Beyond MFA: All the Other Cyber Essentials Changes for April 2026

It’s a wordy one. Give us a call if you want us to talk you through this.

In our previous post, we covered the critical auto-fail conditions coming to Cyber Essentials in April 2026 (mandatory MFA and 14-day patching). But those aren't the only changes.

The NCSC has made significant updates to how Cyber Essentials Plus assessments work, how scope is defined, and several clarifications to the requirements document.

If you're pursuing Cyber Essentials or maintaining certification, here's everything else you need to know.

Major Changes to Cyber Essentials Plus Assessment

Cyber Essentials Plus (CE+) includes a technical audit on top of the self-assessment. From April 2026, the CE+ process is getting stricter to close loopholes some organisations were exploiting.

No More Selective Patching

IASME discovered organisations were gaming the system: when the CE+ audit identified devices needing updates, they'd only patch the specific devices being tested rather than their entire environment. They'd pass the assessment whilst leaving the rest of their systems vulnerable.

From April 2026:

  • If you fail the initial random device sample test, you must remediate and retest

  • During retest, assessors check both the original sample and a new random sample

  • This ensures you've patched everything, not just the devices you knew they'd check

  • A second failure results in certificate revocation

The message is clear: you can't selectively patch only the devices under examination. Everything in scope must be compliant.

Your Self-Assessment Is Now Locked

You can no longer adjust your verified self-assessment (VSA) responses based on what the CE+ audit finds.

Your VSA must be completed, finalised, and locked before CE+ testing begins. This prevents organisations from changing answers to match technical audit results.

Get your self-assessment right the first time. You won't get a chance to "correct" it based on what the assessor discovers.

Scope Definition Gets Much More Rigorous

Defining certification scope has always been contentious. The NCSC is tightening requirements significantly.

Unlimited Scope Descriptions

You're no longer limited to brief scope descriptions on certificates. You can now provide detailed scope information viewable via the digital certificate platform.

This transparency helps clients and partners understand exactly what's covered by your certification.

Out-of-Scope Areas Must Be Declared and Justified

You must now describe any infrastructure excluded from scope and explain why. Assessors will scrutinise these exclusions.

You also need to explain how excluded networks are segregated from in-scope systems. "It's in a different office" isn't enough - you need to demonstrate actual network segregation.

Legal Entity Identification Required

You must specify all legal entities included within certification scope, with complete details:

  • Entity name

  • Registered address

  • Company number

This information appears on the digital certificate platform, providing transparency about which organisations are covered.

Individual Certificates Available

If multiple legal entities are covered under one assessment, you can request individual certificates for each entity (small charge applies).

These individual certificates clearly show they're part of a wider certification scope, useful when clients or partners request proof of certification for specific legal entities.

"Point in Time" Finally Clarified

There's been confusion about what "point in time assessment" means. The NCSC has now clarified:

The "point in time" is the date the certificate is issued.

Your systems must be supported and compliant on the certification date, not when you started the assessment weeks or months earlier.

This matters for end-of-life systems: if an operating system reaches end-of-support between assessment start and certificate issue, you'll fail.

Ongoing Compliance Is Now Explicit

The declaration signed by directors/board members now explicitly states your organisation's responsibility to maintain compliance with all Cyber Essentials controls throughout the 12-month certification period.

This isn't new in practice - you were always supposed to maintain compliance, but it's now explicitly stated in the declaration you sign.

Additional Requirements Document Updates

The Requirements for IT Infrastructure v3.3 includes several clarifications:

Cloud Services Clearly Defined: "A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet."

If your data or services are in the cloud, they must be in scope. Cloud services cannot be excluded from certification scope.

Simpler Scoping Language: "Untrusted" and "user-initiated" have been removed as qualifiers for internet connections. All internet-connected systems are in scope unless you can justify exclusion and demonstrate segregation.

Application Development Emphasis: The "web applications" section has been renamed "application development" and now references the UK Government's Software Security Code of Practice.

Publicly available commercial web applications are in scope by default. Bespoke and custom components remain out of scope.

Backups Repositioned: Backup guidance has been moved earlier in the requirements document to emphasise their importance in recovering from cyber incidents.

Passwordless Authentication Highlighted: The user access control section now highlights passwordless authentication methods (like passkeys) as more secure alternatives to traditional passwords.

What This Means for Your Business

These changes make Cyber Essentials more rigorous, but they also make certification more meaningful.

Businesses with properly implemented security won't struggle with these requirements. Businesses trying to tick boxes without actually securing their systems will find certification much harder.

Timeline and Next Steps

April 26, 2026: New requirements take effect for all assessment accounts created after this date.

Existing assessments: Six-month grace period (until October 2026) to complete certification under old requirements.

How Saturday Cloud Can Help

These changes add complexity to an already detailed certification process. We guide South Wales businesses through every aspect:

Scope Definition:

  • Accurately define certification scope

  • Document and justify any exclusions

  • Identify all legal entities properly

  • Explain network segregation where needed

CE+ Preparation:

  • Ensure VSA accuracy before locking it

  • Verify patch compliance across entire scope

  • Prepare for random device sampling

  • Document all evidence thoroughly

Ongoing Compliance:

  • Maintain compliance throughout 12-month certification period

  • Track changes that might affect certification

  • Prepare for recertification well in advance

We handle the complexity so you can focus on running your business with the confidence that comes from proper certification.

Need help navigating the April 2026 changes? We're scheduling compliance reviews for all clients and new enquiries ahead of the deadline.


Republished with permission from The Technology Press.