
Cyber Essentials Is Changing in April 2026. Here's What You Actually Need to Know.


If your business holds Cyber Essentials certification — or you've been putting it off — April 2026 is the date to circle. The scheme is getting its most significant update in years, and some of the changes will catch people out.

We've gone through the new requirements (version 3.3, codenamed "Danzell") so you don't have to wade through the technical documents. Here's what's changing, what it means in practice, and what you should be doing about it right now.


First, a quick refresher

Cyber Essentials is a UK Government-backed certification scheme. It's run by IASME and overseen by the National Cyber Security Centre (NCSC). The idea is straightforward: prove that your business meets a baseline standard of cyber security, get a certificate that says so.

There are two levels. Cyber Essentials is a self-assessment questionnaire. Cyber Essentials Plus involves an independent technical audit. Both cover the same five controls: firewalls, secure configuration, access control, malware protection, and patch management.

Why bother? Three reasons. Government contracts increasingly require it. Large corporate clients are starting to demand it from their suppliers. And frankly, working through the assessment forces you to fix the basics — which is where most breaches happen anyway. According to the government's own data, 43% of UK businesses reported a cyber breach or attack in the past twelve months (DSIT Cyber Security Breaches Survey 2025). Most of those were preventable with basic controls.


What changes on 27 April 2026

The new version — v3.3 — officially takes effect on 27 April 2026. Any assessment opened after that date will use the new question set. If you've started an assessment before then, you'll still be assessed under the current v3.2 rules.

Here's what's different.

MFA is no longer optional for cloud services

This is the big one. Under the current rules, not having multi-factor authentication on your cloud services was flagged as a "major noncompliance" — bad, but it didn't automatically sink your assessment. That's over.

From April, if a cloud service you use offers MFA — whether it's built in, available as a paid add-on, or accessible through a third-party identity provider — you must have it switched on. If you don't, you fail. Full stop.

This matters more than it sounds. Think about how many cloud services your business touches: Microsoft 365, Google Workspace, Xero, Slack, Dropbox, Trello, HubSpot, your CRM, your project management tool. If any of them offer MFA and you haven't enabled it, that's a fail under v3.3.

The logic is hard to argue with. MFA stops the vast majority of account takeover attacks. The NCSC has been recommending it for years. Now they're making it mandatory.

What to do: Log into every cloud service your business uses. Check if MFA is available. Turn it on. This isn't a "when we get round to it" task — it's a "this week" task.

You can't exclude cloud services from scope anymore

Under v3.2, there was some ambiguity about what counted as a "cloud service" for the purposes of the assessment. Some organisations interpreted the rules loosely and excluded services they probably shouldn't have.

Version 3.3 closes that gap. If a cloud service stores or processes your organisation's data, it's in scope. No exceptions, no creative interpretations.

This is particularly relevant for businesses using a mix of tools — a common setup in coworking environments where teams adopt whatever works fastest. That Notion workspace, the shared Canva account, the free-tier analytics dashboard — if it holds your data, it's part of the assessment.

Every internet-connected device is in scope

The previous version used qualifiers like "untrusted" and "user-initiated" when defining which internet connections fell within scope. Those qualifiers are gone.

Now: if a device in your business is connected to the internet, it's in scope. That includes the obvious (laptops, phones) and the less obvious (the smart TV in the meeting room, the network printer, the IoT sensor in the office). If it's connected, it's in scope.

For most small businesses, this doesn't change much in practice — your laptops and phones were already covered. But if you've got devices you've never thought about from a security perspective, it's time to start.

Passkeys are officially recognised

On a more positive note, v3.3 formally accepts passkeys (FIDO2) as a valid form of multi-factor authentication. If you've already moved to passwordless login using passkeys — say, through Apple's ecosystem or a hardware security key — that now counts toward your MFA requirement.

The NCSC has gone further and indicated that passkeys are their preferred recommendation going forward. Passwords are increasingly seen as the weak link. Passkeys solve that by tying authentication to a physical device and biometric verification.

This is worth considering even if you're not pursuing certification. Passkeys are genuinely more secure and more convenient than passwords plus SMS codes. It's a rare case where the more secure option is also the easier one.


What this means depending on where you are

Already certified

Your current certificate remains valid until its expiry date. But your next assessment — whenever that falls after 27 April — will be against v3.3. Don't wait until renewal to act. Audit your MFA coverage now, document your cloud services, and check your device inventory. Finding out you've got a gap during the assessment is far more stressful than finding it three months early.

Thinking about getting certified

Now is actually a good time to start. If you begin the process before 27 April, your assessment may still fall under v3.2 — which is slightly less demanding. But even if you end up on v3.3, starting the process forces you to address the fundamentals. And those fundamentals — MFA, patching, firewalls, access control — are worth doing regardless of whether you frame a certificate at the end.

There's also a commercial argument. The Cyber Security and Resilience Bill, currently making its way through Parliament, is expected to tighten supply chain security requirements. Large organisations will increasingly need assurance from their suppliers. If you're a five-person agency doing work for a corporate client, the question "do you have Cyber Essentials?" is coming sooner than you think.

Working from a coworking space

This is where it gets complicated. You don't control the network. You don't manage the WiFi infrastructure. You can't configure the firewall or segment the VLANs.

But you do control your devices, your cloud services, and your access policies. Focus there. Ensure every laptop has its firewall enabled, its OS patched, and its disk encrypted. Enable MFA on everything. Use a VPN for sensitive work. And if your business handles regulated data — financial, medical, personal — consider whether shared infrastructure is appropriate for your compliance needs.


A practical checklist

If you want to be ready for v3.3, here's where to start:

This week:

  • List every cloud service your business uses (including free-tier tools and shared accounts)
  • Enable MFA on each one that offers it
  • Check that all devices (laptops, phones, tablets) are running the latest OS version

This month:

  • Review which devices connect to your network — include printers, smart displays, and anything IoT
  • Check your firewall settings on all devices
  • Review user access: who has admin rights, and do they still need them?
  • If you use passkeys anywhere, document it

Before April:

  • Decide whether you're pursuing certification (or renewal)
  • If yes, document your scope: what cloud services, what devices, what data
  • Run through the Cyber Essentials question set as a practice round — IASME publishes the requirements on their website
  • Identify any gaps and fix them before the real assessment

The honest take

Cyber Essentials isn't perfect. It's a baseline, not a comprehensive security programme. Passing it doesn't mean you're unhackable — it means you've covered the fundamentals that stop the most common attacks.

But that's exactly why the April changes matter. MFA being optional for cloud services was a genuine hole in the scheme. Cloud services being excludable from scope was another. Both of those holes are now closed.

If you're a small business in London — especially one operating from a coworking space where you're already sharing infrastructure with strangers — these fundamentals aren't theoretical. They're the difference between a normal Tuesday and a Tuesday where you can't access your files, your client data is compromised, and you're explaining to customers what happened.

The changes come into effect on 27 April 2026. That's two months from now. Enough time to prepare properly. Not enough time to procrastinate.



Evolfe provides IT support and security services for London businesses. If anything in this article applies to you and you need a hand, get in touch.
