Cyber Essentials remains one of the UK’s most important baseline security frameworks — but as we enter 2026, both the threat landscape and the certification requirements are shifting rapidly. The scheme is evolving, attacks are becoming more sophisticated, and businesses are facing increasing pressure from suppliers, insurers, and regulators to demonstrate strong cyber hygiene.
Here’s the latest on where Cyber Essentials stands today — and why now is a critical time for organisations to take action.
Cyber Essentials Adoption: The Latest 2026 Landscape
The most recent government dataset (covering October 2024 to September 2025) shows that 53,699 Cyber Essentials certificates were issued in the last 12 months, with 40,626 Cyber Essentials and 13,073 Cyber Essentials Plus assessments completed.
Despite this momentum, overall adoption across the UK remains low. The NCSC reports that only around 35,000 organisations currently hold certification — a tiny fraction of the UK’s 5.5 million businesses.
Worse still:
- Only 3% of UK businesses are certified
- Only 12% are even aware of Cyber Essentials
This gap exists despite strong evidence that certification improves security outcomes. In fact, organisations with Cyber Essentials are 92% less likely to make a cyber insurance claim, demonstrating the value of the framework in reducing risk.
There are positive signs too:
In Q1 2025, Cyber Essentials hit a major milestone — more than 10,000 certificates were issued in a single quarter, the highest on record.
This highlights growing interest as cyber threats rise and supply chains become more demanding.
Why Cyber Essentials Still Matters in 2026
Even with awareness challenges, Cyber Essentials continues to be one of the UK’s most effective baseline security tools. The evidence shows:
- It protects against 80% of common cyber attacks
- It sets a minimum industry standard for suppliers
- It is increasingly required for tenders, grants, and public contracts
- It improves organisational awareness and accountability
- It reduces operational and insurance risk
But as cyber attacks grow more sophisticated — particularly phishing, credential theft, and cloud-based breaches — Cyber Essentials is becoming even more critical.
And that leads us to one of the biggest developments yet.
April 2026: Cyber Essentials v3.3 Brings Major Changes
From 27 April 2026, Cyber Essentials will introduce its most significant update in years through the new v3.3 (Danzell) assessment.
This update introduces stricter requirements, especially around identity, cloud security, and patching. These changes apply to all assessments created on or after this date.
The Biggest Changes Coming
- MFA becomes an automatic pass/fail requirement
  If a cloud service offers MFA (even as a paid add-on) and you haven’t enabled it, your assessment fails immediately.
  This applies to:
  - Microsoft 365
  - Google Workspace
  - Xero, Sage, QuickBooks
  - CRM systems
  - HR & payroll platforms
  - Any SaaS platform storing company data
  This is a major shift from previous versions where MFA was “strongly recommended.” In 2026, it becomes mandatory.
- All cloud services will be fully in scope
  For the first time, Cyber Essentials provides a formal definition of a cloud service and removes ambiguity entirely.
  If company data touches a cloud service, it must be included in scope.
  This includes:
  - SaaS (Microsoft 365, Google Workspace, HubSpot, Salesforce, Xero)
  - Cloud storage
  - Identity platforms
  - Any online tool accessed with company credentials
  Under v3.3, organisations cannot exclude cloud services, a significant change for many SMEs.
- Devices connected to the internet are now always in scope
  The update removes terms like “untrusted” or “user-initiated.”
  If a device connects to the internet in any way, it’s in scope.
  This includes:
  - Laptops and desktops
  - Remote worker devices
  - Mobiles and tablets
  - IoT systems
  - Operational or factory devices with internet connections
  This will expand scope for many businesses, particularly multi-site organisations and manufacturers.
- Clearer expectations for application development
  The “Web Applications” section becomes “Application Development”, aligning with the UK Government’s Software Security Code of Practice.
  Organisations must show evidence of:
  - Secure development
  - Patch management
  - Dependency management
  - Updated coding practices
- New emphasis on passwordless authentication
  v3.3 encourages passwordless methods such as:
  - Passkeys
  - FIDO2 security keys
  - Biometrics
  - Hardware tokens
  This aligns with broader industry moves away from password-only access.
- Stricter evidence and scoping requirements
  Businesses must now justify any exclusions and provide more detailed descriptions of network segmentation and scope boundaries.
  This reduces the ability to “scope around” difficult areas, a common issue historically.
Why Businesses Are Certifying Now (Before April 2026)
With stricter rules coming, many organisations are choosing to certify before April 2026 so they can:
- Complete certification under the existing, less demanding standard
- Avoid mandatory MFA failures
- Avoid broader cloud scoping
- Delay stricter patching expectations
- Maintain CE compliance for another 12 months before v3.3 applies
As SysGroup notes, completing certification before April allows organisations to certify under the current rules, avoiding the more complex v3.3 requirements.
For many SMEs, this is a strategic decision.
Final Thoughts: Why Cyber Essentials Still Matters in 2026
Cyber Essentials is changing — but its purpose remains the same:
To help organisations protect themselves from the most common and damaging cyber attacks.
With phishing, credential theft, and cloud compromise all rising, the core of Cyber Essentials has never been more relevant. And with v3.3 raising the bar from April 2026, now is the perfect time for organisations to assess their readiness.
Whether you’re certifying for the first time or renewing, IT365 can help you prepare for both the current standard and the upcoming changes — ensuring you stay compliant, resilient, and ready for what’s next.