Insights
Deeper thinking
Uncover the latest tax insights from our expert team, designed to help your business stay informed and ahead.

Cyber Essentials remains central to protecting organisations against the most common cyber threats. As technology evolves and cloud services become integral to daily operations, the standard must adapt.
The upcoming update to the Cyber Essentials Requirements for IT Infrastructure (v3.3), going live in April 2026, reflects this shift. While the changes are largely clarificatory, they introduce firmer expectations around scope, cloud services, and authentication that organisations cannot afford to overlook.
The real risk lies not in the changes themselves, but in underestimating their impact. Organisations that view Cyber Essentials strictly as a compliance exercise may find that previously accepted approaches, particularly around cloud usage, scoping, and access controls, no longer meet the required standard.
Without early preparation, this can lead to:
Cyber Essentials compliance is no longer purely technical; it requires a clear understanding of how modern IT environments operate in practice.
The 2026 update strengthens expectations around authentication. Multi-factor authentication is now mandatory wherever it is available for cloud services. Where MFA is not implemented, certification will automatically fail. This marks a clear shift in enforcement supported by the National Cyber Security Centre (NCSC) and IASME.
The update formalises the inclusion of cloud services within scope and removes ambiguity around internet-facing systems. If your organisation relies on cloud-based operations, these assets are now firmly under the microscope.
The Solution: Cyber Essentials Readiness Review
Organisations that prepare proactively gain clarity and control. By reviewing scope, cloud configurations, and authentication controls in advance, you can reduce risk and approach certification with confidence.
Our Cyber Essentials Readiness Review provides the assurance needed to prepare for the April 2026 changes. We assess your organisation against the updated requirements, identify gaps, and deliver practical recommendations to ensure a successful certification.
If your organisation relies on Cyber Essentials or plans to renew after April 2026, now is the time to prepare.
Disclaimer:
This insight is for general information only and should not be relied upon as professional advice. For tailored guidance, please contact Ballards.