Cyber Essentials Changes in April 2026 What You Need to Know
Cyber Essentials 2026 changes
Cyber Essentials is set for significant changes in April 2026, making it crucial for organisations to prepare for the updated certification requirements. As an IT MSP based in Guildford, Surrey, CloudHalo helps local businesses stay ready for the new Cyber Essentials standards. From 27 April 2026 onwards, all new assessments will be conducted under version 3.3, also referred to as Danzell. This latest update introduces tighter controls around cloud services, stronger authentication requirements, clearer scoping guidelines, and enhanced expectations for secure software development. Businesses aiming to achieve or renew Cyber Essentials certification will need to review their current security practices to ensure they meet these new, more rigorous standards.
This guide outlines the key Cyber Essentials 2026 changes and highlights what organisations should prioritise to stay compliant ahead of the new standard.
Key Changes in Cyber Essentials for 2026
Cloud Services Fully in Scope
Under the Cyber Essentials 2026 changes, cloud services are now clearly defined, with all systems that handle business data falling within scope, including SaaS platforms, cloud infrastructure, and identity services linked to your organisation.
Multi Factor Authentication Requirements
Updated Scoping Rules
Cyber Essentials 2026 eliminates legacy terminology like “untrusted” and “user-initiated,” replacing it with clearer scoping criteria. Systems are now in scope if they send, receive, or manage internet traffic, and any exclusions must be backed by documented proof of proper segregation controls.
Application Development Section Updates
The Web Applications section is now called Application Development and follows the UK Government Software Security Code of Practice. Commercial applications are now included, while custom components with no public access are not in scope.
Passwordless Authentication Guidance
The new version encourages businesses to adopt passwordless authentication, including passkeys, biometrics, FIDO2 devices and hardware tokens, to strengthen access security.
Backup Guidance Highlighted
The updated standard highlights the importance of backups by moving this guidance earlier, with organisations needing to ensure backups are documented, secure and routinely tested.
What These Changes Mean for Organisations
Cyber Essentials 2026 strengthens requirements around cloud security, identity management, secure development and disaster recovery, meaning businesses should be prepared for more in-depth assessments and stricter controls.
Businesses should review their cloud service inventory, enforce multi-factor authentication across all platforms, evaluate network design and ensure development teams adhere to secure coding standards. Backup and recovery processes should be up to date and properly documented.
Why Certify Before April 2026
By registering for Cyber Essentials before 27 April 2026, organisations can take advantage of the existing requirements, minimise remediation work, and avoid the high-demand period near the update deadline.
How CloudHalo IT Can Help
CloudHalo supports businesses through the upcoming Cyber Essentials changes by offering early assessments, gap analysis, MFA and cloud security guidance, policy reviews, and assistance with evidence documentation.
Acting now allows your organisation to prepare confidently and meet the updated Cyber Essentials requirements with minimal disruption.