Cyber Essentials Changes in April 2026 What You Need to Know

Cyber Essentials will undergo major updates in April 2026, and organisations need to understand how the new requirements will affect their certification process. Any assessment created on or after 27 April 2026 will be evaluated against version 3.3, known as Danzell. This new version introduces stricter rules for cloud services, authentication, scoping and software development practices.

This blog provides a clear summary of what is changing and what organisations should focus on before the new standard arrives.

Key Changes in Cyber Essentials for 2026

Cloud Services Fully in Scope

The 2026 update introduces a formal definition of cloud services. All cloud services that process or host business data will now be in scope. This includes SaaS applications, cloud-hosted environments and identity platforms connected to your organisation.

Multi Factor Authentication Requirements

If a cloud service offers MFA, it must be turned on for all users. If MFA is available but not enabled, the organisation will automatically fail the assessment.

Updated Scoping Rules

The standard no longer uses legacy terms such as untrusted or user initiated. A device, application or service is in scope if it accepts inbound internet connections, initiates outbound internet connections or routes or manages data to and from the internet. Any exclusions must be justified and supported by evidence of effective segregation.

Application Development Section Updates

The section previously named Web Applications is now Application Development. It now includes references to the UK Government Software Security Code of Practice. Commercial applications are included in scope. Custom components without public exposure are not in scope.

Passwordless Authentication Guidance

The new version encourages the adoption of passwordless methods including passkeys, biometrics, FIDO2 devices and hardware tokens.

Backup Guidance Highlighted

Backup guidance is positioned earlier in the document to emphasise its importance. Organisations should ensure backups are documented, secure and regularly tested.

What These Changes Mean for Organisations

The 2026 update places a stronger focus on cloud security, identity management, secure development practices and recovery planning. Organisations should expect more detailed assessments and the need for tighter controls.

You may need to review your cloud inventory, confirm MFA is enforced for every service, review your network architecture and ensure development teams follow secure coding standards. Backup and recovery processes should also be updated and fully documented.

Why Certify Before April 2026

Registering for Cyber Essentials before 27 April 2026 provides several advantages. You can complete one more cycle under the current requirements, reduce remediation work and avoid the high demand period as the deadline approaches.

How SysGroup Can Help

SysGroup can support organisations through the transition by offering pre April assessments, gap analysis, MFA and cloud security support, policy updates and evidence preparation.

If you want to reduce disruption and prepare confidently for the new controls, now is the right time to take action.