From April 2026, the Cyber Essentials (CE) and Cyber Essentials Plus (CE+) schemes will be strengthened to reflect the realities of today’s threat landscape. These updates are not cosmetic. They introduce tougher assessment standards, clearer scoping rules and more explicit technical expectations, particularly around identity security, patching and resilience against ransomware.
For organisations that already hold certification, this is not about starting again. It is about proving that the controls you rely on are consistently applied, properly maintained and effective in practice. For those preparing for their first assessment, the bar is higher, but the intent is clear: Cyber Essentials must continue to represent a meaningful baseline of cybersecurity hygiene.
Cyber Essentials has always been designed as a baseline scheme, but the threat landscape it was created for no longer exists. Cloud adoption, identity-based attacks and ransomware have shifted the way organisations are compromised. In response, the updated CE and CE+ standards aim to close common gaps that attackers routinely exploit.
The changes focus less on paperwork and more on demonstrable security outcomes. Assessments will be more consistent, moderation will be tighter and technical controls will be scrutinised more closely, particularly in CE+.
Assessments will be more tightly moderated to ensure consistency across certification bodies. This reduces ambiguity and raises confidence that certified organisations are meeting the same standard, not just interpreting requirements differently.
Organisations with multiple legal entities or complex structures will face clearer scoping rules. This removes grey areas around what is and is not covered and ensures critical systems are not excluded from assessment.
Multi-factor authentication will be mandatory on every user account of every in-scope cloud service, not only email or administrative accounts. This reflects the continued rise of credential-based attacks (phishing, password spraying and credential stuffing) and the role of cloud platforms in modern breaches: a single unprotected standard account is enough to give an attacker a foothold.
Critical and high-severity vulnerabilities (those with a CVSS v3 base score of 7.0 or above) must be patched within 14 days of the vendor releasing the fix. The clock starts at release, not at the point the vulnerability is noticed, so tracking vendor advisories is part of the control. This formalises what many security teams already recognise: long patching windows create unnecessary exposure.
CE+ assessments will include more rigorous testing and tighter rules around retesting. This places greater emphasis on getting controls right the first time and maintaining them consistently.
Secure, tested backups are now a clear area of focus. It is no longer enough to say backups exist. Organisations must show that backups are protected from the same compromise as the systems they cover (for example, held offline or otherwise isolated from production credentials), that restores have actually been tested, and that recovery fits the organisation's ransomware response plan.
For most organisations, the updated standards do not require radically new technology. They require better discipline, clearer ownership and stronger evidence that controls are working as intended.
Common preparation challenges include identifying all in-scope cloud services, enforcing MFA consistently, improving patch management processes and validating backup and recovery procedures. These are operational issues as much as technical ones.
Integrity360 supports organisations through every stage of Cyber Essentials and Cyber Essentials Plus preparation. This includes structured gap analysis against the updated requirements, practical remediation guidance and hands-on technical support to resolve issues before assessment.
We work with organisations of all sizes to simplify scoping, strengthen identity and patching controls, validate backups and ensure audit readiness. The goal is not just to achieve certification, but to ensure the controls you put in place genuinely reduce risk.
With the April 2026 changes approaching, early preparation is key. Addressing gaps now avoids last-minute remediation and makes the certification process smoother, faster and more predictable.
If you are planning to renew or pursue Cyber Essentials or Cyber Essentials Plus under the new standards, Integrity360 can help you get there with confidence.