Cyber Essentials Alert: MFA Is Now Mandatory (Or You Auto-Fail)

Pass or Fail?


If you're working towards Cyber Essentials certification - or maintaining your existing certificate - stop what you're doing and read this.

The NCSC has announced the most significant update to Cyber Essentials in years, and it includes new automatic fail conditions that take effect April 26th, 2026.

Get these wrong, and you'll fail the entire assessment regardless of how well you do everywhere else. No exceptions, no appeals, no "we were going to fix that next month."


The Two Auto-Fail Rules You Cannot Ignore

Rule 1: MFA Is Now Mandatory for All Cloud Services

Multi-Factor Authentication (MFA) is no longer optional. If a cloud service offers MFA - whether it's free, included, or a paid add-on - you must use it.

Fail to implement MFA on any cloud service, and you automatically fail the entire Cyber Essentials assessment.

This includes:

  • Microsoft 365 / Google Workspace

  • Accounting software (Xero, QuickBooks, Sage)

  • CRM systems (Salesforce, HubSpot)

  • Cloud storage (Dropbox, OneDrive, Google Drive)

  • Project management tools (Asana, Monday, Trello)

  • Any other cloud service your business uses

The NCSC's position is clear: MFA is critical protection against credential theft and account compromise. If it's available, you must enable it. Full stop.

What "available" means:

  • Free MFA counts as available

  • MFA included in your current plan counts as available

  • MFA as a paid upgrade counts as available

"We didn't want to pay for the upgrade" is not an acceptable reason. Enable it or fail the assessment.

Rule 2: Critical Updates Must Be Installed Within 14 Days

Two new questions have been designated as automatic fail conditions, both focused on security update management:

Question A6.4: Are all high-risk or critical security updates for operating systems, routers, and firewall firmware installed within 14 days of release?

Question A6.5: Are all high-risk or critical security updates for applications (including files and extensions) installed within 14 days of release?

Answer "no" to either question, and you automatically fail.

This isn't about having a patching policy on paper. It's about proving you actually install critical security updates within 14 days—across your entire scope, not just some devices.

The NCSC introduced this because delayed patching leaves systems vulnerable to known exploits that criminals actively target. Fourteen days is your window. Miss it, and you fail.

Why These Changes Matter

These aren't arbitrary bureaucratic requirements. They're direct responses to how businesses actually get breached:

Compromised credentials (prevented by MFA) account for a massive proportion of successful attacks. When criminals steal passwords through phishing, MFA stops them from accessing your systems.

Unpatched vulnerabilities (addressed by 14-day patching) are how ransomware spreads and how attackers gain initial access. Criminals exploit known vulnerabilities because they know many businesses don't patch quickly.

The NCSC is making these auto-fail conditions because they're the baseline protections that actually prevent real-world attacks.

Timeline: When This Takes Effect

April 26, 2026: All new Cyber Essentials assessment accounts created after this date must comply with these requirements.

Existing assessments: If you have an active assessment account created before April 26th, you have 6 months (until October 2026) to complete certification under the old requirements.

If you're mid-assessment now, you can finish under current rules. But any assessment started after April 26th must meet the new requirements immediately.

The Saturday Cloud Approach

For our clients, we're proactively addressing both requirements:

MFA Implementation:

  • Auditing all cloud services currently in use

  • Enabling and enforcing MFA across every service where it's available

  • Configuring conditional access rules to prevent bypass

  • Documenting implementation dates and methods

14-Day Patching:

  • Establishing formal patch management SLAs by severity level

  • Implementing automated patching where possible

  • Tracking patch compliance across all in-scope devices

  • Maintaining documentation proving compliance
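Tracking the 14-day window and keeping evidence for questions A6.4 and A6.5 is simple to automate once the vendor release date and the install date are recorded per device. The following is an added example, not Saturday Cloud's tooling or anything from the NCSC: a small Python check that classifies each in-scope update as pass, fail, pending or out of scope as of a chosen day, and answers whether the assessment question can honestly be answered "yes". The device names, update identifiers and dates are constructed for illustration.

```python
"""Hypothetical 14-day patch-compliance check for Cyber Essentials A6.4/A6.5.

Added example, not Saturday Cloud's tooling. Every device name, update ID and
date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)           # A6.4/A6.5: installed within 14 days of release
IN_SCOPE_SEVERITIES = {"critical", "high"}  # only high-risk/critical updates are auto-fail


@dataclass(frozen=True)
class UpdateRecord:
    device: str                # in-scope asset (constructed name)
    update_id: str             # vendor's update identifier (constructed)
    severity: str              # vendor-assigned severity
    released: date             # vendor release date: the 14-day clock starts here
    installed: Optional[date]  # None means not yet installed


def assess(record: UpdateRecord, as_of: date) -> tuple[str, str]:
    """Classify one update as of a given day.

    Returns (status, detail) where status is one of:
      'out_of_scope' - not high/critical, so not an auto-fail question
      'pass'         - installed on or before release + 14 days
      'pending'      - not installed, but the 14-day window has not closed yet
      'fail'         - installed late, or still missing after the window closed
    """
    if record.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "out_of_scope", "not a high-risk/critical update"
    deadline = record.released + PATCH_WINDOW
    if record.installed is not None:
        days = (record.installed - record.released).days
        if record.installed <= deadline:
            return "pass", f"installed {days} days after release"
        return "fail", f"installed {days} days after release (deadline was {deadline})"
    if as_of <= deadline:
        return "pending", f"{(deadline - as_of).days} days left before {deadline}"
    return "fail", f"not installed; deadline {deadline} passed"


def compliance_report(records, as_of: date) -> dict:
    """Evidence table plus the yes/no answer the assessment asks for.

    A single 'fail' anywhere in scope means answering 'no' to A6.4/A6.5.
    'pending' is not evidence of compliance either: it must become 'pass'
    before its window closes.
    """
    rows = []
    for r in records:
        status, detail = assess(r, as_of)
        rows.append({"device": r.device, "update": r.update_id,
                     "status": status, "detail": detail})
    failures = [row for row in rows if row["status"] == "fail"]
    pending = [row for row in rows if row["status"] == "pending"]
    return {
        "as_of": as_of.isoformat(),
        "rows": rows,
        "failures": failures,
        "pending": pending,
        "can_answer_yes": not failures,
    }


# Constructed sample inventory (not real assets or real vendor update IDs).
SAMPLE_RECORDS = [
    UpdateRecord("LAPTOP-01", "OS-2026-03", "critical", date(2026, 3, 2), date(2026, 3, 10)),
    UpdateRecord("LAPTOP-02", "OS-2026-03", "critical", date(2026, 3, 2), date(2026, 3, 20)),
    UpdateRecord("FW-EDGE-01", "FW-2026-02", "high", date(2026, 3, 1), None),
    UpdateRecord("LAPTOP-03", "APP-2026-04", "critical", date(2026, 3, 25), None),
    UpdateRecord("LAPTOP-01", "APP-2026-05", "moderate", date(2026, 3, 1), None),
]


if __name__ == "__main__":
    report = compliance_report(SAMPLE_RECORDS, date(2026, 3, 30))
    for row in report["rows"]:
        print(f"{row['device']:<11} {row['update']:<12} {row['status']:<12} {row['detail']}")
    print("Can answer 'yes' to A6.4/A6.5:", report["can_answer_yes"])
```

Two design points matter for the assessment. The clock runs from the vendor's release date, not from the day the update was noticed, so the inventory has to capture release dates rather than discovery dates. And "pending" is deliberately kept separate from "pass": an update still inside its window proves nothing yet, and the report only allows a "yes" when no row has failed and, in practice, nothing is left pending at assessment time.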

We're scheduling compliance reviews for all clients ahead of the April deadline. If these requirements sound overwhelming or you're not sure where to start, that's exactly what we're here for.

Don't Wait Until April

These aren't small adjustments you can rush through at the last minute. MFA implementation across multiple cloud services takes planning. Establishing and proving 14-day patch compliance takes time.

Start now. The auto-fail conditions don't care about good intentions or "we were going to do that anyway."

At Saturday Cloud, we guide South Wales businesses through Cyber Essentials compliance - from initial gap analysis through certification and ongoing maintenance. We implement the technical controls, establish the processes, and ensure you pass first time.

The new requirements take effect April 26th. Contact us today to ensure you're ready.


Republished with permission from The Technology Press
