Cyber Essentials is Changing But is Your Business Ready?

The UK’s government-backed Cyber Essentials scheme is undergoing a major update to better reflect today’s evolving cyber threats. From 27 April 2026, all new Cyber Essentials and Cyber Essentials Plus assessments will adopt enhanced requirements designed to strengthen baseline cyber security across organisations of every size and sector.

Read Article
Graphic highlighting the 2026 update to the UK Cyber Essentials cyber security requirement

Cameron Lewis l Thursday 12th March

The UK’s government-backed Cyber Essentials scheme is being updated to address today’s cyber threats. Starting 27 April 2026, all new Cyber Essentials and Cyber Essentials Plus assessments will use new requirements to help strengthen basic cyber security for organisations of any size.

The five core controls: firewalls, secure configuration, user access control, malware protection, and patch management, are staying the same, but the way they are assessed will be stricter.

Here are some of the key changes organisations need to be aware of:

Multi-Factor Authentication becomes mandatory
If a cloud service supports MFA, it must be enabled. Failure to implement it where available will result in an automatic assessment failure.

Cloud services are fully in scope
Organisations now need to show that their cloud platforms, SaaS tools, and identity providers are securely set up and well managed. It’s not enough to just rely on the provider’s security.

Stricter patching requirements
Critical and high-risk security updates must be installed within 14 days. This highlights the importance of staying on top of vulnerabilities.

Clearer scoping rules
Any system, device, or service connected to the internet is considered in scope unless you can clearly separate and justify it. This also covers remote workers, BYOD devices, and contractor equipment.

Greater scrutiny in Cyber Essentials Plus
Cyber Essentials Plus assessments will now include more detailed technical checks to ensure the controls listed in your self-assessment are actually in place across your organisation.

The main change for Cyber Essentials Plus occurs during the testing stage. If an organisation fails the initial test on a sampled device, they will be required to ensure any remediation action is applied to all devices within the organisation. During a retest, the assessor will now check a new randomly sampled device in place of any that failed previously. This applies to any devices found to have vulnerabilities deemed non-compliant under Cyber Essentials.  

This change will encourage companies to apply consistent updates across all devices rather than just a sample. It is important to note, that if a second failure occurs during the retest, the Cyber Essentials self-assessment can be revoked and the audit must be conducted again to achieve certification.

These updates don’t completely change the scheme, but they do set higher standards for proof and consistency. It’s no longer enough to just have policies; you need to show that your security controls are working.

If your organisation is planning to get certified or renew in 2026, now is a good time to check your MFA coverage, patching routines, and cloud security controls. This will help you avoid surprises during your assessment.

If you want help getting ready for the upcoming Cyber Essentials changes, our team can guide you through the process and help you stay compliant and secure.

Looking For Cyber Security?

Enquire about our comprehensive Cyber Security Services today.

Talk To UsOur Services

Related posts

Get the latest news and insights on cyber security.

Blog
5
min read

A Look Back on the Year 2025: Progress, Pressure and Prospective

2025 was our busiest year yet, with record demand for Cyber Essentials Plus and ISO27001 audits and steady 10% growth. We expanded our services and supported a major client through a significant security incident, highlighting the importance of calm, experienced guidance. At the same time, capacity challenges, a leadership departure, and personal loss made for an emotionally demanding year and reinforced the value of supporting one another. Looking ahead, we plan to grow the team and strengthen our incident response services for 2026.
Read more
Case Studies
5
min read

3CT Supports Turntide with ISO 27001 Certification

Turntide embedded ISO 27001-aligned security controls into its operations from the outset. As the business scaled, formal documentation became a priority to meet evolving client and regulatory expectations. To accelerate ISO 27001 certification and maintain business momentum, Turntide partnered with 3CT Security, drawing on their expertise to formalise and optimise existing controls.
Read more
Articles
3
min read

Cyber Essentials in 2025: Still Relevant or Time for an Upgrade?

As the UK’s cybersecurity landscape evolves, many organisations are asking: Is Cyber Essentials still enough? Introduced in 2014, the Cyber Essentials scheme has helped thousands of UK businesses establish a baseline of cybersecurity hygiene. However, with new legislation on the horizon, such as the upcoming UK Cyber Security and Resilience Bill and increasing supply chain threats, it's time to reassess its role.
Read more
Articles
3
min read

- Retail and Cyber Risks: What We Can Learn from the Latest Breach

Recent headlines have been dominated by reports of cyber-attacks targeting major retailers, with M&S and Co-op being the latest to face security breaches. These targeted, sophisticated attacks have disrupted operations, compromised customer data, and raised concerns about the retail sector's vulnerability. So what happened...
Read more
Articles
3
min read

Why Do I Need ISO27001?

In today's digital-first world, where data breaches and cyberattacks make headlines almost daily, safeguarding your organisation’s information is no longer optional; it's business critical. For companies, ISO27001 offers a strategic advantage, not just a checkbox exercise. But what exactly is ISO27001, and why should it be at the top of your priority list?
Read more
Articles
3
min read

Achieving Excellence: Our Journey to ISO 9001 and ISO 27001 Certification

At 3CT Security, we are putting our money where our mouth is and are thrilled to announce that we have successfully achieved the ISO 9001 and ISO 27001 certifications with no minor non-conformities. This milestone is a testament to our unwavering commitment to excellence, quality, and security in every aspect of our operations.
Read more
Blog
3
min read

A Review of the Year and Start of 2025

As we approach the end of 2024, it’s great to take a moment to reflect on the journey we’ve taken over the past 12 months. It’s been a year filled with great achievements and challenges that have allowed 3CT Security to continue growing.
Read more
Articles
4
min read

Managing AI Technology in A Way That Makes Your Clients Trust You – Part 3

The explosion of Artificial Intelligence (AI) technology is taking the world by storm. However, there is a lot of apprehension around the amount of data it possesses, the confidentiality of the data and the potential impacts of the data. Here in comes ISO 42001:2023 – Artificial Intelligence Management System. This ISO Standard looks to ensure organisations are appropriately controlling their use or development of AI by taking in the potential “Impacts” the AI technology could have.
Read more
Articles
2
min read

Understanding Cyber Essentials Plus

In a previous article, we explained an overview of Cyber Essentials and how the self-assessment process works. The next step in completing your Cyber Essentials self-assessment is to explore the Cyber Essentials Plus certification. This is the technical verification of your self-assessment and demonstrates that your organisation has correctly implemented the Cyber Essentials controls.
Read more
Articles
3
min read

Managing AI Technology in a Way That Makes Your Clients Trust You-Part 2

In part 2 of this series, we will look to break down how the ISO 42001:2023 has organisations manage the Leadership and Planning sections for the standard.
Read more
Partnership
4
min read

D&D Network Services & 3CT Security: Bolstering Managed Service Providers Security Offerings

Through this partnership with D&D Network Services, we aim to build compliance and resilience without burden for companies with Managed Services, further fortifying our place in the market as a specialist in providing affordable managed cybersecurity services to all businesses in the UK.
Read more
Articles
2
min read

Introduction to Cyber Essentials

Today's business world has evolved to rely heavily on data transfer, making all businesses increasingly vulnerable to cyber threats. Cyber Essentials is a government-backed certification program in the UK designed to help organisations protect themselves from common online threats and improve their overall cyber security posture.
Read more
Articles
3
min read

Managing AI Technology in A Way That Makes Your Clients Trust You – Part 1

The explosion of AI technology is taking the world by storm. However, there is a lot of apprehension around the amount of data it possesses, the confidentiality of the data and the potential impacts of the data. Here in comes ISO 42001:2023 – Artificial Intelligence Management System. This ISO Standard looks to ensure organisations are appropriately controlling their use or development of AI by taking in the potential “Impacts” the AI technology could have.
Read more
Articles
5
min read

Stay Ahead of Cyber Threats: Get Ready for the 2025 Cyber Essentials Updates

The NCSC has announced upcoming updates to the Cyber Essentials certification that could impact how organisations complete the self-assessment process. Although these changes won’t officially take effect until April 2025, we’re sharing the details now to help businesses prepare for any applications starting on or after April 28, 2025.
Read more
Blog
3
min read

What Makes 3CT Security The Preferred Choice for Attaining Cyber Essentials?

In today's competitive market, selecting the right partner for your business’s information security needs is crucial and with multiple consultancies out there, customers have more choice than ever before.
Read more
Blog
2
min read

How to Obtain Cyber Essentials Certification

Have you ever wondered what's involved in the process of obtaining Cyber Essentials Certification? The process is quick and simple and involves three easy steps, which we've detailed in this blog.
Read more
Blog
4
min read

How Cyber Essentials Can Power You To New Growth

As you know, Cyber Essentials is an effective, Government backed scheme that will help you to protect your organisation, against a range of the most common cyber-attacks.
Read more
Case Studies
5
min read

Code Software Achieves ISO 27001 with 3CT Security

"We knew we needed to consult experts in the field to help solve this potential challenge in the most efficient way with minimal impact on the day to day running of the company." Mark Armstrong, CEO | Code Software
Read more
Blog
2
min read

Empowering Tomorrow: The Rise of 3CT Security

Three years ago, Cameron Lewis and Thomas Dold recognised the pressing need for cyber security services and embarked on a journey to establish 3CT Security.
Read more
Partnership
4
min read

3CT Security & Validato Forge Strategic Partnership

3CT Security are excited to announce our strategic partnership with Validato, a leading provider of security control validation technology.
Read more
Blog
5
min read

Understanding Cyber Essentials Certification

Cyber Essentials, a government-backed scheme, provides a framework to help organizations protect themselves against common online threats. But who exactly needs this certification, and who actively uses it? Let’s dive in
Read more
View all