
Cyber Essentials Plus in 2026: Updated Requirements and Changes


The Cyber Essentials scheme continues to evolve in response to the changing cyber threat landscape. The National Cyber Security Centre (NCSC) and the IASME Consortium regularly update the scheme's technical requirements to ensure they remain effective against current threats. For organisations pursuing or renewing Cyber Essentials Plus certification in 2026, it is essential to understand the latest requirements and how they differ from previous versions.

This guide covers the key changes to the Cyber Essentials Plus scheme, what they mean for your organisation, and how to prepare for certification under the updated requirements.

Key Changes for 2026

The Cyber Essentials scheme has undergone several significant updates in recent years, culminating in the current requirements that apply to all assessments in 2026. Here are the most important changes organisations need to be aware of:

Area | Previous Requirement | 2026 Requirement
---- | -------------------- | ----------------
MFA | Required for admin accounts on cloud services | Required for all users on all cloud and internet-facing services
Password Policy | Minimum 8 characters with complexity | Minimum 8 characters with MFA; 12 characters without MFA. No forced periodic changes
Cloud Services | Limited scoping guidance | All organisational cloud services are in scope, with clear shared-responsibility guidance
Home/Remote Workers | Ambiguous scoping for remote devices | All devices accessing organisational data are in scope regardless of location
Thin Clients | Not explicitly addressed | Specific guidance for thin client and virtual desktop environments
Firmware Updates | Focus primarily on software patches | Firmware on routers, firewalls and network devices must also be kept current

MFA for All Users: The Biggest Change

The expansion of the MFA requirement to cover all users — not just administrators — is the most significant change to affect organisations in recent updates. Previously, MFA was required primarily for admin accounts and cloud service administrator portals. Now, every user account that accesses cloud services or internet-facing applications must have MFA enabled.

  • 100% of cloud service user accounts now require MFA
  • 99.9% of account compromise attacks blocked by MFA (Microsoft's figure)
  • #1 most common reason for CE+ assessment failure in 2025/2026

This change reflects the reality that attackers increasingly target standard user accounts, not just admin accounts. A compromised standard user account can still provide access to sensitive data, serve as a launching point for lateral movement, and enable ransomware deployment.

Action Required: If your organisation has not yet rolled out MFA to all users, this must be addressed before your CE+ assessment. In Microsoft 365, Security Defaults enforce MFA for every user at no additional licensing cost, while Conditional Access policies (which require Microsoft Entra ID P1, included in Microsoft 365 Business Premium) give finer control. Whichever you use, also block legacy authentication protocols (Security Defaults do this automatically), because a client that authenticates with only a username and password bypasses MFA entirely, and check that no users have been excluded from the policy.

Updated Password Requirements

The Cyber Essentials scheme has aligned its password guidance with the NCSC's broader recommendations. The key changes are:

  • With MFA: Passwords must be at least 8 characters. The focus is on preventing common passwords rather than enforcing complex character requirements.
  • Without MFA: Where MFA is not technically possible, passwords must be at least 12 characters.
  • No forced periodic changes: The scheme no longer encourages mandatory password rotation (e.g., changing every 90 days). Research shows this leads to weaker passwords. Passwords should only be changed when there is evidence of compromise.
  • Brute-force protection: Account lockout or throttling must be in place for all internet-accessible accounts. The scheme sets the threshold: lock the account after no more than 10 unsuccessful attempts, or throttle guessing to no more than 10 attempts within 5 minutes.

Old Approach (No Longer Recommended)

  • Forced password changes every 30–90 days
  • Complex requirements (uppercase, number, symbol)
  • Short passwords with high complexity
  • No MFA requirement for standard users
  • Same rules for all account types

2026 Approach (Current Best Practice)

  • Change passwords only when compromised
  • Block common/breached passwords
  • Longer passwords (8+ with MFA, 12+ without)
  • MFA required for all cloud accounts
  • Different rules based on MFA availability

Cloud Services Scoping Clarification

The updated requirements provide much clearer guidance on how cloud services fit into the CE+ scope. All cloud services that your organisation configures, manages, or is responsible for are now explicitly in scope. This includes:

  • SaaS platforms: Microsoft 365, Google Workspace, Salesforce, accounting software, CRM systems
  • IaaS/PaaS: Azure, AWS, Google Cloud virtual machines and services
  • Cloud-hosted applications: Any web application your organisation uses for business

The shared responsibility model is now explicitly referenced. Your organisation is responsible for how you configure and use the service (user accounts, access controls, data protection), while the cloud provider is responsible for the underlying infrastructure security.

Practical Implication: You cannot exclude a cloud service from scope simply because the provider manages the infrastructure. If your organisation's users access the service and your organisation configures user accounts and permissions, it is in scope. You must demonstrate that MFA is enabled, access controls are properly configured, and admin accounts are separate from standard user accounts.

Remote and Hybrid Working Requirements

The scheme now provides explicit guidance for remote and hybrid working scenarios. Key points include:

  • All devices used to access organisational data are in scope, regardless of physical location
  • Home workers' devices must have a properly configured software firewall
  • Company-owned home routers are in scope; personal routers are not (but the device firewall must compensate)
  • BYOD devices are in scope if they access organisational data
  • Cloud-based device management (MDM) is the recommended approach for managing remote devices

Firmware and Network Device Updates

The 2026 requirements place greater emphasis on keeping firmware up to date on network devices. This includes:

  • Routers: Must run supported firmware with security patches applied
  • Firewalls: Both hardware and software firewalls must be on supported, patched versions
  • Switches: Managed switches must be kept up to date
  • VPN appliances: Critical given the number of VPN-targeted attacks in recent years
  • Wireless access points: Must run supported firmware

14 days is the maximum time allowed to apply critical security patches, and this applies to firmware as well as software.

The 14-Day Patching Rule

The 14-day patching requirement remains a cornerstone of the scheme. Updates that fix vulnerabilities rated critical or high (a CVSS v3 base score of 7.0 or above), or for which the vendor publishes no severity rating at all, must be applied within 14 days of release. In 2026 this requirement is applied more broadly:

Update Type | Deadline
----------- | --------
Operating system patches | 14 days
Application patches (browsers, Office, etc.) | 14 days
Firmware updates (routers, firewalls, VPN) | 14 days
Unsupported software (no patches available) | Must be removed
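As an added example (not code from the original post or from Cloudswitched), the checker below applies the 14-day rule to a constructed patch inventory covering operating systems, applications and firmware alike, and flags unsupported software that has no patches to apply. The inventory records, asset names and the fixed assessment date are assumptions made for the example; the 7.0 CVSS cut-off and the "no severity published" case follow the scheme's definition of a high-risk update.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PATCH_SLA = timedelta(days=14)  # apply within 14 days of release
HIGH_RISK_CVSS = 7.0            # critical or high under CVSS v3


@dataclass
class PatchRecord:
    asset: str                    # device or software the update applies to
    kind: str                     # "os", "application" or "firmware"; same rule for all
    update: str
    released: date
    cvss: Optional[float]         # None = vendor published no severity score
    applied: Optional[date]       # None = still outstanding
    supported: bool = True        # False = product is out of vendor support


def is_high_risk(rec: PatchRecord) -> bool:
    """High-risk means CVSS 7.0 or above, or no score published at all."""
    return rec.cvss is None or rec.cvss >= HIGH_RISK_CVSS


def assess(rec: PatchRecord, today: date) -> Tuple[str, str]:
    """Classify one record as pass / warn / fail / info with a reason."""
    if not rec.supported:
        return ("fail", "unsupported: no patches available, must be removed or isolated")
    if not is_high_risk(rec):
        return ("info", "below the high-risk threshold; 14-day rule does not apply")
    deadline = rec.released + PATCH_SLA
    if rec.applied is None:
        if today > deadline:
            return ("fail", f"outstanding; deadline {deadline} missed by {(today - deadline).days} days")
        return ("warn", f"outstanding; {(deadline - today).days} days left to apply")
    if rec.applied > deadline:
        return ("fail", f"applied {(rec.applied - deadline).days} days after the deadline")
    return ("pass", f"applied within {(rec.applied - rec.released).days} days of release")


def report(records: List[PatchRecord], today: date) -> Dict[str, Tuple[str, str]]:
    return {rec.asset: assess(rec, today) for rec in records}


def is_compliant(records: List[PatchRecord], today: date) -> bool:
    """True only when no record in the inventory fails the rule."""
    return all(status != "fail" for status, _ in report(records, today).values())


# Constructed sample inventory for this example; dates are relative to TODAY.
TODAY = date(2026, 3, 2)
SAMPLE_INVENTORY = [
    PatchRecord("fw-edge-01", "firmware", "Edge firewall firmware 7.2.1",
                date(2026, 2, 1), 9.8, date(2026, 2, 20)),
    PatchRecord("lt-0042", "os", "Windows cumulative update",
                date(2026, 2, 10), 8.1, date(2026, 2, 17)),
    PatchRecord("ap-wifi-03", "firmware", "Access point firmware",
                date(2026, 2, 12), None, None),
    PatchRecord("srv-files", "application", "File-sync client update",
                date(2026, 2, 25), 5.3, None),
    PatchRecord("srv-legacy", "os", "Windows Server 2012 R2",
                date(2026, 1, 1), None, None, supported=False),
    PatchRecord("vpn-01", "firmware", "VPN appliance firmware",
                date(2026, 2, 24), 7.5, None),
]


if __name__ == "__main__":
    for asset, (status, reason) in report(SAMPLE_INVENTORY, TODAY).items():
        print(f"{status.upper():5} {asset:12} {reason}")
    print("compliant:", is_compliant(SAMPLE_INVENTORY, TODAY))
```

The "warn" state is there for a reason: an assessor looks at whether the deadline was met, but an organisation preparing for CE+ wants to see outstanding updates while there is still time to act. Feed it a real export from your patch-management tooling and run it weekly.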

Thin Clients and Virtual Desktop Infrastructure

The 2026 requirements include specific guidance for organisations using thin client devices and virtual desktop infrastructure (VDI). Key requirements include:

  • Thin client devices must run supported firmware/operating systems
  • The virtual desktop environment must meet all five CE+ controls (firewalls, secure configuration, security update management, user access control and malware protection)
  • User access controls must be enforced at both the thin client and virtual desktop levels
  • Data stored on the virtual desktop platform must be protected by the platform's security controls

Enhanced Scoping Guidance

The NCSC and IASME have provided clearer scoping guidance for 2026, addressing several areas that previously caused confusion:

Scenario | In Scope? | Notes
-------- | --------- | -----
Company laptop used at home | Yes | All five controls must be applied
Employee's personal phone checking work email | Yes | If it accesses organisational data
Employee's home broadband router | No (if personal) | Device firewall must compensate
Company-provided home router | Yes | Must be securely configured and patched
SaaS application (e.g., Salesforce) | Yes | Your configuration and user access controls
Internet-connected printer | Yes | If on the organisational network

What This Means for Your Renewal

If your organisation already holds Cyber Essentials Plus and is due for renewal in 2026, you will be assessed against the current 2026 requirements. This may mean changes are needed even if you passed the previous year's assessment without issues. The most common areas where existing certified organisations need to make changes include:

  1. Extending MFA to all users (not just admins)
  2. Updating password policies to align with new guidance
  3. Including remote devices that may have been previously excluded
  4. Updating firmware on network devices that may have been overlooked
  5. Reviewing cloud service configurations against updated scoping guidance

Renewal Tip: Don't wait until your renewal date to address these changes. Start reviewing your compliance against the 2026 requirements at least 4–6 weeks before your renewal assessment. This gives you time to remediate any gaps without rushing.

Preparing for Your 2026 Assessment

Whether you are certifying for the first time or renewing, here is a practical checklist for the 2026 requirements:

  • Confirm MFA is enabled and enforced for all user accounts on all cloud services
  • Review and update your password policy to align with the latest guidance
  • Verify that all remote and hybrid worker devices are in scope and meet all five controls
  • Check that firmware is up to date on all routers, firewalls, switches, and VPN appliances
  • Ensure all software across your estate is supported and patched within 14 days
  • Remove or isolate any unsupported operating systems or applications
  • Verify that all cloud service admin accounts are separate from standard user accounts
  • Confirm that anti-malware protection is active and up to date on every device
  • Review firewall configurations on both network and device-level firewalls
  • Document your scope clearly, including all cloud services, remote devices, and BYOD arrangements

How Cloudswitched Keeps You Current

At Cloudswitched, we continuously monitor changes to the Cyber Essentials scheme and proactively update our clients' security configurations to meet new requirements. Our managed CE+ service ensures that when requirement changes are announced, your organisation is prepared well in advance of your assessment date.

Our fully managed service includes:

  • Continuous compliance monitoring throughout the year
  • Proactive remediation when scheme requirements change
  • Pre-assessment review against the latest requirements
  • Full renewal management including scheduling and documentation
  • Ongoing support for any questions about the updated requirements

Ready to Get Certified?

Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end, always aligned with the latest 2026 requirements, from gap assessment and remediation through to the assessment itself and ongoing support.

Tags: Cyber Essentials Plus, 2026 Updates, Requirements

CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.