This blog was originally published by CloudTech24 Ltd.

What you need to know about the Cyber Essentials April 2026 update

The National Cyber Security Centre (NCSC) and IASME have announced the newest update for the UK’s top cybersecurity certification – Cyber Essentials.

The Cyber Essentials April 2026 update introduces several big changes designed to keep pace with the shifting threat landscape.

Having a Cyber Essentials certification demonstrates that your business is among the top IT providers and aligns with cybersecurity best practices.

With these new updates, both to become accredited by Cyber Essentials and to remain an accredited and certified Cyber Essentials business, you’ll need to adhere to the changes they’re set to make in April.

In this blog, we’ll break down what these changes are and what you can do as a business to think ahead.

Mandatory MFA rule

This rule has been in place for Google Cloud Services since the end of 2025, but now the criteria are becoming even stricter.

Multi-factor authentication (MFA) is now non-negotiable for all cloud services.

By April 27th 2026, if a cloud service supports MFA, whether that service is free or subscription-based, you must implement it. If you haven’t, it will result in an automatic failure of your Cyber Essentials assessment.

Embracing passwordless authentication

Over the past few years, there’s been a clear aim to move away from traditional password-based login, and it’s only gotten clearer following Cyber Essentials’ new updates, which place heavy emphasis on passwordless authentication.

The NCSC is now explicitly recommending the use of passkeys and FIDO2 (Fast Identity Online 2) authenticators, such as Touch ID and Face ID.

These methods use public-key cryptography to verify identity, with the private key kept on the user’s device or hardware token and unlocked by a biometric or similar local check, making them significantly more resistant to phishing than traditional passwords.

By suggesting passwordless authentication as the standard, the scheme is telling businesses to adopt a more secure approach.

This means that things like hardware security keys or biometric devices are now an official way to meet Cyber Essentials requirements.

Cloud services are the new norm

The update tightens the requirements for cloud security by introducing a strict definition of cloud services.

To comply, companies, in a sense, need to perform a full “cloud audit”, similar to what they would do with inventory. This includes any cloud tools that you buy later down the line.

The most important thing to remember is that it’s an automatic fail if you’re found to have any cloud app holding company data that you haven’t informed Cyber Essentials about.

This includes SaaS (software as a service), apps, and storage/management platforms, as they cannot be excluded from the assessment scope if they handle any sort of organisational data.

How to prepare for the April 2026 update

All of these updates officially begin on April 27th 2026, so from that point onward, all assessments from Cyber Essentials will be judged against these new updates.

So what can you do to ensure your business is ready?

  1. Update MFA on every cloud service that you use, whether free or subscription-based.
  2. Ensure every cloud service is fully stated and documented to comply with Cyber Essentials’ new changes.
  3. Utilise new passwordless login techniques like biometrics and hardware tokens.

A final thought

This update from Cyber Essentials is adapting to the current, rapid changes that businesses are seeing.

By making MFA a must, going modern with logins, and closing the gaps in cloud scoping, the NCSC and IASME are making sure that Cyber Essentials remains a strong way to ensure you’re up to standard with cybersecurity, rather than just a “badge” on a website.

Published by Andrew Dale, CloudTech24 Ltd