Why the Cyber Essentials changes catch organisations out
Cyber Essentials is changing in April 2026. You know it matters. You do not yet know how much work it creates, where the risk sits, or what action you need to take.
Here is the straight answer.
The April 2026 Cyber Essentials changes raise the bar on how clearly and consistently you apply existing controls, especially around Multi Factor Authentication (MFA) and cloud services. For most organisations, this means more preparation, better visibility, and fewer grey areas. The right move now is to identify where gaps exist and put clear ownership around fixing them, rather than leaving it to renewal time.
What Cyber Essentials is and why organisations have it
Cyber Essentials is a UK government-backed certification that sets a baseline for protecting organisations against common cyber threats. It focuses on five core technical controls, covering areas like access, patching, malware protection and network security.
For many organisations, Cyber Essentials is not just a security exercise.
- It is required to bid for public sector contracts.
- It reassures customers and partners that basic protections are in place.
- It supports cyber insurance conversations.
- It gives boards a tangible way to demonstrate risk management.
In short, it provides a recognised minimum standard. Not perfection, but proof that the fundamentals are being taken seriously.
What is changing and why it exists
Cyber Essentials is not being rebuilt. The five core controls remain the same. They still focus on the fundamentals most organisations already recognise: controlling access, keeping systems securely configured, protecting against malware, managing updates, and limiting exposure to the internet.
What is changing is how strictly those fundamentals are applied and how much interpretation is allowed.
From April 2026, assessments move to an updated requirements set, published by IASME, the UK Government’s official Cyber Essentials delivery partner, in collaboration with the National Cyber Security Centre (NCSC), and designed to remove ambiguity.
The scheme now expects those baseline controls to be applied consistently across modern environments, particularly cloud services and user identities, rather than selectively or in theory.
The reason is simple. Cyber risk has shifted. Most incidents today are not caused by exotic attacks, but by weak access controls, misconfigured cloud platforms, and gaps between what organisations think is in place and what actually is. The scheme is being tightened to reflect that reality.
THE MOST IMPACTFUL CONFIRMED CHANGES
The update introduces stricter enforcement in a few key areas:
- Multi‑factor authentication is mandatory wherever it is available. If a cloud service supports MFA and it is not enabled, this will result in an automatic failure. This applies regardless of cost, licence tier, or convenience.
- Cloud services must be included in scope. Any cloud service used to store or process organisational data is now explicitly in scope. This includes platforms such as Microsoft 365, collaboration tools, and line‑of‑business SaaS applications.
- Scoping and definitions are tighter. IASME has reduced tolerance for broad or loosely justified scope exclusions. Assessments now place greater emphasis on clarity, evidence, and segregation where partial scope is claimed.
These changes apply to new assessment accounts created from late April 2026 onwards. Assessments created before that date have a short grace period, but all future renewals will be assessed against the updated standard.
Why government changes are shaping this update
Cyber Essentials does not exist in isolation. It is designed to align with wider UK government cyber policy and technical guidance from the NCSC.
In recent years, government focus has shifted toward:
- Identity security as a primary attack vector
- Cloud services as critical infrastructure, not optional tooling
- Reducing preventable incidents across supply chains, particularly those supporting public sector services
Cyber Essentials is relied on as a baseline across both public and private sectors. Tightening enforcement is not about raising the bar arbitrarily, but about ensuring the certification reflects how organisations actually operate today.
This update makes the scheme more credible, not more complex.
Why this matters now
For many organisations, Cyber Essentials is non-negotiable. It underpins contracts, supply chain trust, insurance conversations and board confidence.
The risk is not that the controls are unreasonable. The risk is assuming you are already compliant, when in practice controls are applied inconsistently.
This is where people get caught out.
MFA might be enabled for administrators but not for all users. Cloud platforms might be heavily used but poorly documented. Security ownership might be split across IT, finance and operations with no single view.
Under the new rules, those gaps are visible.
COMMON MISCONCEPTIONS THAT CAUSE PROBLEMS
“We already have Cyber Essentials, so this will be minor.”
Often incorrect. Organisations that previously passed with partial MFA, selective cloud scoping, or broad interpretations of access control may now need to demonstrate consistency across all users and services.
“This only affects IT.”
It does not. Cloud services in scope include HR platforms, finance systems, CRM tools, and collaboration software. Ownership of those systems often sits outside IT. Without cross‑functional involvement, gaps are easy to miss.
“We’ll deal with it at renewal.”
This is where organisations lose control. MFA rollouts, cloud service reviews, and access audits take time and coordination. Leaving it until renewal compresses decisions and increases the risk of failure or rushed fixes.
What good looks like
Well-prepared organisations do three things well.
They know exactly what systems and services are in scope.
They apply identity controls consistently, not selectively.
They can explain their security posture in plain business terms.
Our Field Chief Information Security Officer, Phil Bindley says:
Cyber Essentials v3.3 is not a rewrite, but a tightening - closing loopholes, modernising the standard and raising the baseline.
The outcome is a significantly more reliable indicator of organisational cyber hygiene and materially improved resilience for customers who comply.
This is not about perfection. It is about clarity and control.
How can organisations reduce the load?
This is where many IT leaders feel the squeeze. You are accountable for the outcome, but you do not always control every lever.
Senior security leadership is hard to come by. Board‑level expertise is expensive, highly competitive, and often tied up in long hiring cycles. Even when organisations know they need that level of oversight, building or hiring a full‑time CISO is not always realistic, especially when change is already underway and time is tight.
That gap is why many organisations turn to external, on‑demand security leadership. It provides access to experienced, board‑level expertise without waiting months to recruit or over‑stretching internal teams who are already under pressure.
A virtual CISO brings structure to that problem. Not by doing the work for you, but by setting direction, prioritising risk, and translating requirements into clear actions.
How Intercity’s vCISO service works
- Discovery and context. We start by understanding how your organisation actually operates: your systems, cloud services, data, and who owns what.
- Baseline assessment. Your current security posture is assessed against recognised standards, including Cyber Essentials, so you know what is in place and what is not.
- Clear priorities. We translate requirements into a focused roadmap: what needs fixing, what can wait, and what actually reduces risk.
- Ongoing guidance. Your vCISO stays involved, helping interpret changes from IASME and the NCSC and supporting decisions as things evolve.
- Leadership visibility. Clear reporting gives IT leaders and boards confidence that cyber risk is being actively managed, not just certified.
How this helps with Cyber Essentials 2026
- Exposes MFA and cloud gaps early
- Removes ambiguity around scope and ownership
- Avoids last‑minute fixes at renewal
- Makes compliance part of a wider security strategy, not a scramble
What our customers say:
“Working with Phil as our vCISO has been a great experience. He is strategic, knowledgeable and easy to work with. He has helped us strengthen our security posture and align our cybersecurity efforts with business goals. His guidance has been invaluable and working with Intercity gives the board confidence that we are actively addressing a significant business risk.” Anthony Duncan, Head of IT at Greater Birmingham Chamber of Commerce
That confidence matters when standards change.
A practical next step
If you want to stay in control of the April 2026 changes, start here.
- Create a short, honest view of your current state.
- List your cloud services.
- Check where MFA is enabled.
- Identify who owns each control.
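"Check where MFA is enabled" is the step most often done by hand and done incompletely, which is exactly how the administrators-only gap described earlier survives. The script below is an added example and is not part of the original post or any Intercity tooling. It triages a per-user MFA registration report in the shape returned by Microsoft Graph's GET /reports/authenticationMethods/userRegistrationDetails (the fields isAdmin, isMfaRegistered, isMfaCapable and methodsRegistered), so it applies to the Microsoft 365 tenants the post names; the user records and method names in the sample are constructed for illustration, and the split between "strong" and "phone-based" methods is this example's own classification, not a requirement of the scheme.

```python
"""Triage an Entra ID MFA registration report for Cyber Essentials gaps.

Added example, not from the original post. The record layout assumes
Microsoft Graph's userRegistrationDetails report; the records below are
constructed sample data, not output from a real tenant.
"""
from dataclasses import dataclass, field

# Phone-based methods still satisfy "MFA is enabled", but a practitioner
# will usually want them listed separately because they are the weakest
# second factors. This split is the example's own choice.
PHONE_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}

SAMPLE_REPORT = [  # constructed sample records
    {"userPrincipalName": "admin@example.org", "isAdmin": True,
     "isMfaRegistered": True, "isMfaCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "finance@example.org", "isAdmin": False,
     "isMfaRegistered": False, "isMfaCapable": False,
     "methodsRegistered": []},
    {"userPrincipalName": "hr@example.org", "isAdmin": False,
     "isMfaRegistered": True, "isMfaCapable": True,
     "methodsRegistered": ["mobilePhone"]},
    # The classic "convenience" exception: an admin account with no MFA.
    {"userPrincipalName": "breakglass@example.org", "isAdmin": True,
     "isMfaRegistered": False, "isMfaCapable": False,
     "methodsRegistered": []},
]


@dataclass
class MfaGapReport:
    admins_without_mfa: list[str] = field(default_factory=list)
    users_without_mfa: list[str] = field(default_factory=list)
    phone_only: list[str] = field(default_factory=list)

    @property
    def passes(self) -> bool:
        # Every account, admin or not, must have a usable second factor.
        return not self.admins_without_mfa and not self.users_without_mfa


def triage(records) -> MfaGapReport:
    """Sort each user into a gap bucket from one registration record."""
    report = MfaGapReport()
    for r in records:
        upn = r["userPrincipalName"]
        methods = set(r.get("methodsRegistered", []))
        # Registered alone is not enough: a method the tenant's
        # authentication methods policy disables cannot answer a prompt,
        # so require isMfaCapable as well.
        if not (r.get("isMfaRegistered") and r.get("isMfaCapable")):
            bucket = (report.admins_without_mfa if r.get("isAdmin")
                      else report.users_without_mfa)
            bucket.append(upn)
        elif methods and methods <= PHONE_METHODS:
            report.phone_only.append(upn)
    return report


def summarise(report: MfaGapReport) -> list[str]:
    """Plain-language lines a non-IT owner can act on."""
    lines = [f"Admins without MFA: {len(report.admins_without_mfa)}",
             f"Other users without MFA: {len(report.users_without_mfa)}",
             f"Users relying only on phone-based MFA: {len(report.phone_only)}",
             "Result: " + ("no MFA gaps" if report.passes else "MFA gaps found")]
    return lines


if __name__ == "__main__":
    for line in summarise(triage(SAMPLE_REPORT)):
        print(line)
```

To run it against a real tenant, export the report from the Entra admin centre (Protection, Authentication methods, User registration details) or pull it through Graph with a reporting-scope token, and pass the list of records to triage() in place of SAMPLE_REPORT. The break-glass account in the sample is flagged deliberately: the post's point is that the updated requirements accept no convenience exceptions, so a single unprotected admin fails the check.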
If that feels harder than it should, that is your signal. Early, expert guidance reduces last‑minute pressure and makes Cyber Essentials feel manageable again.
Clarity is the goal. Everything else follows.