From 27 April 2026, organisations beginning a new Cyber Essentials or Cyber Essentials Plus assessment will be assessed against an updated version of the standard: Requirements for IT Infrastructure v3.3.
The changes are being introduced by IASME Consortium, the delivery partner of the National Cyber Security Centre. A new 2026 self-assessment question set, known as “Danzell”, will apply to all assessment accounts created on or after that date.
Assessments started before 27 April 2026 will continue under the current version.
Although described as refinements, the update meaningfully strengthens baseline expectations, particularly in identity security, cloud governance, vulnerability management and audit evidence.
The full Cyber Essentials: Requirements for IT Infrastructure v3.3 document is available to download directly from the NCSC website.
What Is Changing Under v3.3?
1: Multi-Factor Authentication Must Be Enabled Wherever Available
If a cloud service or system offers MFA, it must now be enabled using an approved method.
Organisations can no longer leave available MFA switched off. Failure to enable it will result in automatic assessment failure.
This change reflects the continued rise in credential-based attacks and reinforces identity protection as a foundational control.
2: All Cloud Services Are Explicitly in Scope
For the first time, the standard formally defines a cloud service. Any internet-accessible service that stores or processes organisational data must be included in scope.
This includes:
- SaaS platforms
- Microsoft 365 and Google Workspace
- IaaS and PaaS environments
- Line-of-business cloud applications
Even where services are managed by a third party, accountability remains with the organisation seeking certification.
If your organisation accesses a service using company credentials, that service should be considered in scope.
3: Clearer Device and Network Scoping Requirements
The previous “untrusted network” terminology has been removed.
Instead, any device capable of establishing or accepting an internet connection must be considered.
Organisations must now:
- Clearly document any exclusions
- Explicitly identify legal entities within scope
- Provide more detailed scoping explanations
Without accurate asset inventories and defined network boundaries, assessments may face delays or clarification requests.
4: 14-Day Deadline for High and Critical Security Updates
Under v3.3, high-risk and critical patches must be applied within 14 days of release.
This applies to:
- Operating systems
- Applications
- Firewalls
- Routers and network devices
Failure to meet this timeframe will result in assessment failure.
Patch management must therefore be consistent, monitored and demonstrably effective across the full estate.
5: Backup and Recovery Elevated in Importance
While not one of the five core technical controls, backup guidance has been repositioned to emphasise resilience.
Organisations are expected to clearly document backup frequency, retention, separation and restoration testing procedures.
6: “Application Development” Replaces “Web Applications”
The updated terminology aligns with the UK Government’s Software Security Code of Practice and reinforces secure-by-design principles across the development lifecycle.
This is particularly relevant for organisations building internal or customer-facing applications.
7: Recognition of Passwordless Authentication
The new requirements formally recognise passwordless authentication methods, including:
- FIDO2 authenticators
- Passkeys
- Biometrics
- Hardware tokens
Remediation must now be estate-wide, not limited to the originally sampled devices.
How This May Affect Your Organisation
The April 2026 update raises expectations across four key areas:
Identity Security – MFA must be universally enforced wherever available.
Cloud Governance – All cloud services are unquestionably in scope.
Patch Discipline – 14-day updates require structured and reliable processes.
Documentation & Evidence – Clear scoping and auditable processes are essential.
Organisations that prepare early are far more likely to experience a smooth certification process.
“The 2026 update is about clarity and consistency. Cyber Essentials has always focused on protecting organisations from the most common attacks, and these changes ensure the standard keeps pace with how businesses operate today. The important step now is preparation. Understanding what has changed and reviewing your environment early will make the transition straightforward.”
Amait, Head of Cyber Essentials
Our Role as an IASME Certification Body
As an accredited Cyber Essentials Certification Body, we work directly with organisations across a wide range of sectors to assess, guide and certify against the standard.
Our focus is not simply on assessment submission, but on ensuring organisations clearly understand:
- What is genuinely in scope
- How to interpret the updated requirements
- Where gaps exist before submission
- How to approach remediation effectively
The 2026 update represents a tightening of the baseline, but with structured preparation, certification remains entirely achievable.
How We Support Our Customers
We provide end-to-end support across both Cyber Essentials and Cyber Essentials Plus, including:
- Pre-assessment readiness reviews
- Scope clarification and documentation guidance
- MFA and cloud governance advisory
- Vulnerability management and remediation validation
- Clear interpretation of the new Danzell question set
Our approach is practical, transparent and aligned directly to the official standard, ensuring there are no surprises during assessment.
Preparing for April 2026
If your renewal or first certification will fall after 27 April 2026, now is the right time to review your readiness under v3.3.
Early gap analysis will significantly reduce the risk of remediation delays and assessment failure.
If you would like a structured review of your environment against the updated requirements, or a side-by-side comparison of how the Danzell question set differs from the current version, please get in touch with our expert team today.