Although IASME has described the 2026 update as "minor," it introduces important clarifications regarding multi-factor authentication (MFA), cloud services and scoping definitions. For many organisations, this will mean reviewing internal policies, raising awareness of user access controls and ensuring that MFA is properly enforced across every account.
As a government-backed scheme designed to protect against the most common cyber attacks, Cyber Essentials remains one of the simplest yet most effective frameworks for building cyber resilience.
The 2026 update makes one thing clear: security fundamentals continue to evolve, and now is the time for every organisation to stay ahead.
Multi-factor authentication has long been a requirement, but from April 2026 any cloud service that supports it must have it switched on, or the organisation will fail certification. No exceptions.
In response to the growing risk of credential-based attacks, IASME emphasises MFA as a vital layer of protection.
Simple steps such as switching to passwordless and MFA-secured logins across Microsoft 365 and Azure can significantly improve security.
For the first time, IASME is introducing a specific definition of what qualifies as a cloud service.
Under the upcoming 2026 update, any online, scalable infrastructure used to host company data will be considered in scope, including Microsoft 365, AWS, Azure and other SaaS platforms.
This clears up any confusion and confirms that cloud services will now be fully included in the assessment.
Organisations will have to explain any part of their infrastructure that is excluded from the assessment scope and justify how it is segregated from other networks.
This added clarity promotes transparency and ensures that each assessment accurately reflects an organisation’s real-world risk.
The National Cyber Security Centre (NCSC) encourages organisations to adopt these methods as their default to achieve stronger security and a smoother user experience.
For MSPs such as Grant McGregor, this shift aligns with the wider industry movement towards phishing-resistant, user-friendly authentication.
The former web applications section will become application development, which aligns with the UK Government’s Software Security Code of Practice and promotes secure development standards.
To stay prepared ahead of the April 2026 deadline:
Although Cyber Essentials remains a foundation of strong cyber hygiene, staying compliant means keeping pace with each evolution of the scheme.
If you’re planning your next certification or renewal, the official Cyber Essentials Requirements for IT Infrastructure v3.3 is a good place to start. It walks you through what’s new and helps you prepare for the April 2026 changes.
As a Certified Cyber Advisor, Grant McGregor helps organisations of all sizes improve security through expert guidance, clear documentation and practical steps such as MFA and password management.
We simplify Cyber Essentials for our clients by guiding them through the process and helping them achieve stronger security with greater awareness. If your organisation is preparing for the April 2026 update, we can provide tailored advice, assess your readiness and guide you through each stage of certification and renewal.
Message us: https://www.grantmcgregor.co.uk/contact-us