04/03/2026

Cyber Essentials Is Changing in April 2026: What SMEs Need to Know


From 27 April 2026, Cyber Essentials (CE) and Cyber Essentials Plus (CE+) will undergo a significant shift in how assessments are enforced. While the five technical controls remain the same, IASME is tightening the interpretation and evidence requirements to make the scheme more robust, consistent and reflective of modern cyber risks. 

As an MSP that is also an IASME-accredited Certifying Body (CB), Air IT Group welcomes these changes. They’re designed to strengthen cyber resilience across the UK and give organisations greater confidence that their security controls work – not just at audit time.

In this article, we break down what’s changing, what it means for SMEs, and how you can stay ahead of your next assessment. 

Why Cyber Essentials is becoming more rigorous 

The threat landscape has evolved. Cloud usage has grown. Attackers move faster. And many organisations rely on Cyber Essentials as a foundation for insurance, supply chain assurance and government tenders. 

The 2026 changes strengthen the scheme by removing ambiguity and increasing consistency across assessments. This means: 

  • clearer expectations, 
  • better security outcomes, 
  • and fewer “grey areas” where organisations could previously scrape by with minimal controls. 

For SMEs, it’s an opportunity to boost cyber maturity rather than fear failure. 

“Cyber Essentials has always provided a strong foundation, but the 2026 updates bring it in line with how businesses operate today, especially in the cloud. For SMEs, these changes shouldn’t be intimidating. In most cases, it’s about formalising and strengthening controls that should already be in place. With the right preparation and guidance, compliance is absolutely achievable.”

Guy Liu, Head of Cyber Security, Air IT Group 

The key changes coming in April 2026 

1. Stricter, clearer enforcement 

Organisations that were previously “just compliant” may no longer meet the threshold if controls aren’t applied consistently across users, devices and cloud services. This isn’t punitive – it’s simply raising the baseline of what good looks like. 

2. MFA is now effectively mandatory 

If a system supports multi-factor authentication, IASME now expects it to be enabled, even if it requires an additional licence. Partial MFA (e.g. only applied to admins) is no longer sufficient. This aligns with broader industry best practice and dramatically reduces account compromise risk. 

3. Cloud services are fully in scope 

Any cloud platform your team uses for work now falls under assessment, including: 

  • email services 
  • file storage 
  • finance, HR and CRM platforms 
  • collaboration tools 
  • industry-specific SaaS 

If staff can sign into it, it’s in scope. This reflects the modern reality that the cloud holds your most valuable data. 

4. Patching expectations move beyond simple answers 

Basic assessments can no longer rely on simple yes/no answers. Organisations must now: 

  • describe patching processes, 
  • show that updates are managed effectively, and 
  • remove unsupported or end-of-life systems. 

For many SMEs, this will be the area needing the most uplift. 

5. Evidence over policy 

CE+ assessors will now test whether controls operate correctly day-to-day, not just in theory. This means real-world validation, stronger assurance and fewer gaps between policy and practice. In addition, there is a deliberate “hardening” of this area, with assessors seeking evidence of compliance that goes beyond simply reviewing a small sample size.  

The aim is to ensure that robust security measures are consistently in place across the organisation, rather than relying on isolated examples or best-case scenarios. 

What this means for SMEs 

For smaller organisations, these changes shouldn’t be viewed as obstacles. In fact, they provide: 

  • clearer requirements 
  • fewer loopholes 
  • a more reliable security baseline 
  • protection that reflects today’s threats 
  • greater supply chain credibility 

The key is preparation – not panic. 

What you should do now 

1. Start your Cyber Essentials planning early 

Don’t wait until renewal. Many organisations will need time to enable MFA, update legacy systems or streamline patching. Starting with the right advice is also important: without a gap analysis or advice from a knowledgeable expert, customers won’t be able to use the extra time to make the right preparations either. 

2. Address areas most likely to be impacted 

Prioritise reviewing: 

  • systems without MFA 
  • manual or inconsistent patching processes 
  • older servers or operating systems 
  • cloud apps that were previously assumed “out of scope” 

A proactive review now prevents surprises later.

3. Modernise patching and configuration management 

Automation, centralisation and monitoring are your friends. SMEs that rely on manual processes are the most vulnerable to non-compliance and to cyber incidents. 

How Air IT Group supports your journey 

As an IASME-certified Cyber Essentials assessor and trusted MSP, Air IT Group is uniquely placed to guide organisations through these changes. 

We help SMEs by: 

  • conducting readiness reviews 
  • identifying gaps early 
  • modernising patching and configuration 
  • enabling MFA across your environment 
  • providing remediation support 
  • managing the entire certification process end-to-end 

Whether you renew annually or are working towards CE+ for the first time, our accredited team ensures you’re prepared.  

Stronger Cyber Essentials for a stronger business 

The April 2026 changes enhance Cyber Essentials, making it more consistent, more effective and more aligned with how businesses operate today. With the right preparation and the right partner, these changes become an opportunity to strengthen your security posture, not a barrier. 

If you’d like a readiness check or tailored guidance ahead of the April update, our IASME-certified team is here to help. 
