No MFA? No Certification. The Cyber Essentials Rule That Changes Everything
Right, let me give you my take on these April 2026 Cyber Essentials changes.
Pull up a chair.
The Good News
IASME and the NCSC have done something rare in government circles: they've made sensible updates. These changes fix real problems I've been moaning about for years.
The MFA mandate is brilliant. About bloody time. I've spent 40 years watching companies ignore basic authentication security, and this change removes the wiggle room. If your cloud service offers MFA (free or paid) and you're not using it, you fail. Full stop. No excuses. No "but we're too small." No "we'll get to it next quarter."
This is exactly the kind of hard line I advocated for when I was at Disney. You can't make security optional and expect people to choose it. They won't. Human nature doesn't work that way.
The cloud service definition is overdue. For three years I've watched companies play stupid games trying to exclude Office 365 or Google Workspace from their scope. "Oh, that's just email, not really a cloud service, is it?" Yes, it is. Always was. Now there's no debate. Your data lives in someone else's infrastructure? It's in scope. End of discussion.
The scoping language cleanup is smart. Removing "untrusted" and "user-initiated" as qualifiers means fewer arguments with assessors about whether your CEO's personal iPad counts. It connects to the internet? It processes company data? It's in scope. Simple.
The Excellent Bit
The passwordless authentication emphasis, particularly around passkeys, shows the NCSC is actually paying attention to where authentication technology is heading rather than fighting yesterday's battles.
I've been banging on about FIDO2 authenticators since my Intel days. Passkeys are the consumer-friendly version of what we were building in enterprise security five years ago. They're faster than passwords, stronger than SMS codes, and resistant to phishing by design: the credential is bound to the genuine site's origin, so a lookalike login page gets nothing it can replay. Getting them into the Cyber Essentials requirements puts them in front of 100,000+ UK businesses who need to hear about them.
The Reality Check
Here's where my enthusiasm takes a hit.
The MFA mandate will cause chaos. Not because it's wrong. Because thousands of UK small businesses have been skating by with terrible security, and this change will expose exactly how unprepared they are. I'll be dealing with the fallout in my MSP role.
Some quick maths for you: if even 30% of the 100,000+ current Cyber Essentials holders don't have MFA properly configured (and I'd bet it's higher), that's 30,000+ businesses facing potential failure when they try to renew. Six months' notice isn't generous when you're a 12-person company with no IT staff and "Dave from accounts who's good with computers."
The cloud service definition, while correct, will hurt. Many small businesses have cobbled together cloud services without proper account management. Personal Gmail addresses accessing company Dropbox. Shadow IT everywhere. The new definition forces them to bring all of that into scope or properly segregate it. Both options cost money and time most SMBs don't have.
The scoping requirements, though clearer, are stricter. Explaining what you've excluded and how you've segregated networks? That assumes a level of network documentation most small businesses simply don't possess. I've seen 50-person companies running on a single flat network with zero segmentation. They'll need professional help to even map their infrastructure, let alone justify exclusions.
What This Means for Real Businesses
If you're certified now and haven't implemented MFA everywhere it's available, you've got until April 27, 2026 to sort it. Assessments started on or after that date are marked against the new requirements, and an in-scope cloud service without MFA enabled is an automatic fail, whether it's a first certification or a renewal.
For most of you, this means:
Microsoft 365: Enable MFA for every user, not just admins, immediately if you haven't already
Google Workspace: Same
Your accounting software: Check if it offers MFA and enable it
Your CRM: Check and enable
Your project management tools: Check and enable
Every. Single. Cloud. Service.
The "it costs extra" excuse won't work anymore. If MFA is available at any price point, you need it enabled or you fail. The scheme has decided (correctly) that the cost of enabling MFA is less than the cost of getting hacked.
The Practical Advice
Start now. Not in March 2026. Now. Here's your action plan:
First: Make a list of every cloud service your business uses. Include the ones your staff use that you don't officially know about. Ask your team. You'll be horrified at what you discover.
Second: For each service, check if MFA is available. Most modern cloud services offer it. Some charge extra. Budget for it.
Third: Enable MFA on everything. Start with your most critical services (email, accounting, banking) and work down the list.
Fourth: Document what you've done. Screenshot your MFA settings. Save the evidence. Your assessor will want to see it.
Fifth: Deal with the cloud services that can't be properly secured. Either migrate to better alternatives or accept that they'll cause problems with your certification.
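Here is one way to do the "check" and "document" steps for a Microsoft 365 tenant without clicking through every user in the admin centre. This is an added example, not code from the post or from IASME or the NCSC. It reads the Microsoft Graph authentication-methods registration report, buckets users by whether they have MFA registered at all and whether any registered method is phishing-resistant (FIDO2 keys, passkeys, Windows Hello), and writes a plain-text summary to keep alongside your settings screenshots. The GRAPH_TOKEN environment variable name, the example.co.uk accounts and the sample rows are assumptions; the method names follow the report's methodsRegistered values.

```python
"""Audit MFA registration across a Microsoft 365 tenant and produce the
evidence an assessor asks for.  Added example, not from the original post.

With a bearer token in GRAPH_TOKEN (assumed name) it reads the live
Microsoft Graph report; without one it runs over a constructed sample in
the same shape, so it can be tried offline.
"""
import json
import os
import urllib.request

GRAPH_REPORT = ("https://graph.microsoft.com/v1.0/reports/"
                "authenticationMethods/userRegistrationDetails")

# Graph 'methodsRegistered' values that are phishing-resistant.  Push,
# TOTP, SMS and voice still count as MFA for the scheme, but an
# adversary-in-the-middle page can relay them.
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness",
                      "passKeyDeviceBound",
                      "microsoftAuthenticatorPasswordless"}

# Constructed sample rows (not real tenant data) in the report's shape.
SAMPLE_REPORT = [
    {"userPrincipalName": "ceo@example.co.uk", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "dave@example.co.uk", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "finance@example.co.uk", "isAdmin": False,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "it-admin@example.co.uk", "isAdmin": True,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
]


def fetch_report(token):
    """Pull every page of the live report, following @odata.nextLink."""
    rows, url = [], GRAPH_REPORT
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return rows


def classify(rows):
    """Bucket users: no MFA registered (a Cyber Essentials fail), MFA via
    phishable methods only (passes, worth upgrading), or at least one
    phishing-resistant method registered."""
    buckets = {"no_mfa": [], "mfa_phishable": [], "phishing_resistant": []}
    for row in rows:
        upn = row["userPrincipalName"]
        methods = set(row.get("methodsRegistered", []))
        if not row.get("isMfaRegistered"):
            buckets["no_mfa"].append(upn)
        elif methods & PHISHING_RESISTANT:
            buckets["phishing_resistant"].append(upn)
        else:
            buckets["mfa_phishable"].append(upn)
    return buckets


def admins_without_mfa(rows):
    """Admin accounts with no MFA registered: fix these first."""
    return [r["userPrincipalName"] for r in rows
            if r.get("isAdmin") and not r.get("isMfaRegistered")]


def evidence(rows):
    """Plain-text summary to file with the MFA settings screenshots."""
    b = classify(rows)
    admins = ", ".join(admins_without_mfa(rows)) or "none"
    return "\n".join([
        f"Users checked: {len(rows)}",
        f"No MFA registered (must fix before assessment): {len(b['no_mfa'])}",
        f"MFA via phishable methods only: {len(b['mfa_phishable'])}",
        f"Phishing-resistant method registered: {len(b['phishing_resistant'])}",
        f"Admins without MFA: {admins}",
    ])


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed variable name
    report = fetch_report(token) if token else SAMPLE_REPORT
    print(evidence(report))
    for upn in classify(report)["no_mfa"]:
        print("FAIL:", upn)
```

Two caveats before you file the output as evidence. Registration is not enforcement: a user can have a phone registered while nothing actually requires the second factor at sign-in, so pair this with a screenshot of the Conditional Access policy or security defaults that enforce MFA. And the report is only Microsoft 365; for Google Workspace the Admin SDK Directory API user records carry the equivalent isEnrolledIn2Sv and isEnforcedIn2Sv flags, and every other cloud service on your inventory still needs its own check.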
The Bigger Picture
These changes show the government understands something crucial: Cyber Essentials can't remain static while threats accelerate. The scheme exists to protect businesses from common attacks. Those attacks are getting more sophisticated. The baseline needs to rise accordingly.
I've defended Cyber Essentials against critics who call it "tick-box security." It's not perfect, but it forces thousands of businesses to implement basic protections they'd otherwise ignore. These updates make it better. Harder, yes. But better.
The MFA mandate alone will prevent more breaches than any amount of security awareness training. Authentication is the front door to your business. We're finally requiring proper locks.
My Prediction
Come May 2026, the Cyber Essentials assessment pass rate will drop. Possibly significantly. Businesses that cruised through previous years will fail. There will be complaints. There will be businesses claiming the scheme is "too difficult now" or "unrealistic for small companies."
Ignore them. They're wrong.
What's unrealistic is expecting to protect your business with 2015 security practices against 2026 threats. What's too difficult is recovering from a ransomware attack because you wouldn't enable free MFA on your email.
The cost of prevention remains less than the cost of recovery. Always has been. Always will be.
What I'm Telling My Clients
Get ahead of this. Don't wait until your certification renewal is three weeks away and panic. The businesses that prepare now will sail through. The ones that wait will struggle.
If you need help auditing your cloud services, mapping your MFA status, or working out what these changes mean for your specific setup, now's the time to ask. Six months sounds like ages. It isn't. Particularly for businesses operating on shoestring IT budgets with minimal technical expertise.
These changes are good for UK business security. They'll be painful for unprepared businesses. Which category you end up in depends entirely on what you do in the next few months.
Start now.
| Source | Document/Article | Key Information | 
|---|---|---|
| IASME | Upcoming Changes to the Cyber Essentials scheme: April 2026 Update | Official announcement of April 2026 changes including mandatory MFA requirement | 
| NCSC | Cyber Essentials Requirements for IT Infrastructure v3.3 | Updated requirements document with new cloud service definitions and MFA requirements | 
| NCSC | Cyber Essentials Resources | Official Cyber Essentials scheme documentation and resources | 
| IASME Knowledge Hub | MFA or bust: Why skipping multi-factor authentication is a critical mistake | Detailed explanation of the MFA requirement changes and implementation guidance | 
| UK Government | Software Security Code of Practice | Referenced in updated application development requirements | 
Note: All information current as of November 2025. Changes effective April 27, 2026 for all new assessment accounts. Always refer to official NCSC and IASME documentation for the most current requirements.