
Everything you need to know about Cyber Essentials changes in 2026

We explore the changes to the Cyber Essentials accreditation scheme and how these changes impact charities, with insight from Qlic IT


The Cyber Essentials accreditation scheme continues to evolve to reflect the way organisations work today, and the 2026 updates bring some of the most significant changes in recent years.

 

The overall aim of these updates is consistency. Assessments are now tighter, expectations are clearer, and there is far less room for interpretation.

 

At Qlic IT, we’re already supporting charities through these changes, helping ensure they remain compliant while strengthening their overall cyber security.

 

Below, we explore what’s changing in more detail.

 


 

What’s changed in Cyber Essentials?

 

A tougher, clearer standard

 

Cyber Essentials is moving away from a tick-box exercise and towards a more realistic view of how organisations operate day-to-day.

 

Organisations must now show that:

  • Security controls are consistently applied
  • Processes are embedded into daily operations
  • Systems are genuinely secure, not just at the point of assessment

This shift means less reliance on last-minute fixes and more focus on long-term security practices.

 

 

MFA is now non-negotiable

 

Multi-Factor Authentication (MFA) is one of the biggest changes. MFA adds a second step to logging in to your accounts, making them that much more secure against cyber criminals.

If a system supports MFA, it must be enabled. There is no longer any flexibility:

  • Partial rollouts are not accepted
  • Protecting only admin accounts is no longer enough

This applies across:

  • Email platforms (Microsoft 365, Google Workspace)
  • CRM systems
  • Finance and HR tools
  • Remote access and admin portals

For most charities, this doesn’t require new tools, but it does require consistency. MFA must be switched on everywhere it’s available.

 

 

Cloud services are fully in scope

 

Another key change is the clear inclusion of cloud services. Any platform that stores or processes your data is now in scope, including:

  • Microsoft 365 and Google Workspace
  • Finance systems
  • HR platforms
  • Case management tools
  • Identity providers

This means charities need a clear understanding of:

  • What systems they use
  • Who has access
  • What security controls are in place

 

Patching expectations are tighter

 

Patching and vulnerability management haven’t changed in principle, but they are now assessed more strictly. High-risk vulnerabilities are expected to be addressed quickly, typically within 14 days.

 

Assessors will now look for evidence that:

  • Updates are part of routine operations
  • Systems are regularly maintained
  • All devices are included (including firewalls and network equipment)

The key message: patching should be proactive and ongoing, not reactive.

 

 

From “secure on the day” to “secure all the time”

 

Perhaps the biggest shift is how Cyber Essentials is viewed overall. It’s no longer about passing an assessment at a single point in time. Instead, it’s about whether your organisation is consistently secure.

 

This means:

  • No more narrow scoping to avoid risk
  • No temporary fixes
  • No policies that exist only on paper

For organisations already following best practices, this is a positive change. For others, it may highlight gaps, but ultimately leads to more resilient systems.

 

 

Cyber Essentials Plus has tightened too

 

Cyber Essentials Plus has also become more rigorous. The steps to becoming Cyber Essentials Plus certified have changed. The testing is now more thorough, more consistent, and more likely to identify gaps.

 

While this raises the bar, it also strengthens the value of certification, making it a more credible standard for funders, partners, and stakeholders.

 

 

How these changes impact charities

 

For most charities, these updates won’t require a complete overhaul, but they will require greater consistency and visibility.

 

You may need to:

  • Ensure MFA is enabled across all systems and users
  • Review all cloud services and bring them into scope
  • Improve patching processes and timelines
  • Tighten access controls and permissions
  • Gain better visibility of your IT environment

The focus is less on new technology and more on doing the basics properly, all the time.

 

 

Practical steps to prepare for changes to Cyber Essentials

 

To get ready for the updated Cyber Essentials requirements, charities should:

  • Review MFA across all systems: Make sure it’s enabled everywhere it’s available
  • Map your cloud services: Identify every system your organisation uses and confirm how it’s secured
  • Strengthen patching processes: Ensure updates are applied regularly and within expected timeframes
  • Check user access and permissions: Remove unnecessary admin rights and inactive accounts
  • Embed security into daily operations: Move away from one-off fixes and towards consistent, repeatable processes

 

 

Why Cyber Essentials still matters

 

Despite the changes, Cyber Essentials remains one of the most important frameworks for charities.

It helps your organisation protect sensitive data and systems, build trust with stakeholders and funders, reduce the risk of common cyber-attacks, and demonstrate a recognised level of security.

 

With these updates, it’s now an even stronger and more meaningful certification.

 

 

How Qlic IT can help

 

As an IASME-approved Certification Body and accredited Cyber Essentials assessor, Qlic IT can guide you through the updated requirements with confidence.

 

Qlic supports charities with:

  • Preparing for certification or renewal
  • Identifying and fixing gaps
  • Implementing best practices
  • Making the process straightforward and manageable

Whether you’re starting your Cyber Essentials journey or adapting to the new standards, Qlic IT are here to help.

 
