      IASME Announces Updates To Cyber Essentials

      With cyber threats evolving rapidly, the UK’s government-backed Cyber Essentials scheme is being updated to help businesses stay protected.

      The IASME Consortium Ltd, in partnership with the National Cyber Security Centre (NCSC), has announced the next major revision to the Cyber Essentials standard – version 3.3 of the “Requirements for IT Infrastructure” – which will take effect in April 2026.

      For SMEs that use certification to demonstrate strong cyber hygiene to customers, suppliers, and insurers, understanding these updates early will be essential.

      Below is a summary of what’s changing, why these updates to Cyber Essentials matter, and what your business can do now to prepare.

      Key changes at a glance

      Launch timing and scope
      The new version will apply to all Cyber Essentials assessments started after 27 April 2026. Businesses with assessment accounts created before that date will continue under the existing version. Once you start an assessment, you’ll have six months to complete it under that version’s rules.

      Enhanced marking criteria – MFA now mandatory
      Multi-factor authentication (MFA) will move from being a recommendation to a strict requirement. If a cloud service offers MFA – even if it’s an optional or paid feature – it must be switched on. Businesses that don’t have MFA enabled where available will automatically fail certification. This confirms that MFA is now seen as a minimum protection standard for any organisation using online or cloud-based services.

      Definitions and scoping clarifications
      The new update provides a clearer definition of what counts as a cloud service – essentially any system accessed online that stores or processes your company’s data, such as Microsoft 365, Google Workspace, or cloud storage. None of these services can be excluded from your certification.

      IASME is also simplifying the scoping rules: any device that connects to the internet will be in scope. This includes laptops, desktops, tablets, and smartphones. The previous complex language around ‘untrusted’ or ‘user-initiated’ connections has been removed to make this easier to understand.

      Updates to specific sections

      • The former “Web Applications” section is now called “Application Development”, aligning with the UK Government’s Software Security Code of Practice. Public-facing web or mobile apps are always in scope, while purely internal custom-built tools are not.

      • Backup guidance has been moved earlier in the standard to stress its importance for recovery and business continuity.

      • The User Access Control section now promotes modern sign-in methods such as passkeys, biometrics, security tokens, and MFA. Businesses are encouraged to adopt passwordless technology where practical.

      Why Knowing Updates To Cyber Essentials Matters

      These may appear to be small changes, but together they mark a clear move towards stronger cyber resilience and more accountability across UK businesses.

      Cloud services and connected devices are now central
      If your company uses any form of cloud-based service, it must be part of your Cyber Essentials scope. This ensures that no system where company or customer data is stored is overlooked. For SMEs using multiple cloud tools, it’s vital to review which services are in use and confirm they meet the new requirements.

      MFA is non-negotiable
      The new rule around MFA means businesses need to act now. Every account that supports MFA should have it enabled – particularly across systems like email, file storage, and finance platforms. Many smaller firms will find this step alone significantly strengthens their defences against phishing and account compromise.

      Managing supplier and partner risk
      For SMEs in supply chains, Cyber Essentials certification is often a prerequisite for contracts or tenders. As clients and partners begin demanding compliance with the 2026 version, achieving certification early could give your business a competitive edge.

      Audit and documentation readiness
      With clearer definitions and stricter scope, the new version will expect better record-keeping. Businesses should have clear documentation of their systems, devices, and any justified exclusions to ensure a smooth assessment process.

      Reputation and marketing advantage
      Updating to the latest version demonstrates that your business takes cyber security seriously. Certification can help build trust with customers and partners and strengthen your position when competing for new contracts – particularly in regulated or data-sensitive sectors.

      Recommended Actions

      For organisations whose Cyber Essentials renewal falls after the April deadline, there are a few steps to take in advance of re-certification:

      1. List all cloud services and devices
        Identify every cloud platform and internet-connected device used by your business. Document these clearly, including which services store or process company data.

      2. Enable MFA everywhere possible
        Review all accounts and services that support MFA and turn it on. Consider moving towards passwordless sign-in where supported, using options like biometrics or security keys.

      3. Update your backup procedures
        Test and review your backup processes to ensure they’re reliable and well-documented. Backups are a critical safeguard against ransomware or accidental data loss.

      4. Inform your team and partners
        Make sure everyone in your organisation knows about the changes coming in 2026. If you work with IT partners or managed service providers, ensure they are also preparing for compliance.

      5. Plan your certification timeline
        If you expect to renew or apply for certification after April 2026, start aligning your systems and policies now. If you plan to certify before that date, confirm you’ll complete under the current version.

      Updates To Cyber Essentials: The Road Ahead

      The upcoming Cyber Essentials update reflects the growing importance of proactive cyber security. Rather than a complete overhaul, it strengthens core controls such as MFA, data backups, and access management.

      For SME leaders, this isn’t just about compliance – it’s about protecting business continuity, customer confidence, and long-term resilience.

      Getting ahead of the April 2026 update will show that your business doesn’t just meet the minimum standard but leads by example in protecting data and digital assets.

      Akita has in-house Cyber Essentials assessors who can offer guidance to organisations going for renewal. For more information, please get in touch.