Why Cyber Essentials Plus Matters More Than Ever in 2026
Security has a credibility problem: it is easy to say you are secure, and much harder to prove it. Cyber Essentials Plus exists to close that gap. With the scheme due an update on 27 April 2026, now is a good moment for UK organisations to understand what it is and why it matters.
The threat is not slowing down
The government’s most recent Cyber Security Breaches Survey makes the case plainly:
- 43% of UK businesses reported a breach or attack in the last 12 months, roughly 612,000 businesses.
- For medium (67%) and large (74%) businesses, a breach is now the norm rather than the exception.
- Phishing is the biggest problem by far. Of the businesses that were breached, 85% were hit by phishing, making it both the most common and the most disruptive type of attack.
- The average cost of the most disruptive breach was £3,550 once incidents with no recorded cost are set aside, before you count reputational or contractual damage.
Against that backdrop, the five technical controls behind Cyber Essentials (firewalls, secure configuration, security update management, user access control, and malware protection) are not box-ticking. The NCSC designed them to stop the common, opportunistic attacks that make up the bulk of breaches.
Cyber Essentials vs Cyber Essentials Plus: the difference is proof
Standard Cyber Essentials is a verified self-assessment. You answer the questions, an assessor reviews them, and you certify. It is a strong, affordable foundation, but it relies on your word that the controls are in place.
Cyber Essentials Plus adds independent, hands-on testing. A qualified assessor audits your systems directly, checking that patches are applied, that malware protection works, and that access controls hold up. Same five controls, a much higher standard of assurance.
That is why CE+ has become a common requirement for:
- Government and public sector contracts involving personal or financial data
- MOD and defence supply chains
- NHS and healthcare suppliers
- A growing number of enterprise procurement frameworks, where buyers want evidence rather than assurances
Increasingly, organisations without CE+ are filtered out before anyone reads their proposal.
The business case beyond compliance
Certification pays back in ways that go beyond winning tenders:
- Demonstrable trust. CE+ gives customers, partners, insurers, and regulators independent proof that you take security seriously.
- Free cyber insurance. UK-based organisations with annual turnover under £20m that certify their whole organisation are automatically entitled to cyber liability insurance arranged through IASME, including 24/7 incident response support. You need to opt in, and the standard cover starts at a £25,000 limit.
- A genuine reduction in risk. To mark the scheme’s tenth anniversary in 2024, the NCSC reported that organisations with Cyber Essentials are 92% less likely to make a cyber insurance claim. That figure comes from the insurer that provides the cover, so treat it as indicative, but the direction is clear: doing the basics well reduces your exposure.
What is changing in April 2026
From 27 April 2026, new assessment accounts will be tested against version 3.3 of the NCSC requirements, using the new “Danzell” question set (published 13 February 2026). IASME describes most of the update as clarifications rather than a major overhaul, but one change has real teeth:
- MFA becomes mandatory for cloud services, with no exceptions. If multi-factor authentication is available for a cloud service, it must be on, even where it is only offered on a paid tier. Not having it is now an automatic fail. IASME has acknowledged this could have a substantial impact on compliance for many organisations.
- Cloud services cannot be left out of scope. The update adds a formal definition of a cloud service and makes clear that anything storing or processing your data is in scope.
- Passwordless authentication is encouraged. Passkeys are now recommended as a more secure alternative to traditional passwords.
- Tighter CE+ rules. You can no longer adjust your verified self-assessment based on the results of the technical audit. It needs to be accurate before the audit begins.
Other long-standing requirements, such as installing critical and high-risk updates within 14 days, are not changing. They remain a pass-or-fail part of the scheme, as they have been for years.
What this means for you
If you are certifying or recertifying in 2026, a few practical steps will save you trouble:
- Check your MFA coverage now, across every user and every cloud service. If a platform supports it, assume it will be expected.
- Map your full cloud footprint. Anything that stores or processes your data is in scope.
- Keep your patching tight. Critical and high-risk updates within 14 days, with evidence to show it.
- Get your self-assessment right first time, because there is no room to correct it after the CE+ audit.
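The two checks above that most often trip organisations up, MFA coverage and the 14-day patch window, can be run over an exported inventory before the assessor arrives. The script below is an added illustration, not IASME or NCSC tooling; the service names, hosts and update ids are constructed sample data, and the two functions return the gaps an assessor would flag.

```python
"""Cyber Essentials readiness check over a constructed inventory (added example,
not IASME/NCSC tooling). Checks two 2026 rules: MFA must be on for every cloud
service that offers it, and critical/high updates must be installed within 14 days."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # critical/high updates: 14 days from release

# Constructed sample data: one row per (cloud service, user). Service and user
# names are hypothetical. "crm-saas" offers MFA only on a paid tier; the 2026 rule
# still requires it, so it is recorded as available.
CLOUD_SERVICES = [
    {"service": "mail-saas", "user": "alice", "mfa_available": True, "mfa_enabled": True},
    {"service": "mail-saas", "user": "bob", "mfa_available": True, "mfa_enabled": False},
    {"service": "crm-saas", "user": "alice", "mfa_available": True, "mfa_enabled": False},
    {"service": "legacy-ftp", "user": "bob", "mfa_available": False, "mfa_enabled": False},
]

# Constructed sample data: update ids are placeholders, not real vendor ids.
# installed=None means the update is still outstanding.
UPDATES = [
    {"host": "ws01", "id": "UPD-EXAMPLE-1", "severity": "critical",
     "released": date(2026, 3, 1), "installed": date(2026, 3, 10)},
    {"host": "ws02", "id": "UPD-EXAMPLE-1", "severity": "critical",
     "released": date(2026, 3, 1), "installed": None},
    {"host": "ws02", "id": "UPD-EXAMPLE-2", "severity": "low",
     "released": date(2026, 2, 1), "installed": None},
    {"host": "srv01", "id": "UPD-EXAMPLE-3", "severity": "high",
     "released": date(2026, 3, 1), "installed": date(2026, 3, 20)},
]


def mfa_gaps(records):
    """Return (service, user) pairs where MFA is offered but not enabled.
    Services with no MFA at all are not gaps under this rule, but they are
    still in scope and worth listing separately."""
    return [(r["service"], r["user"]) for r in records
            if r["mfa_available"] and not r["mfa_enabled"]]


def patch_failures(records, today):
    """Return (host, update id) for critical/high updates applied more than
    14 days after release. Outstanding updates are measured against `today`,
    so they become failures the day the window closes."""
    failures = []
    for r in records:
        if r["severity"] not in ("critical", "high"):
            continue  # lower severities are outside the 14-day rule
        applied = r["installed"] or today
        if applied - r["released"] > PATCH_WINDOW:
            failures.append((r["host"], r["id"]))
    return failures
```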
Organisations with an account created before 27 April 2026 get a 6-month window to certify under the current requirements, but the new standard is where the market is heading regardless.
The bottom line
Cyber Essentials Plus has always been about one thing: turning a security claim into security evidence. The 2026 update sharpens that, particularly on multi-factor authentication. For UK organisations that handle sensitive data, bid for public sector work, or simply want to prove their defences hold up, CE+ is fast becoming the baseline rather than the advanced option.
Talk to our team about a Cyber Essentials Plus readiness check before the April 2026 changes land.