What businesses need to know about the update to Cyber Essentials

Cyber Essentials was updated this April – what are the key changes?


An update to Cyber Essentials, the UK government-backed cybersecurity certification scheme, came into place on April 27, but many businesses are still failing to take advantage of the UK government’s basic cybersecurity standards.

According to the government’s latest Cyber Security Breaches Survey, 43% of businesses reported having experienced a breach or attack in the last 12 months. Yet awareness of Cyber Essentials remains low, with just 12% of companies citing they knew about the standards.

It is with this in mind that the government launched a campaign in February, which urged companies to “lock the door” on cybercriminals by engaging with the scheme.

The Cyber Essentials annual update arrives in April each year to tighten up the standards so businesses are robust enough in the face of modern cyber threats. While the five core controls remain the same, experts say the 2026 update is one of the most significant changes to the scheme in years. As it comes into force, what do businesses need to know?


Significant changes

April’s update to Cyber Essentials was driven by the need to eliminate ambiguity around some requirements. The Cyber Essentials update focuses on “the actual core attacks”, such as credential theft, cloud account compromise and delayed patching – which are “consistently among the top entry points for attackers”, explains Aaron Bishop, CEO and founder of Novous.

“These are all areas where the previous revision of the requirements left too much room for interpretation,” according to Bishop.

Among the headline changes is a reduction in the patching window that mandates high-risk and critical security updates must be applied within 14 days of release.

For many firms, patching processes that have historically been tolerated as “good enough” will now be out of alignment with the standard, according to Jon Bance, chief operating officer at Leading Resolutions.

Following the update to Cyber Essentials, businesses, especially those with smaller IT teams, will need to be “much more deliberate” about how they track, prioritize and evidence patching activity across endpoints, servers and cloud services, he warns.

Another major update to Cyber Essentials will ensure firms are implementing multi-factor authentication (MFA) as a mandatory control for all cloud services. “If your cloud services offer two-factor authentication (2FA), MFA or single sign on (SSO), you must have it enabled – even if it is via SMS,” says Bishop.

The benefits of Cyber Essentials

In January this year, UK Digital Minister Liz Lloyd said that Cyber Essentials certified organizations are 92% less likely to make a claim on their cyber insurance than those without. Comments such as this show the business case for Cyber Essentials is becoming “more compelling” and difficult to ignore, says Bishop.

The updated Cyber Essentials certification helps reduce the risk of breaches by ensuring that key security measures are in place. In addition, organizations that achieve certification may be eligible for free cyber insurance, offering “an extra layer of financial protection in the event of an incident”, says Harry Mason, head of client services at Mason Infotech.

The scheme is becoming a supply chain prerequisite, with many larger organizations and public sector bodies requiring it from their suppliers and third-party contractors as a condition of contract. “So being certified can open your business to opportunities you otherwise wouldn't have been eligible for,” Bishop says.

It also provides a shared language between boards, technology teams and suppliers, helping conversations move away from “abstract cyber risk” to “practical, measurable controls”, according to Bance. For many, especially smaller firms, it therefore remains “one of the most cost effective ways of raising cyber hygiene”, he says.

Beyond compliance, the guidance provides “a highly practical, actionable security baseline”, agrees Ian Glennon, senior security solutions architect at Qualys. “Systematically applying these controls drastically reduces your attack surface and lowers your overall operational risk profile, which ultimately protects your bottom line.”

How businesses must respond to the Cyber Essentials update

With the update now in place, it’s a good idea to check where your business is on its Cyber Essentials journey. Adoption of Cyber Essentials is widespread, but maturity “varies considerably” across businesses, according to Bance.

Many organizations hold certification yet still operate reactively or informally, particularly around patching, asset visibility and administrative access, says Bance.

The update will expose that gap, he says. With this in mind, firms should avoid treating Cyber Essentials as “a one off annual activity”, Bance advises.

If you’re not doing it already, it is important to link Cyber Essentials into broader cyber or risk management practices. “This makes it easier to adapt with relatively minor changes,” Bance says.

Existing accounts have been given a six-month grace period before needing to comply with the April changes. However, there is much to do, says Daryl Flack, partner at Avella Security.

Organizations should start by conducting a thorough audit of their existing Cyber Essentials scope covering all legal entities, in-scope devices, and out-of-scope justifications, according to Flack. He outlines the need to “implement mandatory MFA across every cloud service, whether free, paid or bundled”.

Meanwhile, companies should already have revised scoping declarations with board-level sign-off committing to ongoing compliance, while ensuring point-in-time assessments match certification dates. This should have been completed ahead of the April enforcement deadline, Flack advises.

In addition, with accelerated patching required, firms will need to ensure they’re installing high-risk and critical security updates or vulnerability fixes within 14 days, adds Flack.

When addressing the reduced patching window, the most important step is to review your current processes honestly, says Bance. “Particularly how quickly patches are applied and how evidence is captured.”

At the same time, Glennon points out that a fix does not exclusively mean deploying a vendor patch. “It includes any robust mitigation applied while a patch undergoes internal testing.”

Configuration changes, registry updates, disabling vulnerable services, or deploying specific scripts “all qualify as valid fixes”, he says.
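As an added illustration, not code from the article or from any of the organisations quoted: a small Python checker that applies the 14-day window described above to a constructed set of patch records, treating a documented mitigation as a valid fix in line with Glennon's point, and producing the per-update status an assessor would ask to see as evidence. The asset names, advisory ids and dates are assumed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Window quoted in the article for high-risk and critical security updates.
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass
class PatchRecord:
    asset: str
    update_id: str                     # vendor advisory id (constructed samples below)
    severity: str                      # "critical", "high", "medium" or "low"
    released: date                     # date the vendor published the update
    applied: Optional[date] = None     # date the vendor patch was installed
    mitigated: Optional[date] = None   # date a documented mitigation was applied


def deadline(rec: PatchRecord) -> date:
    return rec.released + timedelta(days=PATCH_WINDOW_DAYS)


def fixed_on(rec: PatchRecord) -> Optional[date]:
    """Earliest date the record counts as fixed: patch or mitigation, whichever came first."""
    dates = [d for d in (rec.applied, rec.mitigated) if d is not None]
    return min(dates) if dates else None


def evaluate(rec: PatchRecord, today: date) -> str:
    """One of: out_of_scope, compliant, pending, overdue, late."""
    if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "out_of_scope"          # medium/low updates are outside the 14-day rule
    fix, due = fixed_on(rec), deadline(rec)
    if fix is None:
        return "pending" if today <= due else "overdue"
    return "compliant" if fix <= due else "late"


def evidence_report(records, today: date) -> dict:
    """Map '<update>@<asset>' to its due date and status, the record an assessor would review."""
    return {f"{r.update_id}@{r.asset}": {"due": deadline(r).isoformat(), "status": evaluate(r, today)}
            for r in records}


# Constructed sample inventory; every update was released on 1 May 2026 (deadline 15 May).
SAMPLE_RECORDS = [
    PatchRecord("laptop-01", "ADV-0001", "critical", date(2026, 5, 1), applied=date(2026, 5, 10)),
    PatchRecord("web-srv-01", "ADV-0002", "high", date(2026, 5, 1), mitigated=date(2026, 5, 12), applied=date(2026, 5, 30)),
    PatchRecord("db-srv-01", "ADV-0003", "high", date(2026, 5, 1)),
    PatchRecord("laptop-02", "ADV-0004", "low", date(2026, 5, 1)),
    PatchRecord("laptop-03", "ADV-0005", "critical", date(2026, 5, 1), applied=date(2026, 5, 18)),
]
TODAY = date(2026, 5, 20)  # assumed assessment date
```

ADV-0002 is compliant because the mitigation landed inside the window even though the patch itself was installed late; ADV-0003 is overdue with no fix recorded.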

Overall, to cope with the changes, it’s important that Cyber Essentials is treated as an “ongoing control set”, rather than a renewal exercise, according to Bance. “Those who embed it into day to day operations will find the update far less disruptive.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.