: “Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet... accessed via an account... and will store or process data for your organisation.”

 

User Access Control

The NCSC, and by extension IASME, are putting greater emphasis on multi-factor authentication (MFA) and passwordless authentication. Going forward, expect technologies like Passkeys to play a more prominent role, offering a faster and more secure way to log in.


Passwordless authentication uses something other than a traditional password to verify identity, such as FIDO2 security keys, biometrics, tokens, one-time codes, or push notifications.


Assessor notes: While these changes will be insignificant to many organisations and mostly formalise what’s already emerging in the industry, Delta echoes the NCSC’s guidance: wherever possible, organisations should be moving towards more passwordless methods for stronger security.

 

Preparing for the April 2026 Transition

For most organisations, the April 2026 updates shouldn’t cause major issues. The new definition of Cloud Services may mean that some organisations declare more services than before, and mandatory MFA could require additional licensing in certain cases.

Other than that, most changes are about providing clearer definitions and guidance, keeping the standard aligned with current technology trends. As always, Delta’s assessors are on hand to answer questions and provide support throughout the certification process.


Further Information

For more details, visit the IASME Consortium’s official announcement:


 
 