21 Apr 2026

Cyber Essentials is changing. Here is what your business needs to know.

Jamie Hibbard
Head of Marketing

If your business holds a Cyber Essentials certification, or you are planning to get certified, there are important changes coming into effect from April 27 2026 that you need to be aware of.

The updates are significant. This is not a minor refresh. The bar is being raised across several key areas, and organisations that are not prepared risk failing their assessment or seeing their certification lapse.

Here is a clear breakdown of what is changing, and what to do about it.

What is changing from April 27 2026

MFA is now mandatory

Multi-factor authentication is now required for all services where it is available. That includes cloud services and administrative accounts. If MFA is not enabled where it can be, your assessment will automatically fail. There is no grey area here.

A tighter window for patching

High-risk and critical vulnerabilities must now be patched within 14 days. This applies to operating systems, applications and firmware. If your current patch management process is not built around this timeframe, it needs to be. Automated patching routines or a strictly enforced manual process are both acceptable, but ad hoc approaches will not hold up under scrutiny.

Cloud services are formally in scope

There is now a formal definition of what counts as a cloud service. Any service that stores or processes company data is in scope, including SaaS tools your teams use day to day. If you have not mapped your full SaaS footprint, now is the time.

Stricter auto-fail criteria

New, rigid auto-fail criteria have been introduced to bring the standard in line with current best practice. The Verified Self-Assessment gives less room for error than it used to. Getting the details right first time matters more than ever.

A push towards passwordless

The updated guidance encourages a move towards FIDO2-compliant passkeys and hardware tokens. This is not yet a hard requirement, but the direction of travel is clear.

Board-level sign-off is required

A director or board member must now sign off on the assessment. That brings clear accountability at leadership level and means Cyber Essentials can no longer be treated as purely an IT matter.

CE+ alignment

For organisations pursuing Cyber Essentials Plus, you must now be fully compliant with the standard before beginning the technical audit. The VSA and the audit must align perfectly. Starting the CE+ process with outstanding gaps is no longer an option.

How to prepare

Audit your cloud services

Identify every SaaS platform your business uses and confirm that MFA is enabled across all of them. The scope is broader than many organisations assume.

Tighten your patch management

Review how quickly vulnerabilities are currently being addressed. If you cannot demonstrate 14-day patching for high-risk and critical issues, that process needs to change before your next assessment.

Plan your renewal carefully

If your certification is due for renewal around this time, speak to your certification body about whether to renew early under the current rules. Timing matters.

Get leadership involved

Given the board sign-off requirement, now is a good moment to brief your senior leadership team on what Cyber Essentials covers and why it matters.

How Flotek can help

Flotek works with Citation Cyber to help businesses get cyber security right in practice, not just on paper. Whether you are pursuing Cyber Essentials for the first time or preparing for renewal under the new rules, we can help you understand where the gaps are and what needs to change.

If you are unsure where your business stands ahead of these changes, book a call with the Flotek team and we will talk it through.
