Cyber Essentials 2026 brings big changes for UK businesses. The new rules start on 27 April 2026. I want to help you get ready. This guide covers what's new in CE v3.3 and how to prepare.
The NCSC and IASME run the scheme. They made some big updates. Two-step login is now a must. Cloud services are now in scope. And you have just 14 days to fix security gaps.
What's Changing in Cyber Essentials 2026
The April 2026 changes affect every UK business that wants to certify. Here are the main updates:
- MFA is now mandatory - All admin accounts must use two-step login
- Cloud services in scope - Your online tools now count in the assessment
- 14-day patching rule - You must fix high-risk issues within two weeks
- Clearer cloud guidance - New rules for shared responsibility
- Tighter access controls - Stricter rules on who can do what
See my full breakdown of Cyber Essentials requirements for more detail.
CE v3.2 vs CE v3.3 Comparison
| Requirement | Current (v3.2) | New (v3.3) |
|---|---|---|
| MFA | Recommended for admin accounts | Mandatory for all admin accounts |
| Cloud Services | Limited scope | Fully in scope with shared responsibility |
| Patching Timeline | Within 14 days (critical) | Within 14 days (critical and high-risk) |
| Home Workers | Basic guidance | Clearer requirements for remote devices |
| Admin Accounts | Separate admin accounts recommended | Strict separation and MFA required |
27 April 2026 - CE v3.3 becomes mandatory for all new certifications.
MFA Is Now Mandatory
This is the biggest change. Two-step login (MFA) is now a must for all admin accounts. Before, it was just best practice. Now it's a rule. Read my full guide on MFA for Cyber Essentials to learn more.
Why? Because passwords alone don't work. Hackers steal them. They buy them on the dark web. They guess them. And now AI phishing attacks make it even easier for criminals to trick your staff.
27-34% of UK SMEs currently use MFA - most businesses need to act now.
Two-step login adds a code to your phone or app. Even if hackers get your password, they can't get in. It stops most attacks.
I help businesses set this up. It's not hard. Most cloud tools have it built in. You just need to turn it on. See my guide on user access control for tips.
Tip: Start with your email and admin accounts. These are the ones hackers want most. Then add MFA to everything else.
Cloud Services Now in Scope
The old rules focused on your office kit. Laptops. Servers. Firewalls. But most businesses now use cloud tools too.
From April 2026, your cloud services count. Microsoft 365. Google Workspace. Xero. Slack. If you use it for work, it's in scope.
This means you need to check:
- Who has admin access to your cloud tools
- Is MFA turned on for those accounts
- Are the settings secure (not just the defaults)
- Is data backed up properly
Cloud tools are great. But you still have to secure them. The cloud provider handles some things. You handle others. That's called shared responsibility. And don't forget your supply chain security - your vendors need to be secure too.
Want to compare your options? Read my post on Cyber Essentials vs Cyber Essentials Plus.
The 14-Day Patching Rule
Software has bugs. Hackers find them. Companies fix them with updates called patches.
Under CE v3.3, you have 14 days to apply critical patches. Not months. Not "when you get round to it". Two weeks.
This applies to:
- Operating systems (Windows, macOS)
- Web browsers (Chrome, Edge, Firefox)
- Office software
- Any software facing the internet
Automatic updates help a lot here. Turn them on where you can. For the rest, set a reminder. My guide on security update management explains how.
14 Days - Maximum time to apply critical security patches under CE v3.3.
Timeline: What Happens When
Here are the key dates you need to know:
- Now - April 2026: Prepare for the new rules. Check your MFA. Review cloud access.
- 27 April 2026: CE v3.3 becomes mandatory. All new certs must meet the new rules.
- Your renewal date: If you're already certified, you'll need to meet v3.3 when you renew.
Don't wait until the last minute. Start now. The changes aren't hard, but they take time.
How to Prepare for the Changes
I've helped many businesses get ready. Here's what I tell them:
- Check your MFA: Is it on for all admin accounts? If not, turn it on now.
- List your cloud tools: What do you use? Who has access? Write it down.
- Set up auto-updates: Let your devices patch themselves where possible.
- Review passwords: Use my password generator to make strong ones.
- Take the assessment: Try my Cyber Essentials readiness check to see where you stand.
For a complete overview, read my guide to Cyber Essentials for SMEs.
Tip: Do one thing at a time. MFA first. Then cloud access. Then patching. Small steps add up.
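The MFA, cloud access and patching checks above can be run against lists you export from your own tools. The script below is an added example, not part of the original guide and not an NCSC or IASME tool; the CSV column names, account names, device names and dates are constructed assumptions, and the 14-day limit and the critical/high-risk scope are the ones stated in this guide.

```python
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 14            # limit stated in this guide
IN_SCOPE = {"critical", "high"}   # severities the guide puts under the 14-day rule

# Constructed sample exports; the column names are assumptions, not a vendor format.
ACCOUNTS_CSV = """service,user,is_admin,mfa_enabled
Microsoft 365,alice@example.co.uk,yes,yes
Microsoft 365,bob@example.co.uk,yes,no
Xero,carol@example.co.uk,yes,no
Slack,dave@example.co.uk,no,no
"""
PATCHES_CSV = """device,software,severity,released,installed
LAPTOP-01,Chrome,critical,2026-04-01,2026-04-05
LAPTOP-02,Windows,high,2026-04-01,
LAPTOP-03,Firefox,high,2026-04-20,
LAPTOP-04,Office,low,2026-03-01,
SERVER-01,Windows,critical,2026-03-10,2026-04-02
"""

def admins_without_mfa(accounts_csv):
    """Return (service, user) for every admin account with MFA switched off."""
    rows = csv.DictReader(io.StringIO(accounts_csv))
    return [(r["service"], r["user"]) for r in rows
            if r["is_admin"].strip().lower() == "yes"
            and r["mfa_enabled"].strip().lower() != "yes"]

def patch_breaches(patches_csv, today):
    """Return (device, software, days) for critical/high patches past 14 days."""
    breaches = []
    for r in csv.DictReader(io.StringIO(patches_csv)):
        if r["severity"].strip().lower() not in IN_SCOPE:
            continue
        released = date.fromisoformat(r["released"])
        # An empty 'installed' cell means the patch is still outstanding.
        end = date.fromisoformat(r["installed"]) if r["installed"] else today
        days = (end - released).days
        if days > PATCH_WINDOW_DAYS:
            breaches.append((r["device"], r["software"], days))
    return breaches

if __name__ == "__main__":
    for service, user in admins_without_mfa(ACCOUNTS_CSV):
        print(f"MFA missing: {user} is an admin on {service}")
    for device, software, days in patch_breaches(PATCHES_CSV, date(2026, 4, 27)):
        print(f"Patch overdue: {software} on {device}, {days} days since release")
```

A patch installed late still shows up as a breach, so the report covers past slips as well as updates that are still outstanding.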
Why These Changes Matter
Cyber attacks are getting worse. Hackers target small businesses because they're easier to hit. The latest UK cyber attack statistics show 43% of businesses faced attacks last year. These new rules help close the gaps.
Cyber Essentials certification shows your clients you take security seriously. It's required for some government contracts. And it can lower your insurance costs.
The April 2026 changes make the scheme stronger. Harder to pass? A bit. But much better protection.
Frequently Asked Questions
The new rules (CE v3.3) take effect on 27 April 2026. All certifications from that date must meet the new requirements. If you're already certified, you'll need to meet v3.3 when you renew.
Yes. From April 2026, all admin accounts must use multi-factor authentication (MFA). This means a second step when you log in, like a code on your phone. It's one of the biggest changes in CE v3.3.
Any cloud service you use for business is in scope. This includes Microsoft 365, Google Workspace, accounting software, CRM systems, and file sharing tools. You need to make sure access is secure and MFA is turned on.
Critical and high-risk patches must be applied within 14 days of release. This includes updates to operating systems, browsers, and any software that faces the internet. Automatic updates are the easiest way to stay compliant.
Your current certificate stays valid until it expires. When you renew, you'll need to meet the new CE v3.3 requirements. If your renewal is after 27 April 2026, start preparing now.
Cyber Essentials is a self-assessment. You answer questions about your security. Cyber Essentials Plus includes a technical check by an assessor. They test your systems to make sure your answers are correct. Both cover the same five controls.
Start by checking MFA is on for all admin accounts. List your cloud services and review who has access. Make sure auto-updates are turned on. Try my free readiness assessment to see where you stand.
Need Help Getting Ready?
I help UK businesses prepare for Cyber Essentials certification. Let's get you sorted before April 2026.
The new rules might seem like a lot. But they make sense. MFA stops most attacks. Patching closes holes. Cloud checks cover modern ways of working. If you start now, you'll be ready for Cyber Essentials 2026.