The National Cyber Security Centre (NCSC) and IASME have announced the newest update for the UK\u2019s top cybersecurity certification \u2013 Cyber Essentials.<\/p>\n
The Cyber Essentials April 2026 update introduces several big changes designed to keep pace with the shifting threat landscape.<\/p>\n
Having a\u00a0Cyber Essentials certification\u00a0demonstrates that your business is among the top IT providers and aligns with cybersecurity best practices.<\/p>\n
With these new updates, to not only become accredited by Cyber Essentials ,but also remain an accredited and certified Cyber Essentials business, you\u2019ll need to adhere to the changes they\u2019re set to make in April.<\/p>\n
In this blog, we\u2019ll break down what these changes are and what you can do as a business to think ahead.<\/p>\n
This rule has been in place for Google Cloud Services since the end of 2025, but now the criteria are becoming even stricter.<\/p>\n
Read more:\u00a0Mandatory MFA for Google Cloud users by the end of 2025<\/a><\/p>\n MFA (Multi-factor authentication) is now non-negotiable for all cloud services.<\/p>\n By April 27th 2026, if a cloud service supports MFA, whether that service is free or subscription-based, you must implement it. If you haven\u2019t, then it will result in an automatic failure from Cyber Essentials.<\/p>\n Over the past few years, there\u2019s been a clear aim to move away from traditional password-based login, and it\u2019s only gotten clearer following Cyber Essentials\u2019 new updates, which place heavy emphasis on passwordless authentication.<\/p>\n The NCSC is now explicitly recommending the use of Passkeys and FIDO2 (Fast Identity Online2), such as Touch ID and Face ID authenticators.<\/p>\n These methods use public-key cryptography (such as biometrics or hardware tokens) to verify identity, making them significantly more resistant to phishing than traditional passwords.<\/p>\n By suggesting passwordless authentication as the standard, the scheme is telling businesses to adopt a more secure approach.<\/p>\n Read more:\u00a0A quick guide to passwordless login<\/a><\/p>\n This means that things like hardware security keys or biometric devices are now an official way to meet Cyber Essentials requirements.<\/p>\n The update tightens the requirements for cloud security by introducing a strict definition of cloud services.<\/p>\n To comply, companies, in a sense, need to perform a full \u201ccloud audit\u201d, similar to what they would do with inventory. This includes any cloud tools that you buy later down the line.<\/p>\n The most important thing to remember is that it\u2019s an automatic fail if you\u2019re found to have any cloud app holding company data that you haven\u2019t informed Cyber Essentials about.<\/p>\n This includes SaaS (software as a service), apps, and storage\/management platforms, as they cannot be excluded from the assessment scope if they handle any sort of organisational data.<\/p>\n All of these updates officially begin on April 27th 2026, so from that point onward, all assessments from Cyber Essentials will be judged against these new updates.<\/p>\n So what can you do to ensure your business is ready?<\/p>\n This update from Cyber Essentials is adapting to the current, rapid changes that businesses are seeing<\/p>\n By making MFA a must, going modern with logins, and closing the gaps in cloud scoping, the NCSC and IASME are ensuring that Cyber Essentials remains a strong way to ensure you\u2019re up to standard with cybersecurity, rather than just a \u201cbadge\u201d on a website.<\/p>\n","protected":false},"excerpt":{"rendered":" The National Cyber Security Centre (NCSC) and IASME have announced the newest update for the UK\u2019s top cybersecurity certification \u2013 Cyber Essentials. The Cyber Essentials April 2026 update introduces several big changes designed to keep pace with the shifting threat landscape. Having a\u00a0Cyber Essentials certification\u00a0demonstrates that your business is among the top IT providers and[\u2026] ReadEmbracing passwordless authentication<\/h2>\n
Cloud services are the new norm<\/h2>\n
How to prepare for the April 2026 update<\/h2>\n
\n
A final thought<\/h2>\n