Cyber Essentials 2026: What’s Changing and How to Prepare

Cyber threats continue to evolve, and the UK’s Cyber Essentials scheme is being updated to ensure organisations maintain strong baseline security. The next revision, version 3.3 of the Requirements for IT Infrastructure, comes into effect on 27 April 2026, and will apply to all assessments started after that date. Businesses beginning an assessment before then can continue under the current version, provided they complete it within six months.

For organisations that rely on Cyber Essentials to demonstrate cyber hygiene to customers, insurers and supply‑chain partners, understanding the upcoming changes is essential.

The Key Changes for 2026

Clearer scope for cloud services and devices

The definition of a cloud service is being simplified: any online system that stores or processes your organisation’s data is now firmly in scope. This includes platforms such as Microsoft 365, Google Workspace, CRM tools and cloud storage. Device scoping is also changing. Any internet‑connected device will be included, laptops, desktops, tablets and smartphones. Previous wording around “untrusted networks” has been removed to make this clearer.

Refinements to specific control areas

The previous “Web Applications” section is now titled “Application Development”, aligning with the UK Government’s Software Security Code of Practice. Public‑facing apps will always be in scope; internal‑only tools may not be.

Mandatory MFA across all cloud services

Multi‑factor authentication (MFA) will become compulsory wherever it is available. If a cloud platform offers MFA, even as an optional or paid feature, it must be enabled. Failure to activate MFA will result in an automatic assessment fail. This shift highlights MFA as a minimum expected protection against account compromise.

Backup requirements have been brought forward in the standard to emphasise the importance of recovery and continuity, while user access guidance now promotes modern authentication methods such as passkeys, biometrics and passwordless sign‑in.

Why These Updates Matter

The 2026 changes strengthen core areas that directly impact cyber resilience. SMEs using cloud services will need to verify that all platforms meet the new MFA requirement. Supply‑chain expectations are also likely to tighten, making early preparation beneficial. Clearer scope rules mean assessors will expect better system inventories and documentation, helping prevent delays at certification.

Get Support With Cyber Essentials

Sota’s cyber security specialists can help you review your systems, prepare for the 2026 requirements and guide you through certification or renewal.

If you’d like tailored support or advice, get in touch with Sota’s expert team today

Latest Articles

View all

Blog Cyber Essentials 2026: What’s Changing and How to Prepare

Insight How Microsoft Power Platform and Copilot Transform Business Processes

Insight Transform Collaboration with a Bespoke Microsoft SharePoint Solution

Insight 8 Tech Trends That Will Shape 2026 and How to Stay Ahead

Insight Sota’s Seasonal Security Guide: 12 Cyber Threats of Christmas

Blog Why IT Hardware planning matters

Blog Unlocking AI for Small Businesses: A Strategic Advantage Driven by Employees

Blog How Organisations Can Use Microsoft Teams to Improve Business Communication

Blog What to Expect From a Modern IT Partner: Beyond Break-Fix Support

Blog How To Prepare For Windows 10 End Of Life

Blog Why SotaProtect MDR Is the Cyber Security Upgrade Your Business Needs

Insight Rising Cloud Costs: Trends and Cost-Saving Strategies

Insight Organisational Knowledge with SharePoint

Insight Enhance Productivity with Microsoft Office 365 and Copilot

Insight ISO 27001 How It Boosts Trust for E-commerce Businesses

Blog The Value of IT Procurement Partnerships

Blog Accreditations You Need When Tendering for Business Contracts

Blog 8 Advantages of Colocation for Businesses

Blog Protect Yourself from IVR Scams: Recognise and Stay Safe

Blog What Is the Principle of Least Privilege?

Blog The Hidden Dangers of QR Codes and How to Stay Safe

Blog The Risk of MFA Fatigue Attacks and How to Protect Yourself

Insight Cyber Security Strategies for Modern Businesses

Insight AI Tools in Professional and Personal Life: Benefits and Risks

Insight Choosing the Right IT Support: In-House vs Outsourced

Insight The Essential Guide to IT Auditing for Your Business

Blog Password Management and the Importance of Multi-Factor Authentication

Blog The Importance of 24/7 IT Support: Understanding its Value

Blog Ten Benefits of IT Managed Services for the Financial Service industry

Blog What to Consider When Picking Your VoIP Provider

Blog 5 Advantages of Cyber Essentials Plus Certification

Blog AI Threats: Taking a closer look into Deepfake Attacks

Insight Cyber Essentials and ISO 27001: Reviewing Security Accreditations

Insight Wired and Wireless: The Backbone of Connectivity

Insight The Benefits of Microsoft SharePoint

Insight The growing threat of AI-driven phishing attacks

Insight How to achieve seamless IT installations

Blog How dedicated IT support services make businesses more efficient

Blog Driving your business into the future with Teams and Skype

Blog 6 key benefits of high availability solutions

Blog The business benefits of IT colocation services

Blog The benefits of a 24/7 global service desk for uninterrupted IT support

Blog The surprising benefits of wired internet for businesses

Blog The business benefits of Microsoft 365

Insight 5 project management techniques for successful IT projects

Insight The business benefits of using Private Ethernet

Insight How to safeguard your data with GDPR and ISO 27001 accreditation

Blog The crucial role of data protection in businesses

Blog What are the benefits of hiring IT consulting services?

Blog How your IT department can benefit from third party support

Blog 5 cybersecurity threats to watch out for

Blog What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Blog 5 important business benefits of VoIP

Blog 5 business benefits of fibre connectivity

Blog How the green cloud is making IT more sustainable

Blog How Microsoft keeps cloud data secure

Insight The key benefits of using Microsoft 365

Insight 4 key business benefits of cloud computing

Blog 5 major benefits of IT consultancy services

Blog Cyber Essentials update: what you need to know

Blog 3 common colocation myths busted

Blog What is session hijacking, and how can I protect against it?

Blog How to build a successful colocation strategy

Blog What happens to your data centre in a blackout?

Blog 5 business cyber security tips for Christmas

Blog Why businesses are switching to Microsoft Azure

Insight Migrating to the cloud in 10 simple steps

Insight How to pick a data centre with the Tier Classification System

Insight 5 green computing ideas to revolutionise your organisation

Blog Why Microsoft Teams is the best way to collaborate online

Blog How ISO 27001 can protect your business’s information

Blog How to keep your devices safe from malware

Blog How you can help mitigate third party breaches

Blog How to implement secure file sharing for your business

Blog How to enlist employees to fight cyber threats

Blog How to avoid being infected with spyware and adware

Blog The best video conferencing apps for businesses

Insight What does a Clear Desk Policy involve, and what threats does it help counter?

Insight How to avoid malicious websites & applications

Blog How to protect your home network from online threats

Blog Azure explained: what is it and why do you need it?

Blog 4 simple tips to protect your online privacy

Blog What is a virtual private network (VPN)?

Blog How to make remote working more cyber secure

Blog How to stay safe from cyber crime

Blog What does BYOD mean, and what security risks does it involve?

Blog What’s the difference between information and data?

Blog 5 reasons your business needs unified communications

Insight 4 top tips to pass your Cyber Essentials accreditation

Insight How to fix common laptop problems

Blog What is the UK Data Protection Act, and how does it affect your business?

Blog What is IVR phishing, and how can I avoid it?

Blog Where is data stored, and what is a data breach?

Blog Best practices for email and internet security

Blog How to ensure your cloud computing is legally compliant

Blog What is GDPR, and why does it matter for businesses?

Blog What is PCI DSS and how does it affect you and your organisation?

Blog Social engineering attacks: what they are and how to prevent them

Insight How to handle your organisation’s data and information policy

Insight Why software updates are so important (and how to install them)

Insight How to keep your business safe from ransomware attacks

Blog The best security practices for removable devices and media

Blog What is a denial of service attack, and how can I prevent it?

Blog Why having strong passwords really matters

Blog Why mobile device security matters

Blog How to choose the right IT services provider

Blog How to use social media safely (for individuals and businesses)

Blog How to: safeguard your data

Blog What is: Cyber Essentials Accreditation

Blog The real risk of remote working

Blog Don’t let disaster affect your business

Blog The cyber threat to SME’s