The Cyber Essentials (CE) and Cyber Essentials Plus (CE+) schemes are set for an update, with a new question set named Danzell launching on 27 April 2026.
These updates form part of the 2026 IASME scheme revision and are designed to strengthen security requirements, improve clarity for organisations and deliver more consistent assessment outcomes.
More broadly, they reflect a shift in how baseline security is assessed, with greater focus on identity protection, timely patching and clearly defined scope.
MFA is now a baseline requirement
One of the most significant changes is the requirement to use multi-factor authentication across cloud services. Where MFA is available, it must be enabled. If it is not in place, the organisation will fail the assessment.
This reflects current expectations around access control, where relying on passwords alone is no longer considered sufficient. In practice, this means reviewing all cloud services in use and confirming MFA is enforced, including for administrative accounts.
Cloud services
The definition of a cloud service is intentionally wide. Any system delivered over the internet, designed to scale on demand and used to handle business data falls within scope.
This includes SaaS, IaaS and PaaS, as well as commonly used platforms such as email services, identity providers, remote access tools and administrative systems. If staff access it through a business account to store or process data, it is included.
Mandatory patching requirements
Organisations have always been required to apply high-risk and critical updates within 14 days of release. Now, missing this timeframe results in an automatic failure rather than being recorded as a non-compliance.
This applies to operating systems, applications and firmware for network infrastructure such as routers and firewalls. The aim is to reduce the time systems remain exposed to known vulnerabilities.
In practice, this requires clear processes to track updates and confirm they are applied within the required timeframe.
Clearer expectations around scope
There is a stronger focus on how organisations define the scope of their assessment. Descriptions should be detailed and accurate, with no restriction on length.
All legal entities included in the certification must be listed and any exclusions need to be clearly explained. While exclusions are not published, they must be documented so assessors can understand what sits outside the boundary and why.
This is particularly important for organisations with multiple business units or complex environments, where scope is often unclear.
Changes to Cyber Essentials Plus (CE+)
Cyber Essentials Plus assessments will also become more thorough.
Assessors will not only revisit previously non-compliant devices but will also test a new sample to confirm that updates have been applied consistently across the environment.
There is also a change to how the Verified Self-Assessment is handled. Once testing begins, responses cannot be amended, so the results reflect the organisation’s position at the time of assessment.
What this means for your organisation
These updates raise the expected standard across identity security, patching discipline and scope definition. Organisations with established processes are likely to adapt quickly, while others may need to formalise controls that have previously been informal.
Key areas to focus on include:
- Ensuring MFA is enabled across all cloud services
- Applying high-risk and critical updates within 14 days of release
- Clearly defining scope and listing all legal entities
- Preparing for broader validation during CE+ assessments
How we support you
We have supported organisations with Cyber Essentials for over a decade.
Each client works with a dedicated consultant who manages vulnerability scanning, identifies gaps and supports remediation ahead of certification. Our assessors bring both technical expertise and a strong understanding of compliance requirements.
The process is designed to run alongside your operations without disruption.
If you are preparing for the 2026 update, now is the time to review your approach. Get in touch to discuss how we can support your Cyber Essentials or Cyber Essentials Plus certification.
