Cyber Essentials April 2026 Update: What’s Changing and How UK SMEs Should Prepare 

Executive Summary 

The next round of Cyber Essentials changes is now confirmed. IASME has said that Cyber Essentials: Requirements for IT Infrastructure v3.3 will apply to assessment accounts created from 27 April 2026 onwards.  

For UK small and medium-sized businesses, this matters for three reasons:

  • The version is decided when you create the assessment account. Create it on or after 27 April 2026 and you are assessed against v3.3. Create it before then and you stay on the previous question set and marking.  
  • You still get up to six months to complete the assessment, and the version stays locked for that assessment account.  
  • MFA is now a hard pass or fail rule for cloud services. If a cloud service has MFA available (free, included, connected via another service, or paid) and you have not implemented it, you will fail automatically.  

The good news is that Cyber Essentials is not being rebuilt from scratch. IASME says the changes in the requirements document are minor and mainly about clearer definitions and consistency.  

This article explains: 

  • What is changing in April 2026 (confirmed only) 
  • What is staying the same 
  • A practical readiness checklist for SMEs 
  • How Get Support can make Cyber Essentials predictable rather than painful 

Introduction 

Cyber Essentials is a widely recognised UK security baseline. For many SMEs it is tied to customer expectations, tender requirements, and supply chain confidence. 

The challenge is that the scheme is updated regularly, and small wording and marking changes can create big surprises at renewal time. 

This blog is here to help you stay ahead of the April 2026 update using confirmed information from IASME and the official v3.3 requirements document. 

Cyber Essentials in 2 Minutes 

The five controls (quick refresher) 

Cyber Essentials is built around five technical control areas: 

  1. Firewalls 
  2. Secure configuration 
  3. Security update management (patching) 
  4. User access control 
  5. Malware protection 

IASME’s April 2026 update is not replacing these. It is tightening definitions and how some answers are marked.

Cyber Essentials vs Cyber Essentials Plus

Both levels use the same underlying requirements.

  • Cyber Essentials is a self-assessment questionnaire, marked by a certification body.
  • Cyber Essentials Plus includes the same requirements, plus independent technical checks.

What’s Changing in April 2026 (confirmed only)

1) v3.3 goes live for assessments created from 27 April 2026

What’s changing
IASME has confirmed that the v3.3 requirements apply to assessment accounts created after 27 April 2026.

What it means in practice

  • If you create your assessment account before 27 April 2026, you stay on the current version for that assessment (as long as the account remains active).
  • If you create it on or after 27 April 2026, you are on v3.3 and the updated question set and marking.
  • You still have six months to complete the assessment after creating the account.

Simple planning tip
If you renew around spring, plan your renewal timing deliberately. The account creation date matters more than many people expect.

2) MFA becomes “pass or fail” for cloud services

This is the biggest practical change for most SMEs.

What’s changing
IASME has confirmed a shift in marking: if a cloud service has MFA available and you have not implemented it, that results in an automatic failure. IASME explicitly says this applies whether MFA is free, included, connected through another service, or only available via a paid option.

This rule is discussed in relation to the cloud services MFA questions in the user access control section (often referenced as A7.14 to A7.17 in scheme materials).

What this means in plain English
If your business uses online services like email, file sharing, CRM, finance systems, HR platforms, helpdesk tools, or any other cloud service, you should assume:

  • If MFA exists for that service, you must switch it on.
  • If you do not, you are very likely to fail the assessment.

What to do first
Start with the services that matter most to attackers:

  • Email
  • Admin accounts
  • Remote access tools
  • Anything that holds customer data or money

3) Cloud services are now clearly defined, and cannot be excluded from scope

What’s changing
IASME has added a clear definition of a cloud service and makes a direct statement that cloud services cannot be excluded from scope if your organisation’s data or services are hosted there.

What it means in practice
If your business uses cloud services to store or process business data, those services are in scope. You cannot say “we’re excluding that platform” to avoid answering questions about it.

4) Scoping wording is being tightened and clarified

What’s changing
IASME states that the scoping criteria have been updated to remove ambiguous qualifiers around internet connections, making it clearer that relevant internet-connected devices are in scope. IASME also highlights that if you exclude parts of your infrastructure, you will need to explain what is excluded, why, and how it is segregated.

What it means in practice
If your scope is copied from last year, it is worth revisiting it properly. Most Cyber Essentials delays and failures start with scope confusion, not firewalls.

5) The updated question set has a confirmed release date

IASME has confirmed the question set to be used from 27 April 2026 is Cyber Essentials (Danzell), and it will be available from 9 February 2026.

What it means in practice

  • You will be able to review the exact wording from 9 February 2026.
  • Any internal “answer templates” from previous years may need updating.

6) Cyber Essentials Plus test specification for Danzell is “coming soon”

IASME’s downloads page states the Cyber Essentials Plus Test Specification for Danzell is coming soon.

If you are planning Plus close to April 2026, build in time for the updated test approach once it is published.

What’s Staying the Same

Despite the April 2026 update, a lot will feel familiar:

  • The scheme is still built around the same five control areas.
  • v3.3 is described as a minor update focused on clarity and consistency, not a total redesign.
  • Cyber Essentials is still designed to be achievable for SMEs, provided it is treated as a real process and not a last-minute form.

Common fail points are also likely to remain familiar:

  • Online accounts without MFA
  • Devices or software that are out of support
  • Unclear scope, especially around remote work and cloud services
  • Evidence that does not match reality

Readiness Checklist for SMEs

Use this as a practical starting point.

| Area | What “good” looks like | Common SME gap | Quick action this week | Longer term action |
| --- | --- | --- | --- | --- |
| Scope | A clear scope that includes your key systems, users, remote work devices, and cloud services | Scope copied from last year | List your main cloud services and remote access tools, confirm they are included | Keep a simple asset and scope register updated through the year |
| MFA | MFA switched on for every cloud service where it is available | MFA only on some accounts | Turn on MFA for business email for all users | Enforce MFA across all cloud services and admin accounts |
| Patching | Supported software only, regular updates | Old devices or apps still in daily use | Identify any out-of-support systems and create a plan | Central patching and planned replacement of legacy systems |
| Access control | Right people have the right access, admin access is limited | Too many admins, shared logins | Review who has admin rights and remove obvious extras | Joiners, movers, leavers process plus regular access reviews |
| Protection | Devices have up-to-date protection and basic security settings | Unmanaged laptops or inconsistent setup | Confirm every device has active protection and updates | Standard builds and central management |
| Evidence | Screenshots and policies are current and match reality | Evidence gathered at the last minute | Capture proof for the controls you already have | Maintain an evidence pack during the year |

How Get Support Owns Cyber Essentials for Clients

Cyber Essentials becomes easier when it is treated like ongoing housekeeping, not a yearly panic.

Our approach:

  • Gap review against v3.3 and the IASME scheme updates
  • Scope definition that actually reflects how you work today
  • Practical remediation plan with clear priorities
  • Evidence pack support so you are not scrambling at the end
  • Light-touch governance so renewals are smoother every year

If you want a single point of accountability, we can run the end-to-end process.

Conclusion

The Cyber Essentials April 2026 update is important, mainly because of one marking change that will catch businesses out:

  • If a cloud service has MFA available and you have not implemented it, you fail automatically for assessments created from 27 April 2026.

The smart move for SMEs is simple:

  • List your cloud services
  • Switch on MFA wherever it exists (start with email)
  • Refresh your scope and evidence before renewal season

If you would rather not manage all this internally, Get Support can take ownership of the process.

FAQs

When do the Cyber Essentials changes take effect?

They apply to assessment accounts created from 27 April 2026 onwards.

Does the date I renew matter, or the date I create the assessment account?

The key date is when you create the assessment account, because that locks the version and you then have up to six months to complete it.

Will we fail if MFA is not switched on?

For assessments created from 27 April 2026, IASME confirms that where cloud services have MFA available and it is not implemented, this results in an automatic failure.

When can we see the new question set?

IASME states Cyber Essentials (Danzell) will be available from 9 February 2026 and used for applications from 27 April 2026.

Do cloud services have to be in scope?

If your organisation’s data or services are hosted on cloud services, those services must be in scope, and IASME states cloud services cannot be excluded from scope.