
Cyber Essentials just got harder to pass — here's what changed

The April 2026 update adds auto-fail rules, including a hard 14-day deadline to patch critical security holes. Good preparation matters more than ever.

22 June 2026, 4 min read

Cyber Essentials, the government-backed certification that closes off the most common routes attackers use, was updated in April 2026. The headline for businesses: it's now stricter, with new rules that fail your assessment outright if you don't meet them. If you hold the certificate, or your clients and insurers ask you to, the bar you have to clear has moved up.

The big change: 14 days to patch critical holes

The most significant new rule is a hard deadline on security updates. High-risk or critical updates and vulnerability fixes, across operating systems, firewalls and router firmware, and applications, must now be installed within 14 days of release. Miss that window and it's an automatic fail, regardless of how strong the rest of your setup is. The reasoning is simple: most breaches exploit known holes that haven't been patched yet.
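As an added example (not from the article, nor Cobalt's own tooling), this Python check measures an update inventory against the 14-day rule. It assumes each record carries a severity, a vendor release date and an install date (or none); the assets, update identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)   # the article's rule: critical fixes within 14 days of release
IN_SCOPE = {"critical", "high"}     # the deadline applies to high-risk/critical updates only

@dataclass
class UpdateRecord:
    asset: str
    update_id: str              # vendor fix identifier (placeholder values below)
    severity: str               # critical / high / medium / low
    released: date              # date the vendor published the fix
    installed: Optional[date]   # None if not yet applied

def classify(rec: UpdateRecord, today: date) -> str:
    """Return 'pass', 'fail', 'due' or 'out_of_scope' for one record."""
    if rec.severity.lower() not in IN_SCOPE:
        return "out_of_scope"
    deadline = rec.released + PATCH_WINDOW
    if rec.installed is not None:
        return "pass" if rec.installed <= deadline else "fail"
    # Not yet installed: an outright fail once the deadline has passed, otherwise still due.
    return "fail" if today > deadline else "due"

def assess(records, today: date) -> dict:
    """Bucket records by outcome; a single 'fail' fails the whole assessment."""
    buckets = {"pass": [], "fail": [], "due": [], "out_of_scope": []}
    for rec in records:
        buckets[classify(rec, today)].append(rec)
    return buckets

SAMPLE = [  # constructed inventory: assets and update ids are made up for illustration
    UpdateRecord("fw-edge-01", "FW-UPD-0001", "critical", date(2026, 5, 1), date(2026, 5, 10)),
    UpdateRecord("laptop-17", "OS-UPD-0002", "critical", date(2026, 5, 1), date(2026, 5, 20)),
    UpdateRecord("mail-gw", "APP-UPD-0003", "high", date(2026, 5, 25), None),
    UpdateRecord("laptop-04", "APP-UPD-0004", "high", date(2026, 6, 15), None),
    UpdateRecord("laptop-04", "APP-UPD-0005", "low", date(2026, 4, 1), None),
    UpdateRecord("srv-db-02", "OS-UPD-0006", "high", date(2026, 5, 3), date(2026, 5, 17)),
]

def run_sample() -> dict:
    return assess(SAMPLE, date(2026, 6, 22))   # constructed date on which the check is run

if __name__ == "__main__":
    result = run_sample()
    for bucket, recs in result.items():
        print(f"{bucket:13}", [f"{r.asset}/{r.update_id}" for r in recs])
    print("ASSESSMENT:", "FAIL" if result["fail"] else "PASS")
```

Note that an uninstalled critical fix is only a fail once its 14-day window has closed; before that it is reported as due, which is the queue to work through before the assessment date.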

Tighter checks on multi-factor authentication

The update also changed how multi-factor authentication is assessed. MFA, the second step beyond a password, is the single most effective defence against account takeover, and the scheme now looks harder at whether it's actually in place where it should be. If you've turned it on patchily, this is the year that shows.

A new question set, same five controls

Behind the scenes, a new question set replaced the previous one, with updated definitions for cloud services, scoping, backups and user access. The five core controls at the heart of Cyber Essentials haven't changed (firewalls, secure configuration, access control, malware protection and keeping software up to date) but the way you have to prove you're doing them has tightened.

Why this is a good thing, even though it's harder

A stricter certificate is a more meaningful one. The 14-day patching rule in particular reflects how real attacks actually work, so meeting it cuts your risk rather than just earning a badge. The businesses that treat Cyber Essentials as real security, not a tick-box, were mostly doing these things already. For everyone else, the update is a useful push to close the gaps that matter most.

What this means for your business

If you certify this year, build in the new rules from the start: a reliable way to patch critical updates inside 14 days, and MFA switched on properly across email and key systems. We get businesses through Cyber Essentials by fixing the gaps first, so the certificate reflects real security that holds up, not a one-off effort that lapses the week after.
