From 27 April 2026, the Cyber Essentials scheme will introduce stricter assessment requirements. If your organisation is planning for certification, now is the time to act — completing your assessment before the deadline allows you to certify under the current framework, which is simpler and less demanding. Your certificate will remain valid for 12 months.

What’s Changing in 2026?

The new requirements, effective from 27 April, are based on version v3.3 of the NCSC Requirements for IT Infrastructure and use the new Danzell Question Set, replacing the previous Willow version. While most changes are minor, there are some key updates businesses need to understand:

Mandatory Multi-Factor Authentication (MFA)

MFA is now mandatory for all cloud services. If a cloud service supports MFA and it is not implemented, the assessment will automatically fail. This applies regardless of whether MFA is free, bundled, or requires a paid feature.

Cloud Services Are Now In Scope

Cloud services are explicitly defined and must be included in your Cyber Essentials scope. Any service accessed via credentials or email that stores or processes your organisation’s data is in scope and cannot be excluded.

Updated Scoping Criteria

All devices connected to the internet are now explicitly in scope. If networks or devices are excluded, you must justify this to your assessor. The “Web Application” section has been renamed “Application Development” and now aligns with the government’s Software Security Code of Practice.

Enhanced User Access Controls

The v3.3 requirements place greater emphasis on MFA and passwordless authentication methods such as:

• FIDO2 authenticators
• Biometrics
• Security keys or tokens
• One-time codes, QR codes, and push notifications

Backups

Backups remain outside the five technical controls but are explicitly recommended. Guidance includes keeping copies off primary devices and disconnecting removable media when not in use.

Why Certify Before the Deadline?

Completing certification before 27 April allows your business to benefit from the current, less demanding framework. After the deadline, assessments must meet the new v3.3 standard, which includes stricter MFA and cloud service requirements. Early certification reduces pressure and ensures continuity in compliance.

How Knowall IT Can Help

At Knowall IT, we specialise in guiding UK businesses through Cyber Essentials and Cyber Essentials Plus certification. Our consultancy ensures a smooth, fast, and fully supported process. Benefits of working with us include:

• One-to-one expert support throughout your assessment
• End-to-end handling of technical tests and documentation
• Fixed-price packages tailored to your business
• Rapid turnaround — we can help you achieve certification within 24 hours once assessments are complete
• Expert advice on implementing MFA, cloud service compliance, and scope planning

Next Steps

If you haven’t yet scheduled your Cyber Essentials assessment for 2026, now is the time. Our team at Knowall IT can:

• Review your current IT infrastructure against the new v3.3 requirements
• Guide you through the Danzell Question Set
• Provide advice on MFA, cloud services, backups, and user access control
• Ensure your organisation is fully prepared before the 27 April deadline

Don’t wait until the new standards take effect. Click here to secure your Cyber Essentials certification and stay ahead of the 2026 changes.