Cyber Essentials Requirements Update

The requirement for MFA is already a part of Cyber Essentials, however this latest update introduces a shift in expectations in that, if a cloud service offers MFA, it must be enabled or an automatic failure will be given.  Under the current guidelines, if MFA is not implemented a major noncompliance will be awarded, but the assessment can still be passed.

From April, if you do not implement MFA on cloud services that offer it, whether native to the cloud service, free, connected through another service, or as a fee-paying option, you will be unable to pass the Cyber Essentials assessment.

IASME has provided an updated definition of cloud services, with the aim of enhancing clarity and removing the ambiguity that most applicants currently struggle with when assessing what counts as a cloud service and whether the cloud services they use are scope.  It also reinforces the requirement that cloud services cannot be excluded from scope.  The new definition is as follows:

‘Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes), and will store or process data for your organisation.

If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.’

For applicants that use any form of cloud service, it will be important to ensure that all services are listed in your response to question A2.9.

The new ‘Requirements for IT Infrastructure’ document updates another area that has previously been considered ambiguous and constantly challenged, i.e., the scoping requirements.  Currently, the document is worded in such a way that there is a grey area around untrusted internet-connected hosts and user-initiated outbound connections to devices via the internet.  The updates look to provide clarity on which devices are in scope by removing complex wording and simplifying these statements.

Any organisations that have previously removed devices from scope because they were classed as not establishing user-initiated outbound connections, or because the device they accepted internet connections from was 'trusted', will no longer be able to descope these.  The incoming guidelines confirm that the requirements apply to all devices that meet the following criteria:

• Can accept incoming network connections from internet-connected devices
• Can establish outbound connections to devices via the internet
• Control the flow of data between any of the above devices and the internet.

The guidance for web applications has been updated and now refers to the UK Government’s Software Security Code of Practice rather than OWASP, and has also been renamed to ‘Application Development’ rather than web applications.  The Software Security Code of Practice consists of 14 principles, and software vendors are expected to implement these to establish a consistent baseline of software security and resilience across the market.

It should be noted that this is only guidance, and the requirements for what is in scope of Cyber Essentials has not changed.  Apps developed in-house and bespoke or custom components of web applications that are not publicly available commercial web applications are still out of scope.

This section has been updated to increase emphasis on passwordless authentication and MFA with the promotion of passkeys, which the National Cyber Security Centre (NCSC) would like to become the default authentication recommendation.  The changes also include a paragraph detailing common examples of passwordless authentication.

Passwordless authentication has been on the horizon for a while, with Bill Gates predicting the phase-out of passwords as far back as 2004 and declaring that they are a weakness and could not be relied upon.  For many applicants, the switch to passwordless will be ongoing.  UAC is a complex topic and, with users often having an increasingly large number of devices and accounts, the management of passwords is becoming a significant burden.

Nothing has changed in the wording of this section, but it has been repositioned within the guidance document to emphasise the importance of having backups in place, as this enables organisations to recover quickly in the event of a cyber incident.  Whilst backing up organisational data is still not a mandatory requirement of Cyber Essentials, recent high-profile cyber attacks have demonstrated just how devastating the lack of backups can be.

The latest update to the Cyber Essentials requirements reflects IASME’s ongoing commitment to ensuring the scheme remains relevant and effective in the face of evolving cyber threats.  With the new requirements coming into effect in April 2026, now is the time to identify gaps and plan any necessary adjustments.  Staying ahead of these updates not only allows you to maintain compliance, but also strengthen your organisation’s overall security posture.

Read the full ‘Requirements for IT Infrastructure’ document.