The Cyber Essentials scheme continues to evolve in response to the changing cyber threat landscape. The National Cyber Security Centre (NCSC) and the IASME Consortium regularly update the scheme's technical requirements to ensure they remain effective against current threats. For organisations pursuing or renewing Cyber Essentials Plus certification in 2026, it is essential to understand the latest requirements and how they differ from previous versions.
This guide covers the key changes to the Cyber Essentials Plus scheme, what they mean for your organisation, and how to prepare for certification under the updated requirements.
The Cyber Essentials scheme has become the de facto baseline security standard for UK organisations. Backed by the UK Government and administered by IASME on behalf of the NCSC, it provides a clear, independently verified framework that protects against the most common cyber threats. With over 50,000 UK organisations now holding some form of Cyber Essentials certification, the scheme has established itself as the minimum expectation for businesses that handle sensitive data, bid for government contracts, or operate in regulated sectors. The 2026 updates represent the most significant evolution of the requirements in recent years, reflecting the realities of cloud-first IT environments, universal remote working, and an increasingly hostile threat landscape.
Key Changes for 2026
The Cyber Essentials scheme has undergone several significant updates in recent years, culminating in the current requirements that apply to all assessments in 2026. Here are the most important changes organisations need to be aware of:
MFA for All Users: The Biggest Change
The expansion of the MFA requirement to cover all users — not just administrators — is the most significant change to affect organisations in recent updates. Previously, MFA was required primarily for admin accounts and cloud service administrator portals. Now, every user account that accesses cloud services or internet-facing applications must have MFA enabled.
This change reflects the reality that attackers increasingly target standard user accounts, not just admin accounts. A compromised standard user account can still provide access to sensitive data, serve as a launching point for lateral movement, and enable ransomware deployment.
The practical implications of universal MFA are substantial for organisations that have not yet rolled it out to all staff. Every user who accesses Microsoft 365, Google Workspace, Salesforce, cloud-hosted accounting software, or any other internet-facing application must authenticate with a second factor. This includes part-time staff, temporary contractors, and users with limited access. The NCSC recommends using authenticator apps (such as Microsoft Authenticator or Google Authenticator) or hardware security keys as the preferred MFA methods, as SMS-based verification is increasingly vulnerable to SIM-swapping attacks. Organisations with a Microsoft 365 tenant can use Security Defaults to enforce MFA at no additional licensing cost, making this one of the most cost-effective security improvements available.
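The first thing an assessor will want to see is evidence that every account, not just administrators, has a second factor registered, and that the factor is not phone-based where a stronger one is available. The script below is an added example, not Cloudswitched's tooling or a Microsoft export format: it audits a constructed per-user authentication-method export (the column names, user names and method labels are assumptions), lists accounts with no MFA, accounts whose only factor is SMS or voice, and dormant accounts that should be disabled rather than enrolled.

```python
import csv
import io

# Constructed sample export (not real tenant data). The column names are an
# assumption for this example, not a vendor's export schema: one row per
# account, with registered authentication methods separated by ';'.
SAMPLE_EXPORT = """\
user,account_type,methods,last_sign_in_days
alice@example.com,admin,microsoftAuthenticatorPush;fido2,2
bob@example.com,user,sms,5
carol@example.com,user,,1
dave@example.com,contractor,microsoftAuthenticatorPush,40
eve@example.com,user,,200
"""

# Methods treated as acceptable (authenticator app, hardware key, platform
# authenticator) versus weak (phone-based, exposed to SIM swapping).
STRONG_METHODS = {"microsoftAuthenticatorPush", "fido2", "softwareOath",
                  "windowsHelloForBusiness"}
WEAK_METHODS = {"sms", "voice"}


def parse_export(csv_text):
    """Turn the CSV text into a list of account dicts with a set of methods."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts.append({
            "user": row["user"],
            "account_type": row["account_type"],
            "methods": {m for m in row["methods"].split(";") if m},
            "last_sign_in_days": int(row["last_sign_in_days"]),
        })
    return accounts


def audit_mfa(csv_text, stale_days=90):
    """Classify every account: no second factor registered, only a weak
    (phone-based or unrecognised) factor, or compliant. Accounts unused for
    more than `stale_days` are also flagged: a dormant account should be
    disabled, not merely enrolled in MFA."""
    findings = {"no_mfa": [], "weak_only": [], "compliant": [], "stale": []}
    for acct in parse_export(csv_text):
        if acct["last_sign_in_days"] > stale_days:
            findings["stale"].append(acct["user"])
        if not acct["methods"]:
            findings["no_mfa"].append(acct["user"])
        elif acct["methods"] & STRONG_METHODS:
            findings["compliant"].append(acct["user"])
        else:
            findings["weak_only"].append(acct["user"])
    return findings


def coverage_percent(findings):
    """Share of accounts with any second factor; weak factors still count as
    covered here, but are reported separately for remediation."""
    total = sum(len(v) for k, v in findings.items() if k != "stale")
    covered = len(findings["compliant"]) + len(findings["weak_only"])
    return round(100 * covered / total, 1) if total else 0.0


if __name__ == "__main__":
    result = audit_mfa(SAMPLE_EXPORT)
    print(f"MFA coverage: {coverage_percent(result)}%")
    for bucket in ("no_mfa", "weak_only", "stale"):
        for user in result[bucket]:
            print(f"  {bucket:10s} {user}")
```

Run it against a real export and the `no_mfa` list is your remediation queue; the `weak_only` list is the next step, moving SMS users to an authenticator app or hardware key. Treat the `stale` list as an access-review action: the scheme expects unused accounts to be removed or disabled.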
Updated Password Requirements
The Cyber Essentials scheme has aligned its password guidance with the NCSC's broader recommendations. The key changes are:
- With MFA: Passwords must be at least 8 characters. The focus is on preventing common passwords rather than enforcing complex character requirements.
- Without MFA: Where MFA is not technically possible, passwords must be at least 12 characters.
- No forced periodic changes: The scheme no longer encourages mandatory password rotation (e.g., changing every 90 days). Research shows this leads to weaker passwords. Passwords should only be changed when there is evidence of compromise.
- Brute-force protection: Account lockout or throttling must be in place for all internet-accessible accounts. The scheme's threshold is lockout after no more than 10 unsuccessful attempts, or, where throttling is used, no more than 10 guesses within any five-minute period.
These changes are significant because they overturn years of conventional wisdom about password management. Many UK organisations still enforce 90-day password rotation policies and complex character requirements, believing these make their systems more secure. In reality, the NCSC has demonstrated convincingly that forced rotation leads to predictable password patterns (such as incrementing a number at the end) and that complexity requirements lead to shorter, harder-to-remember passwords that users write down. The modern approach — longer passwords that are easy to remember, combined with MFA and blocklists of commonly breached passwords — provides substantially better protection with less user friction.
If your organisation uses Microsoft 365, enable Microsoft Entra Password Protection (formerly Azure AD Password Protection) to automatically block commonly used and breached passwords. The global banned-password list is applied to every tenant at no additional licence cost; adding custom banned terms (such as your company name, location, or industry terms) requires a Microsoft Entra ID P1 or P2 licence. Combined with MFA enforcement via Security Defaults, this provides robust protection against credential-based attacks.
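The password rules and the brute-force requirement above are easy to state and easy to get subtly wrong in an in-house application or portal that the assessor will test. The following is an added example (not code from the page or from Cloudswitched) implementing both: a password check that applies the 8-character-with-MFA / 12-character-without rule, a denylist and organisation-specific banned terms, with no complexity or expiry rules; and a per-account throttle that refuses further guesses after 10 failures in five minutes. The denylist is a constructed six-entry stand-in for a real breached-password corpus, and the clock is injectable so the window can be tested without sleeping.

```python
import time
from collections import deque

# Constructed stand-in for a breached/common-password denylist. A real
# deployment would use a large list (a breach corpus or a tenant-wide banned
# password list), not these six entries.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein",
                    "qwerty123", "summer2026"}


def password_acceptable(password, mfa_enabled, denylist=COMMON_PASSWORDS,
                        banned_terms=()):
    """Apply the scheme's length rule (8+ characters where MFA protects the
    account, 12+ where it cannot) plus a denylist and organisation-specific
    banned terms. Deliberately no character-class rules and no expiry:
    rotation is triggered only by suspected compromise, which is handled
    elsewhere."""
    minimum = 8 if mfa_enabled else 12
    if len(password) < minimum:
        return False, f"shorter than {minimum} characters"
    lowered = password.lower()
    if lowered in denylist:
        return False, "matches common-password denylist"
    for term in banned_terms:
        if term.lower() in lowered:
            return False, f"contains banned term '{term}'"
    return True, "ok"


class LoginThrottle:
    """Brute-force protection: refuse further guesses for an account once
    `max_attempts` failures have occurred within `window` seconds. Defaults
    match the scheme's threshold of no more than 10 guesses in 5 minutes."""

    def __init__(self, max_attempts=10, window=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = {}  # account -> deque of failure timestamps

    def _recent(self, account):
        """Drop failures that have aged out of the window; return the rest."""
        now = self.clock()
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q, now

    def allowed(self, account):
        q, _ = self._recent(account)
        return len(q) < self.max_attempts

    def record_failure(self, account):
        q, now = self._recent(account)
        q.append(now)

    def record_success(self, account):
        self._failures.pop(account, None)

    def attempt(self, account, password, verify):
        """Gate a login: throttle check first, then the credential check.
        `verify` is the caller's password verifier (e.g. a hash comparison).
        The throttle is checked before verification so that a correct guess
        after the limit is also refused."""
        if not self.allowed(account):
            return False, "throttled"
        if verify(password):
            self.record_success(account)
            return True, "ok"
        self.record_failure(account)
        return False, "bad password"


if __name__ == "__main__":
    print(password_acceptable("Tr0ub4dor&3", mfa_enabled=True))
    print(password_acceptable("Tr0ub4dor&3", mfa_enabled=False))
    throttle = LoginThrottle()
    for _ in range(11):
        print(throttle.attempt("demo", "wrong", lambda p: p == "right"))
```

Note that the throttle keys on the account, not the source IP: password spraying rotates addresses, so an IP-based limit alone does not satisfy the requirement.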
Cloud Services Scoping Clarification
The updated requirements provide much clearer guidance on how cloud services fit into the CE+ scope. All cloud services that your organisation configures, manages, or is responsible for are now explicitly in scope. This includes:
- SaaS platforms: Microsoft 365, Google Workspace, Salesforce, accounting software, CRM systems
- IaaS/PaaS: Azure, AWS, Google Cloud virtual machines and services
- Cloud-hosted applications: Any web application your organisation uses for business
The shared responsibility model is now explicitly referenced. Your organisation is responsible for how you configure and use the service (user accounts, access controls, data protection), while the cloud provider is responsible for the underlying infrastructure security.
Remote and Hybrid Working Requirements
The scheme now provides explicit guidance for remote and hybrid working scenarios. Key points include:
- All devices used to access organisational data are in scope, regardless of physical location
- Home workers' devices must have a properly configured software firewall
- Company-owned home routers are in scope; personal routers are not (but the device firewall must compensate)
- BYOD devices are in scope if they access organisational data
- Cloud-based device management (MDM) is the recommended approach for managing remote devices
The remote working requirements have particular implications for UK organisations, where hybrid working has become the norm following the pandemic. The Office for National Statistics reports that approximately 40% of UK workers now spend at least part of their week working from home. For these organisations, ensuring that every home-working device meets CE+ standards — with up-to-date software, active firewalls, anti-malware protection, and MFA on all cloud services — requires a systematic approach to device management that many smaller organisations have not yet implemented. Microsoft Intune, Jamf (for macOS), and similar MDM platforms provide the tooling needed to enforce security policies remotely and verify compliance from a central console.
For organisations with BYOD policies, consider implementing Microsoft Intune App Protection Policies (mobile application management, or MAM). These allow you to enforce security controls on the organisational data inside managed apps without requiring full device enrolment. This approach respects employee privacy on personal devices while still meeting CE+ requirements for data protection. Users can access Outlook, Teams, and OneDrive on personal phones with organisational data encrypted and protected by PIN or biometric access.
Firmware and Network Device Updates
The 2026 requirements place greater emphasis on keeping firmware up to date on network devices. This includes:
- Routers: Must run supported firmware with security patches applied
- Firewalls: Both hardware and software firewalls must be on supported, patched versions
- Switches: Managed switches must be kept up to date
- VPN appliances: Critical given the number of VPN-targeted attacks in recent years
- Wireless access points: Must run supported firmware
This requirement reflects the growing trend of attackers targeting network infrastructure rather than endpoints. High-profile vulnerabilities in VPN appliances from Fortinet, Cisco, and Ivanti have been actively exploited in attacks against UK organisations, with the NCSC issuing multiple alerts about these threats. Many organisations diligently patch their Windows endpoints and cloud services but forget about the firmware running on their routers and firewalls. Under the 2026 requirements, these devices are held to the same 14-day patching standard as everything else in scope.
The 14-Day Patching Rule
The 14-day patching requirement remains a cornerstone of the scheme. All security updates that fix vulnerabilities the scheme classes as critical or high risk (vendor-rated critical or high, a CVSS v3 base score of 7.0 or above, or updates for which the vendor gives no severity details) must be applied within 14 days of release. In 2026, this requirement is applied more broadly, with firmware on routers, firewalls, switches, VPN appliances and access points held to the same deadline as operating systems, applications and cloud services:
[Comparison graphic: "Proactive Patch Management" versus "Reactive / Ad-Hoc Patching". Only the two column headings survive; the body of the comparison is not reproduced here.]
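Whether a given update is inside or outside the 14-day rule, and whether firmware on network devices is being tracked at all, is exactly what an assessor checks. The script below is an added example, not Cloudswitched's tooling or anything from the scheme documents: it applies the scheme's scoping test (vendor critical/high, CVSS v3 7.0 or above, or no severity given) to a constructed inventory covering endpoints and network-device firmware alike, and reports each in-scope update as ok, late, pending or overdue against its release-plus-14-days deadline. The asset names, field names and dates are all assumptions.

```python
from datetime import date, timedelta

PATCH_DEADLINE_DAYS = 14

# Constructed inventory (not real assets). Field names are an assumption for
# this example: one row per security update per asset, covering endpoints,
# cloud workloads and network-device firmware. `applied` is None while the
# update is still pending.
INVENTORY = [
    {"asset": "fw-edge-01", "kind": "firewall firmware", "cvss": 9.8,
     "vendor_rating": "critical", "released": date(2026, 1, 5),
     "applied": date(2026, 1, 12)},
    {"asset": "vpn-01", "kind": "VPN appliance firmware", "cvss": 8.1,
     "vendor_rating": "high", "released": date(2026, 1, 10), "applied": None},
    {"asset": "laptop-042", "kind": "Windows 11", "cvss": 5.3,
     "vendor_rating": "moderate", "released": date(2026, 1, 28),
     "applied": None},
    {"asset": "sw-core-01", "kind": "switch firmware", "cvss": None,
     "vendor_rating": None, "released": date(2026, 2, 5), "applied": None},
    {"asset": "ap-03", "kind": "access point firmware", "cvss": 7.5,
     "vendor_rating": "high", "released": date(2026, 1, 20),
     "applied": date(2026, 2, 10)},
]
TODAY = date(2026, 2, 15)  # fixed so the example is reproducible


def in_scope(row):
    """An update falls under the 14-day rule when the vendor rates it
    critical or high, its CVSS v3 base score is 7.0 or above, or no severity
    is given at all (treated as the worst case)."""
    cvss, rating = row.get("cvss"), row.get("vendor_rating")
    if cvss is None and not rating:
        return True
    if cvss is not None and cvss >= 7.0:
        return True
    return bool(rating) and rating.lower() in ("critical", "high")


def evaluate(inventory, today):
    """One finding per in-scope update: ok (applied in time), late (applied
    after the deadline), pending (unapplied, deadline not yet reached) or
    overdue (unapplied and past the deadline), with days beyond deadline."""
    findings = []
    for row in inventory:
        if not in_scope(row):
            continue
        deadline = row["released"] + timedelta(days=PATCH_DEADLINE_DAYS)
        applied = row["applied"]
        if applied is None:
            status = "overdue" if today > deadline else "pending"
            days_late = max(0, (today - deadline).days)
        else:
            status = "late" if applied > deadline else "ok"
            days_late = max(0, (applied - deadline).days)
        findings.append({"asset": row["asset"], "kind": row["kind"],
                         "deadline": deadline, "status": status,
                         "days_late": days_late})
    return findings


def status_by_asset(inventory, today):
    """Compact view for reporting: asset -> (status, days_late)."""
    return {f["asset"]: (f["status"], f["days_late"])
            for f in evaluate(inventory, today)}


if __name__ == "__main__":
    for f in evaluate(INVENTORY, TODAY):
        print(f"{f['asset']:12s} {f['kind']:24s} deadline {f['deadline']}  "
              f"{f['status']:8s} +{f['days_late']}d")
```

The unrated switch firmware is the case organisations most often get wrong: with no vendor severity it is treated as in scope and pending, not ignored. The Windows update with a moderate rating and CVSS 5.3 is correctly left out of the 14-day count, though it should still be applied in the normal cycle.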
Thin Clients and Virtual Desktop Infrastructure
The 2026 requirements include specific guidance for organisations using thin client devices and virtual desktop infrastructure (VDI). Key requirements include:
- Thin client devices must run supported firmware/operating systems
- The virtual desktop environment must meet all five CE+ controls
- User access controls must be enforced at both the thin client and virtual desktop levels
- Data stored on the virtual desktop platform must be protected by the platform's security controls
Enhanced Scoping Guidance
The NCSC and IASME have provided clearer scoping guidance for 2026, addressing several areas that previously caused confusion:
CE+ Assessment Failure Rates by Control Area
Understanding where UK organisations most commonly fail their CE+ assessments helps you prioritise your preparation efforts. The following chart shows the failure distribution across the five technical controls (firewalls, secure configuration, security update management, user access control, and malware protection) based on aggregated assessment data from IASME-accredited certification bodies:
Patch management is the leading cause of CE+ assessment failures, driven primarily by the expanded scope to include firmware updates and the strict 14-day timeline. The user access control category has seen a sharp increase in failure rates since the MFA-for-all-users requirement was introduced, as many organisations had not completed their MFA rollout to standard user accounts. Addressing these two areas should be the highest priority for any organisation preparing for a 2026 assessment.
2026 Compliance Readiness Scorecard
The following scorecard reflects the typical readiness of UK organisations against the updated 2026 requirements before beginning their preparation process. Scores are based on our experience conducting gap assessments across organisations of all sizes and sectors. Areas scoring below 60% typically require the most remediation effort.
What This Means for Your Renewal
If your organisation already holds Cyber Essentials Plus and is due for renewal in 2026, you will be assessed against the current 2026 requirements. This may mean changes are needed even if you passed the previous year's assessment without issues. The most common areas where existing certified organisations need to make changes include:
- Extending MFA to all users (not just admins)
- Updating password policies to align with new guidance
- Including remote devices that may have been previously excluded
- Updating firmware on network devices that may have been overlooked
- Reviewing cloud service configurations against updated scoping guidance
Preparing for Your 2026 Assessment
Whether you are certifying for the first time or renewing, here is a practical checklist for the 2026 requirements:
- Confirm MFA is enabled and enforced for all user accounts on all cloud services
- Review and update your password policy to align with the latest guidance
- Verify that all remote and hybrid worker devices are in scope and meet all five controls
- Check that firmware is up to date on all routers, firewalls, switches, and VPN appliances
- Ensure all software across your estate is supported and patched within 14 days
- Remove or isolate any unsupported operating systems or applications
- Verify that all cloud service admin accounts are separate from standard user accounts
- Confirm that anti-malware protection is active and up to date on every device
- Review firewall configurations on both network and device-level firewalls
- Document your scope clearly, including all cloud services, remote devices, and BYOD arrangements
Create a scope document before beginning your assessment preparation. List every cloud service, every device type, every network device, and every user category in your organisation. Share this with your assessor or IT partner upfront — it prevents scope creep during the assessment and ensures nothing is overlooked. Pay particular attention to shadow IT: cloud services that departments have adopted without IT approval. These are in scope if they access organisational data, and they are one of the most common sources of unexpected assessment findings.
How Cloudswitched Keeps You Current
At Cloudswitched, we continuously monitor changes to the Cyber Essentials scheme and proactively update our clients' security configurations to meet new requirements. Our managed CE+ service ensures that when requirement changes are announced, your organisation is prepared well in advance of your assessment date.
Our fully managed service includes:
- Continuous compliance monitoring throughout the year
- Proactive remediation when scheme requirements change
- Pre-assessment review against the latest requirements
- Full renewal management including scheduling and documentation
- Ongoing support for any questions about the updated requirements
Ready to Get Certified?
Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end — always aligned with the latest 2026 requirements. From gap assessment and remediation to examination and ongoing support.
Stay Ahead of the 2026 Requirements
Cloudswitched provides fully managed Cyber Essentials Plus certification that keeps your organisation aligned with every scheme update — from MFA rollout and patch management to cloud scoping and remote device compliance. Let our experts handle the complexity so you can focus on your business.
