Cyber Essentials 2026 Update: New MFA Rules, Cloud Scope & Compliance
Although IASME has described the 2026 update as "minor," it introduces important clarifications regarding multi-factor authentication (MFA), cloud services and scoping definitions. For many organisations, this will mean reviewing internal policies, raising awareness of user access controls and ensuring that MFA is properly enforced across every account.
As a government-backed scheme designed to protect against the most common cyber attacks, Cyber Essentials remains one of the simplest yet most effective frameworks for building cyber resilience.
The 2026 update makes one thing clear: security fundamentals continue to evolve and now is the time for every organisation to stay ahead.
MFA becomes an automatic pass or fail
Multi-factor authentication (MFA) has long been a requirement, but from April 2026 any cloud service that supports it must have it switched on, or the organisation will fail certification. No exceptions.
In response to the growing risk of credential-based attacks, IASME emphasises MFA as a vital layer of protection.
Simple steps such as switching to passwordless and MFA-secured logins across Microsoft 365 and Azure can significantly improve security.
Clearer cloud service definitions
For the first time, IASME is introducing a specific definition of what qualifies as a cloud service.
Under the upcoming 2026 update, any online, scalable infrastructure used to host company data will be considered in scope, including Microsoft 365, AWS, Azure and other SaaS platforms.
This clears up any confusion and confirms that cloud services will now be fully included in the assessment.
Improved scoping and transparency
Organisations will have to explain any part of their infrastructure that is excluded from the assessment scope and justify how it is segregated from other networks.
This added clarity promotes transparency and ensures that each assessment accurately reflects an organisation’s real-world risk.
Passwordless authentication and passkeys take centre stage
The 2026 update identifies passwordless authentication, such as FIDO2 and passkeys, as the next step in identity security.
The National Cyber Security Centre (NCSC) encourages organisations to adopt these methods as their default to achieve stronger security and a smoother user experience.
For MSPs such as Grant McGregor, this shift aligns with the wider industry movement towards phishing-resistant, user-friendly authentication.
Backups and application development
The revised structure brings backup guidance to the forefront of the document, emphasising its importance in incident recovery.
The former web applications section will become application development, which aligns with the UK Government’s Software Security Code of Practice and promotes secure development standards.
What businesses should do now
To stay prepared ahead of the April 2026 deadline:
- Review MFA coverage across all services.
- Audit cloud platforms and ensure none are excluded from the scope.
- Begin testing or implementing passwordless authentication.
- Refresh your backup strategy to meet best-practice standards.
If in doubt, speak to your MSP or a certified Cyber Advisor, such as Grant McGregor.
Although Cyber Essentials remains a foundation of strong cyber hygiene, staying compliant means keeping pace with each evolution of the scheme.
How Grant McGregor can help
As a Certified Cyber Advisor, Grant McGregor helps organisations of all sizes improve security through expert guidance, clear documentation and practical steps such as MFA and password management.
We simplify Cyber Essentials for our clients by guiding them through the process and helping them achieve stronger security with greater awareness. If your organisation is preparing for the April 2026 update, we can provide tailored advice, assess your readiness and guide you through each stage of certification and renewal.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us
