Cyber Essentials 2026 Changes: Cyber Essentials & Cyber Essentials Plus Updates

What Businesses Need to Know (and How to Avoid Failing First Time)

From April 2026, the UK Cyber Essentials scheme is undergoing one of its most significant updates in recent years.

While the five core controls remain unchanged, the way organisations are assessed, particularly for Cyber Essentials Plus, is becoming far more rigorous and reflective of real-world cyber security, with stricter marking criteria and less tolerance for gaps, inconsistencies, or interpretation.

For many businesses, this means what passed last year may not pass in 2026.

If you’re planning certification or renewal, understanding these changes now will help you avoid delays, failed assessments, and unnecessary cost.

What’s Changing in Cyber Essentials?

The April 2026 update is designed to remove ambiguity and strengthen the integrity of the scheme. The focus is no longer just on policies, but on whether controls are consistently applied and demonstrably effective.

Key changes include:

  • A new assessment framework (“Danzell”) with clearer, stricter questioning
  • Greater emphasis on evidencing and demonstrating controls in practice, not just policy or intention
  • Stronger enforcement of Multi-Factor Authentication (MFA), now mandatory for all cloud services where available
  • Stricter enforcement of patching, with automatic failure if critical updates are not applied within 14 days
  • More detailed scope definition and transparency, including mandatory documentation of what is excluded
  • Requirement to declare all legal entities in scope, including company name, address, and registration number
  • Enhanced certification transparency via a digital certificate platform, with the ability to issue certificates per legal entity
  • Clear definition of cloud services, which must now be included in scope where organisational data is stored or processed
  • Clarification that Cyber Essentials is assessed at a defined “point in time”, the date of certification
  • Updated director-level declaration confirming responsibility for maintaining controls throughout the certification period
  • Recognition of passwordless authentication methods, such as passkeys and hardware tokens

 
While these areas have always been part of the framework, the key difference is that expectations are now more clearly defined and more strictly assessed.

The Introduction of the “Danzell” Assessment Model

One of the most important and often overlooked changes is the introduction of a new assessment structure known as Danzell.

Rather than simply updating questions, this fundamentally changes how organisations are evaluated.

In practice, this means:

  • Questions are more precise and less open to interpretation
  • Answers must reflect actual implementation, not intention
  • Previously accepted responses may no longer be valid

 
For organisations that have historically reused or lightly updated submissions, this will require a more thorough review of their environment before applying.

What’s Changing in Cyber Essentials Plus?

Cyber Essentials Plus (CE+) is seeing even more significant tightening, particularly around validation, consistency and audit integrity.

Key CE+ changes include:

  • Remediation must be applied across the entire environment, not just sampled devices
  • If an organisation fails an initial sampled device, the Assessor will test an additional random device before remediation is permitted
  • If that additional device also fails, the organisation can fail Cyber Essentials Plus immediately, and this may also result in the loss of their existing Cyber Essentials certification
  • Where remediation is permitted, retesting will include both the original sample and a new random sample to validate wider consistency
  • No changes can be made to the verified self-assessment once CE+ testing begins
  • Greater emphasis on real-world validation of controls, not point-in-time fixes

 
This means CE+ is no longer just a technical check; it is a full validation of how consistently controls are applied across the environment.

Why These Cyber Essentials 2026 Changes Matter

Cyber Essentials is no longer just a technical certification; it is increasingly tied to commercial credibility and operational resilience.

Organisations are using it to:

  • Win government and public sector contracts
  • Meet cyber insurance requirements
  • Pass supplier and supply chain security checks
  • Demonstrate compliance with frameworks such as PPN 01/24
  • Build trust with customers and partners

 
The 2026 updates strengthen this position. Certification becomes more meaningful, but also more demanding, making preparation essential.

Where Businesses Are Most Likely to Fall Short

The updated framework doesn’t introduce new controls, but it does expose weaknesses that may previously have gone unnoticed.

Cloud Security & Shared Responsibility

Many organisations assume cloud platforms are secure by default. However, Cyber Essentials now makes it clear that responsibility sits with the organisation for configuration, access control, and user security. Cloud services must now be in scope, which will expose gaps in MFA, permissions, and monitoring.

Patch Management Discipline

Two new auto-fail questions now explicitly assess whether high-risk or critical updates across operating systems, network devices, and applications are applied within 14 days of release. Failure to meet this requirement results in an automatic fail, with no opportunity to remediate.

Identity & Access Control

There is increased scrutiny on MFA enforcement, privileged access, and legacy authentication. Organisations must demonstrate that controls are consistently applied across all users, devices, and services, not just partially implemented.

Inconsistent Application of Controls

Consistency across the entire environment is now a major failure point, particularly for CE+. Any gaps, even outside sampled devices, can now lead to failure due to expanded testing.

Poor Scope Definition

An unclear or overly narrow scope is no longer acceptable. Organisations must clearly define what is included, justify exclusions, and identify all legal entities in scope. Poor scoping can lead to delays, reassessment, or misleading certification.

When Do the Changes Take Effect?

Timing is important for organisations planning certification:

Before 26 April 2026

  • You can still certify under the current framework (with a 6-month completion window)

 
From 27 April 2026 onwards

  • All new certifications must follow the updated requirements

This creates a short window for organisations to decide whether to certify under the current model or prepare for the new one.

How to Prepare for Cyber Essentials 2026

The most successful organisations will take a structured, proactive approach rather than treating certification as a last-minute exercise.

Preparation should focus on:

  • Reviewing your full asset inventory and environment against the five core controls
  • Auditing all cloud platforms and access configurations
  • Enforcing MFA consistently across all users and systems, particularly for cloud services
  • Ensuring patching processes meet the 14-day requirement across all systems
  • Validating that controls are applied across the full environment, not just selectively
  • Clearly defining and documenting your certification scope, including legal entities and exclusions
  • Preparing thoroughly before any CE+ audit, as changes cannot be made once testing begins

 
Taking these steps early reduces risk, shortens timelines, and significantly improves your chances of passing first time.

Book a Readiness Review

If you’d rather get clarity on your position straight away, a Cyber Essentials Readiness Review can help you understand where you stand before starting the certification process.

It provides a practical way to identify likely issues early, reduce the risk of failure, and plan the most efficient route to certification or renewal.

This will help you to:

  • Identify gaps in your current controls before the assessment begins
  • Understand where you may be at risk under the April 2026 changes
  • Review MFA, patching, cloud security, and scope readiness
  • Clarify whether your environment is suitable for Cyber Essentials or Cyber Essentials Plus
  • Reduce the chance of delays, failed assessments, and repeat costs
  • Build a clear action plan to move towards certification with confidence

 
Why Work With Advantex?

Cyber Essentials often looks straightforward on paper, but in reality it spans multiple areas of your business, from cloud platforms and infrastructure through to user access and security policies.

As an integrator, we take a consultative approach, helping you understand how everything fits together. We focus on making Cyber Essentials achievable without disruption, while strengthening your wider cyber security posture.

Final Thought

The April 2026 changes mark a clear shift from basic compliance to demonstrable cyber resilience, with stricter assessment standards and far less tolerance for gaps in implementation.

For organisations that prepare early, this is an opportunity to strengthen security, improve credibility, and move through certification efficiently.

For those that don’t, Cyber Essentials may become more complex, time-consuming, and costly than expected.

If you’d like to discuss the 2026 changes or your certification plans, give the Advantex team a call or book a meeting and we’ll help you plan the right route forward.
