If there’s one thing I’ve learned from supporting organisations of all sizes, it’s that cyber security never sits still. Threats evolve, technology shifts, and the standards that protect us have to keep pace.
This month’s update to Cyber Essentials is one of the biggest revisions we’ve seen in recent years. Below is a practical breakdown of the changes and what they mean for your business.
1. Scope and Device Requirements Are Tightening
Cyber Essentials is becoming much clearer—and stricter—on what must be included in scope.
Key Changes
- Cloud services cannot be excluded, including social media accounts used for business (LinkedIn, Facebook, X).
- Home and remote worker devices remain fully in scope, with stronger expectations around all firewalls.
- Thin clients (low-cost physical machines) must run supported, updatable operating systems.
If you rely on a mixture of personal devices, unmanaged applications or loosely controlled cloud accounts, you will need stronger visibility and documentation. Older thin clients or unsupported operating systems are likely to become non-compliant.
2. Stricter Firewall & Network Segmentation Requirements
This is one area where many organisations will need to make changes.
What’s New
- Sub-sets can only be created using a physical firewall or a VLAN. A sub-set is a part of your network that has been separated so it can be managed as its own security boundary (for example, isolating a department). Software-based segmentation or security groups no longer meet the requirement.
- Partial scopes must list all equipment used to create segmentation. Segmentation is the separation of systems or networks so that access between them is restricted, stopping a security incident in one area from spreading to another.
- Admin access to firewalls must be secured using MFA (Multi Factor Authentication) or IP allow lists, and should never be internet-accessible without a documented, board-approved business case.
If your network relies on virtual segmentation alone, you will need to revisit that design. Cyber Essentials is moving firmly toward physical or VLAN-based separation for anything outside whole organisation certification.
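As an added illustration of the firewall administration rule above (this is example code, not the standard's text or any vendor's tooling), the following Python evaluates a constructed description of each firewall's admin interface: it requires MFA or a non-empty IP allow list, flags an allow-list entry that covers every address as no restriction at all, and flags an internet-reachable admin interface that has no documented business case. The record fields and the sample firewalls are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class FirewallAdminAccess:
    """Constructed record of how one firewall's admin interface is reached (example fields)."""
    name: str
    mfa_enabled: bool
    allow_list: list          # CIDR strings; empty means any source may attempt to log in
    internet_reachable: bool
    business_case_documented: bool  # board-approved case for internet exposure


def allowed_source(fw, source_ip):
    """True if source_ip falls inside one of the firewall's allow-list ranges.

    An empty allow list is 'no restriction', so nothing is considered allowed by it.
    """
    if not fw.allow_list:
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in fw.allow_list)


def assess(fw):
    """Return the findings for this firewall's admin access; an empty list means compliant."""
    findings = []
    if not fw.mfa_enabled and not fw.allow_list:
        findings.append("admin access has neither MFA nor an IP allow list")
    if fw.internet_reachable and not fw.business_case_documented:
        findings.append("admin interface is internet-reachable without a documented business case")
    for cidr in fw.allow_list:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 permits every source
            findings.append(f"allow-list entry {cidr} permits every source and is not a restriction")
    return findings


# Constructed sample firewalls (not real devices).
SAMPLE = [
    FirewallAdminAccess("hq-edge", mfa_enabled=False, allow_list=["10.20.0.0/24"],
                        internet_reachable=False, business_case_documented=False),
    FirewallAdminAccess("branch-edge", mfa_enabled=False, allow_list=[],
                        internet_reachable=True, business_case_documented=False),
    FirewallAdminAccess("dc-edge", mfa_enabled=True, allow_list=["0.0.0.0/0"],
                        internet_reachable=True, business_case_documented=True),
]

if __name__ == "__main__":
    for fw in SAMPLE:
        print(fw.name, assess(fw) or "compliant")
    print("10.20.0.17 admitted by hq-edge allow list:", allowed_source(SAMPLE[0], "10.20.0.17"))
```

Running the block reports `hq-edge` as compliant (allow list only, no MFA), two findings for `branch-edge`, and one for `dc-edge`, whose MFA and documented business case are fine but whose `0.0.0.0/0` entry is not an allow list in any meaningful sense.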
3. Much Tougher OS & Software Support Rules
Cyber Essentials has always required supported operating systems—but the 2026 update strengthens this dramatically.
Headline Changes
- Firmware is now formally classed as an operating system, meaning firewalls and routers must receive updates.
- Windows 10 is only compliant with an Extended Security Update (ESU) subscription after October 2025.
- You must list versions of:
  - Browsers
  - Malware protection
  - Email applications
  - Office applications
This update removes any remaining ambiguity. If software or firmware is unsupported—or isn’t receiving security patches—it will automatically cause failure. If you still have older hardware or operating systems, this is your window to upgrade before they become compliance blockers.
4. Update Management: Zero Flexibility
This rule has been strict for years, but April 2026 makes it even clearer.
You must install all high-risk or critical updates issued by software and hardware vendors from the moment they are released. Always.
This includes:
- Operating systems
- Applications
- Firmware on firewalls and routers
Optional features aren't required, but all vulnerability fixes are. If automatic updates aren't possible, you will need a documented and reliable manual process.
If you lack a structured patching approach today, this update makes it essential.
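Sections 3 and 4 together amount to one inventory question: for every device, is the operating system and firmware still supported, are the required software versions recorded, and is every high-risk or critical update installed? The Python below is an added example (not part of this post and not a Cyber Essentials tool) that answers that question over a constructed inventory. It treats router firmware as an operating system, applies the Windows 10 rule using Microsoft's published end-of-support date of 14 October 2025, and flags any critical or high update that has been released but not installed; the record layout, device names and update identifiers are assumptions.

```python
from datetime import date

REQUIRED_VERSION_FIELDS = ("browser", "malware_protection", "email", "office")
WINDOWS10_END_OF_SUPPORT = date(2025, 10, 14)   # Microsoft's published end-of-support date
MANDATORY_SEVERITIES = {"critical", "high"}      # optional feature updates are not mandatory

# Constructed inventory (example data, e.g. as exported from an MDM or asset register).
INVENTORY = [
    {"device": "laptop-01", "kind": "endpoint", "os": "Windows 11", "os_supported": True,
     "esu": False, "firmware_supported": True,
     "software": {"browser": "Chrome 131", "malware_protection": "Defender 4.18",
                  "email": "Outlook 365", "office": "Microsoft 365"},
     "pending_updates": [{"id": "EXAMPLE-OPT-1", "severity": "low", "released": "2026-03-20"}]},
    {"device": "laptop-07", "kind": "endpoint", "os": "Windows 10", "os_supported": True,
     "esu": False, "firmware_supported": True,
     "software": {"browser": "Edge 130", "malware_protection": "Defender 4.18",
                  "email": "Outlook 2019"},                     # office version never recorded
     "pending_updates": [{"id": "EXAMPLE-CRIT-9", "severity": "critical", "released": "2026-03-10"}]},
    {"device": "edge-router", "kind": "network", "os": "vendor firmware 2.1", "os_supported": True,
     "esu": False, "firmware_supported": False, "software": {}, "pending_updates": []},
]


def assess_device(rec, today):
    """Return the compliance findings for one device; empty means nothing to fix."""
    findings = []
    if not rec["os_supported"]:
        findings.append(f"{rec['os']} is out of vendor support")
    elif rec["os"] == "Windows 10" and today > WINDOWS10_END_OF_SUPPORT and not rec["esu"]:
        findings.append("Windows 10 without an ESU subscription after end of support")
    if not rec["firmware_supported"]:
        findings.append("firmware no longer receives updates")
    if rec["kind"] == "endpoint":
        for field in REQUIRED_VERSION_FIELDS:
            if not rec["software"].get(field):
                findings.append(f"no version recorded for {field}")
    for upd in rec["pending_updates"]:
        released = date.fromisoformat(upd["released"])
        if upd["severity"] in MANDATORY_SEVERITIES and released <= today:
            findings.append(f"{upd['severity']} update {upd['id']} released {released} not installed")
    return findings


def assess_inventory(inventory, today):
    """Map each device name to its findings."""
    return {rec["device"]: assess_device(rec, today) for rec in inventory}


def non_compliant(inventory, today):
    """Sorted names of devices with at least one finding."""
    return sorted(name for name, f in assess_inventory(inventory, today).items() if f)


if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY, date(2026, 4, 1)).items():
        print(name, findings or "compliant")
```

With the assessment date set to 1 April 2026, `laptop-01` is clean (its only pending update is a low-severity optional one), `laptop-07` collects three findings (Windows 10 without ESU, no office version recorded, a critical update outstanding) and `edge-router` fails on unsupported firmware alone.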
5. Stronger User Access & Administrative Controls
Cyber Essentials is doubling down on proper account governance.
Key Requirements
- Formal processes must exist for creating, approving, modifying and removing user accounts.
- Admin accounts must never be used for daily tasks such as browsing, email or general work.
- Cloud admin accounts must use MFA, and organisations must track all administrative accounts and review them regularly.
This is no longer soft guidance—it’s a clear expectation. Organisations without structured access control policies will need to introduce them.
6. Password Rules Updated for Real World Security
Instead of focusing on outdated complexity rules, the new standard aligns fully with modern NCSC (National Cyber Security Centre) guidance.
Updated Requirements
- Systems must either:
  - Block common passwords,
  - Use MFA, or
  - Require passwords of 12+ characters
- No mandatory password resets.
- No complexity rules (symbols, uppercase etc.).
- Emphasis on:
  - Three random words
  - Password managers
  - User education
  - Brute force protection mechanisms
This approach is far more practical and more secure.
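To show what the updated password rules look like in code, here is an added Python example (mine, not from this post or from NCSC) of a password check that imposes no character-class complexity rules at all. It goes slightly beyond the minimum "either/or" wording: the common-password deny list is always applied, and the 12-character minimum is relaxed only where MFA is in place. A small lockout class demonstrates the brute-force protection the standard asks for. The deny list, the substitution table and the lockout thresholds (10 failures in 300 seconds) are assumptions made for the example.

```python
import unicodedata
from collections import defaultdict

MIN_LENGTH = 12


def normalise(pw):
    """Lower-case and fold the usual substitutions so 'P@ssw0rd' matches 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "l", "!": "i"})
    return unicodedata.normalize("NFKC", pw).lower().translate(table)


# Constructed deny list; a real deployment would load a large breach-derived list.
_RAW_COMMON = ["password", "password1", "letmein", "qwerty123", "welcome1", "companyname2026"]
COMMON_PASSWORDS = {normalise(p) for p in _RAW_COMMON}


def check_password(pw, mfa_enabled=False):
    """Return (accepted, reason). Note there is no symbol/uppercase/digit requirement."""
    if normalise(pw) in COMMON_PASSWORDS:
        return False, "password is on the common-password deny list"
    if not mfa_enabled and len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters and MFA is not enabled"
    return True, "accepted"


class LoginThrottle:
    """Lock an account after too many failures inside a sliding window (brute-force protection)."""

    def __init__(self, max_failures=10, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(list)   # account -> timestamps (seconds) of failed attempts

    def record_failure(self, account, now):
        self.failures[account].append(now)

    def is_locked(self, account, now):
        recent = [t for t in self.failures[account] if now - t < self.window]
        self.failures[account] = recent     # forget attempts outside the window
        return len(recent) >= self.max_failures


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "l3tm3!n", "short7", "coffee window bicycle"):
        print(repr(candidate), check_password(candidate))
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for t in (0, 10, 20):
        throttle.record_failure("alice", t)
    print("alice locked at t=30:", throttle.is_locked("alice", 30))
```

"coffee window bicycle", a three-random-words passphrase, is accepted on length alone; "P@ssw0rd" and "l3tm3!n" are rejected because they normalise to deny-listed entries even though both would pass a classic complexity rule.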
7. MFA Becomes a Near Universal Requirement
From April 2026:
- MFA must be enabled for every user and every administrator for every cloud service that supports it.
- If a service does not support MFA, it must be listed—and you will fail if that service actually does support MFA.
- No cloud service can be excluded from scope.
In short: MFA everywhere, no exceptions.
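Sections 5 and 7 both come down to keeping a register of cloud services and their accounts and reviewing it against a few rules. As an added example (not the post's own material or any assessment body's tooling), the Python below checks a constructed register: every account on an MFA-capable service must have MFA, a service declared as lacking MFA support fails if it does support MFA, a service that genuinely lacks MFA must be listed as such, and every admin account must have been reviewed within a set interval. The 90-day review interval is an assumption, since the standard says "regularly" without a number; the service and user names are constructed.

```python
from datetime import date, timedelta

REVIEW_INTERVAL_DAYS = 90   # assumed cadence for "review them regularly"

# Constructed register of cloud services and their accounts (example data).
SERVICES = [
    {"name": "mail-suite", "supports_mfa": True, "declared_no_mfa": False,
     "accounts": [
         {"user": "alice", "admin": True, "mfa": True, "last_review": "2026-02-01"},
         {"user": "bob", "admin": False, "mfa": False, "last_review": "2026-02-01"},
     ]},
    {"name": "crm", "supports_mfa": True, "declared_no_mfa": True,   # wrongly declared
     "accounts": [{"user": "carol", "admin": True, "mfa": False, "last_review": "2025-10-01"}]},
    {"name": "legacy-portal", "supports_mfa": False, "declared_no_mfa": True,
     "accounts": [{"user": "dave", "admin": False, "mfa": False, "last_review": "2026-03-15"}]},
]


def assess_service(svc, today):
    """Return the findings for one cloud service; empty means compliant."""
    findings = []
    if svc["declared_no_mfa"] and svc["supports_mfa"]:
        findings.append("declared as lacking MFA support but the service supports MFA")
    if not svc["supports_mfa"] and not svc["declared_no_mfa"]:
        findings.append("service without MFA support must be listed as such")
    for acct in svc["accounts"]:
        role = "admin" if acct["admin"] else "user"
        if svc["supports_mfa"] and not acct["mfa"]:
            findings.append(f"{role} {acct['user']} has no MFA")
        if acct["admin"]:
            last = date.fromisoformat(acct["last_review"])
            if today - last > timedelta(days=REVIEW_INTERVAL_DAYS):
                findings.append(f"admin {acct['user']} last reviewed {last}, review overdue")
    return findings


def assess_register(services, today):
    """Map each service to its findings."""
    return {s["name"]: assess_service(s, today) for s in services}


def admin_register(services):
    """Flat, sorted list of every administrative account: the 'track all admins' record."""
    return sorted((s["name"], a["user"]) for s in services for a in s["accounts"] if a["admin"])


if __name__ == "__main__":
    for name, findings in assess_register(SERVICES, date(2026, 4, 1)).items():
        print(name, findings or "compliant")
    print("admin accounts:", admin_register(SERVICES))
```

On 1 April 2026 `mail-suite` has one finding (bob without MFA), `crm` has three (mis-declared MFA support, an admin without MFA, and an overdue admin review) and `legacy-portal` has none, because a service that truly cannot do MFA and is listed as such is acceptable under the rules above.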
8. Clearer, Tougher Malware Protection Requirements
Cyber Essentials now provides stronger clarity around what must be in place.
You must use at least one of:
- Anti-malware software
- Application allow-listing (e.g., MDM-managed apps only)
Expectations now include:
- Anti-malware tools must block malicious websites.
- Mobile devices must prevent installation of unsigned apps.
- You must maintain an approved applications list.
Organisations using BYOD may need stronger mobile device controls.
Final Thoughts: You Need to Act Now
I know these updates may feel like another round of compliance overhead. But they reflect what we see daily across the threat landscape: attackers exploiting weak cloud configurations, unsupported systems, poor password hygiene and overly permissive admin accounts.
These changes close those gaps—and in my view, they make organisations significantly more resilient.
If you haven’t started preparing, now is the moment.
We’re already helping clients to:
- Review cloud services and MFA adoption
- Assess firewall configurations
- Retire end of life systems
- Implement consistent patch management
- Audit and restructure admin rights
- Document the processes Cyber Essentials now demands
If you'd like support preparing for the April 2026 changes, or want a pre-assessment gap review, we're here to help make the process simple, achievable and stress-free.