May 20, 2026

The New Cyber Essentials Requirements Explained for Businesses

Since the updated Cyber Essentials requirements came into effect on 27 April 2026, organisations are facing greater expectations around cloud security, identity protection, and ongoing cyber governance.

For businesses using platforms such as Microsoft 365, the changes are especially important. Security controls that may previously have been considered “best practice” are increasingly becoming mandatory requirements.

The updated standards place far greater emphasis on cloud security, multi-factor authentication, vulnerability management, and the ongoing governance of business systems and users.

For many organisations, this is no longer simply about passing a certification assessment. It is about ensuring that day-to-day security practices are aligned with how modern businesses operate.

According to guidance published by IASME, the changes reflect the growing importance of cloud security, identity protection, and continuous compliance as businesses increasingly operate in hybrid and cloud-first environments.

What Has Changed in Cyber Essentials?

The updated Cyber Essentials requirements introduced on 27 April 2026 include several significant changes that businesses should now be reviewing closely.

Multi-Factor Authentication Is Now Mandatory

One of the biggest changes is the requirement for MFA wherever it is available.

This means organisations relying solely on usernames and passwords for access to cloud services may no longer meet certification requirements.

This requirement now applies across all cloud services where MFA is available, including services such as:

  • Microsoft 365
  • Remote desktop and VPN access
  • Cloud applications
  • Email platforms
  • Business systems and portals

For businesses using Microsoft 365, this includes services such as:

  • Exchange Online
  • Teams
  • SharePoint
  • OneDrive

The reason for this change is clear. Identity-based attacks continue to be one of the most common methods used by cybercriminals. Password theft, phishing, and compromised accounts remain major causes of data breaches and ransomware incidents.

MFA significantly reduces this risk by requiring an additional verification step beyond just a password: a stolen or phished password on its own is no longer enough to sign in. It is worth noting that not all MFA methods are equal. Push notifications and SMS codes can still be captured by adversary-in-the-middle phishing kits or worn down through repeated prompts, so where a service offers phishing-resistant methods such as FIDO2 security keys or passkeys, those should be preferred for administrators first and all users over time.

Identity protection is now treated as a core requirement rather than an optional security enhancement. As organisations rely more heavily on cloud platforms such as Microsoft 365, this shift has also been highlighted in recent industry commentary from Infinigate UK & Ireland.
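
To make the MFA requirement concrete for a Microsoft 365 tenant, the following is an added example (not code from this article or from HAYNE.cloud) that creates a Conditional Access policy requiring MFA for all users on all cloud apps. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission. The policy name and the break-glass account ID are placeholders: substitute your own emergency-access account so you cannot lock yourself out if the MFA provider is unavailable. The policy is created in report-only mode so sign-in logs can be reviewed before it is enforced.

```powershell
# Added example: tenant-wide "require MFA" Conditional Access policy, report-only first.
# Assumes Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph -Scope CurrentUser).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Placeholder object ID of a dedicated emergency-access (break-glass) account.
# Exclude it so a broken MFA provider cannot lock every administrator out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName   = 'CE: Require MFA for all users on all cloud apps'
    # Report-only: evaluated and logged, but not enforced, until you have reviewed the impact.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    # Grant access only when MFA has been satisfied.
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Because the policy targets all users and all applications, legacy authentication protocols that cannot perform MFA (older IMAP, POP and SMTP AUTH clients) will be blocked once it is enforced. The report-only period is the time to find those clients and migrate or retire them rather than to add broad exclusions.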

Cloud Services Are Fully in Scope

Historically, some organisations treated cloud applications as separate from their core IT infrastructure when approaching Cyber Essentials assessments.

That has now changed.

The updated requirements place far greater focus on securing cloud environments properly, particularly where sensitive business data is being stored, accessed, or shared.

For businesses operating heavily within Microsoft 365, this means security configuration is increasingly important.

Areas likely to come under greater scrutiny include:

  • User access controls
  • Administrative permissions
  • Sharing settings
  • Device management
  • Conditional access policies
  • Data governance
  • Security monitoring

Simply having Microsoft 365 in place is no longer sufficient. Businesses are increasingly expected to demonstrate that the platform is configured securely and kept that way.

The updated framework also places greater emphasis on clearly defining assessment scope, particularly within hybrid and cloud-based environments. This reduces ambiguity around which systems, users, and services fall within certification boundaries.

Stricter Vulnerability and Patch Management Expectations

The revised standards also strengthen expectations around software updates and vulnerability management.

Unsupported or outdated systems present a growing compliance and security risk.

This is particularly relevant for organisations still relying on Windows 10 following the end of support on 14 October 2025.

Cyber Essentials certification assessments are now based on systems being supported at the point the certificate is issued. Organisations continuing to rely on unsupported operating systems or applications may therefore face additional compliance challenges moving forward.

The expectation is increasingly shifting away from annual compliance exercises and toward continuous security maintenance.

Cyber Essentials Is Becoming an Ongoing Security Commitment

One of the most significant changes within the updated framework is the growing emphasis on maintaining compliance throughout the certification period, rather than viewing Cyber Essentials as a once-a-year renewal.

Organisations are now expected to acknowledge responsibility for maintaining compliance continuously after certification has been achieved, reinforcing the shift toward ongoing security governance and operational accountability.

Businesses are increasingly expected to demonstrate:

  • Ongoing patch management
  • Continuous monitoring
  • Effective identity governance
  • Secure user access controls
  • Active management of cloud platforms

For many organisations, this represents a move away from “tick-box compliance” and toward a more operational and governance-led approach to cybersecurity.

Why These Changes Matter for Businesses

The impact of Cyber Essentials increasingly extends beyond the certification itself.

Many organisations now encounter Cyber Essentials requirements through:

  • Cyber insurance applications
  • Supply chain requirements
  • Public sector contracts
  • Client procurement processes
  • Data security reviews

Simultaneously, cyber threats continue to evolve.

Modern attacks are increasingly focused on exploiting users, identities, and cloud services rather than traditional on-premise infrastructure alone.

As businesses continue with hybrid working, cloud collaboration tools, and AI-powered services, the security perimeter has fundamentally changed.

This is one of the key reasons why Microsoft 365 security configuration, identity protection, and access governance are becoming far more important under Cyber Essentials.

Common Security Gaps Many Businesses Already Have

One of the challenges businesses will continue to face is that many security weaknesses are not always immediately visible during day-to-day operations.

Some of the most common gaps organisations currently face include:

  • MFA enabled only for administrators rather than all users
  • Excessive global administrator privileges
  • Shared user accounts
  • Weak password policies
  • Unmanaged personal devices accessing company systems
  • Outdated laptops and desktops
  • Inconsistent patch management
  • Overly permissive SharePoint or OneDrive sharing settings
  • Lack of visibility over external file sharing
  • Inadequate monitoring of suspicious login activity

In many cases, organisations believe they are operating securely because they have invested in cloud platforms such as Microsoft 365. However, the effectiveness of these platforms depends heavily on how they are configured, governed, and maintained.

What Businesses Should Be Doing Now

Although the updated requirements are now in effect, many organisations are still in the early stages of reviewing their readiness.

Practical steps businesses should be taking now include:

Review MFA Coverage

Ensure MFA is enabled consistently across:

  • Microsoft 365
  • Email accounts
  • Remote access systems
  • Cloud applications
  • Administrator accounts

Audit Microsoft 365 Security Settings

Review:

  • User permissions
  • Admin roles
  • External sharing policies
  • Conditional access rules
  • Device compliance settings

Identify Unsupported Devices and Software

Create visibility over:

  • Devices still running unsupported operating systems
  • Legacy software
  • Unpatched systems
  • Unmanaged endpoints

Strengthen Identity and Access Management

Review who has access to what, particularly:

  • Privileged accounts
  • Shared mailboxes
  • Third-party integrations
  • Access of former employees
  • External collaborators
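
The gaps listed under "Common Security Gaps Many Businesses Already Have" and the review steps above can largely be checked from the tenant itself. The script below is an added example (not code from this article or from HAYNE.cloud) that pulls a read-only readiness snapshot from Microsoft Entra ID using the Microsoft Graph PowerShell SDK: users without a registered MFA method, the number of Global Administrators, whether any enabled Conditional Access policy requires MFA, enabled accounts that have not signed in for 90 days, enabled guest accounts, and Windows devices still on Windows 10 or older builds. It assumes the SDK is installed, the signed-in account can consent to the listed read scopes, and the tenant has an Entra ID P1 or P2 licence (required for the sign-in activity data). The 90-day window and the "fewer than five Global Administrators" threshold are the script's own choices; Microsoft's guidance is to keep Global Administrators under five, and Windows 11 builds start at 10.0.22000, so any lower Windows build is Windows 10 or earlier.

```powershell
# Added example: Cyber Essentials readiness snapshot for a Microsoft 365 / Entra ID tenant.
# Assumes: Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph -Scope CurrentUser),
# and a signed-in account that can consent to the read-only scopes below.
$scopes = @('User.Read.All', 'Directory.Read.All', 'Policy.Read.All', 'AuditLog.Read.All',
            'UserAuthenticationMethod.Read.All', 'Device.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Area, $Severity, $Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; Severity = $Severity; Detail = $Detail })
}

# 1. MFA coverage: every enabled member account should have an MFA method registered,
#    not only administrators. SignInActivity needs an Entra ID P1/P2 licence (assumed).
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$regByUpn = @{}
foreach ($r in $registration) { $regByUpn[$r.UserPrincipalName.ToLower()] = $r }

$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, SignInActivity
$enabledMembers = $users | Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' }
foreach ($u in $enabledMembers) {
    $r = $regByUpn[$u.UserPrincipalName.ToLower()]
    if (-not $r -or -not $r.IsMfaRegistered) {
        Add-Finding 'MFA' 'High' "No MFA method registered: $($u.UserPrincipalName)"
    }
}

# 2. Privileged access: Global Administrator membership (Microsoft recommends fewer than five).
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($gaRole) {
    $gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
    $gaUpns = @($gaMembers | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } | Where-Object { $_ })
    if ($gaUpns.Count -ge 5) {
        Add-Finding 'Privilege' 'Medium' "$($gaUpns.Count) Global Administrators: $($gaUpns -join ', ')"
    }
}

# 3. Conditional Access: at least one enabled policy must grant access only with MFA.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $mfaPolicies) {
    Add-Finding 'ConditionalAccess' 'High' 'No enabled Conditional Access policy requires MFA'
}

# 4. Stale identities: enabled accounts with no sign-in in 90 days (leavers, forgotten test accounts).
$cutoff = (Get-Date).AddDays(-90)
foreach ($u in $enabledMembers) {
    $last = $u.SignInActivity.LastSignInDateTime
    if ($null -eq $last -or $last -lt $cutoff) {
        Add-Finding 'Identity' 'Medium' "Enabled account with no sign-in since '$last': $($u.UserPrincipalName)"
    }
}

# 5. External collaborators: enabled guest accounts that should be reviewed and removed when no longer needed.
$guests = @($users | Where-Object { $_.UserType -eq 'Guest' -and $_.AccountEnabled })
if ($guests.Count -gt 0) {
    Add-Finding 'Identity' 'Info' "$($guests.Count) enabled guest accounts to review"
}

# 6. Devices: Windows build numbers below 22000 are Windows 10 or earlier (Windows 11 starts at 10.0.22000).
$devices = Get-MgDevice -All -Property DisplayName, OperatingSystem, OperatingSystemVersion, IsManaged, IsCompliant
foreach ($d in $devices | Where-Object { $_.OperatingSystem -like 'Windows*' }) {
    $build = ($d.OperatingSystemVersion -split '\.')[2] -as [int]
    if ($build -and $build -lt 22000) {
        Add-Finding 'Devices' 'High' "Windows 10 or older (build $build): $($d.DisplayName)"
    }
    if (-not $d.IsManaged) {
        Add-Finding 'Devices' 'Medium' "Unmanaged device registered in the tenant: $($d.DisplayName)"
    }
}

$findings | Sort-Object Severity, Area | Format-Table -AutoSize
$findings | Export-Csv -Path .\ce-readiness.csv -NoTypeInformation
```

The output is a starting point for the reviews above rather than evidence of compliance on its own: a registered MFA method only helps if a policy actually enforces it (check 3), and a device that is absent from Entra ID, such as a personal laptop used only through a browser, will not appear in check 6 at all. SharePoint and OneDrive external sharing settings live in the SharePoint admin centre rather than in Entra ID and need a separate review.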

Improve Ongoing Security Governance

Cybersecurity is increasingly becoming an ongoing operational process rather than a once-a-year tick box exercise. Businesses should focus on maintaining strong security governance through regular security reviews, user awareness training, monitoring and reporting, clearly defined policies, and well-maintained documentation. Cyber Essentials is now placing greater emphasis on consistent and sustainable security practices across the organisation.

Final Thoughts

The updated Cyber Essentials framework reflects a wider shift in how organisations are expected to manage cybersecurity.

The focus is moving beyond basic perimeter protection and toward identity security, cloud governance, and continuous risk management.

For businesses using Microsoft 365, this makes security configuration and governance more important than ever.

While many organisations are still adapting to the updated requirements, early action is likely to make compliance significantly easier and reduce wider security risks at the same time.

At HAYNE.cloud, we work with organisations to help simplify Microsoft 365 security, improve governance, and support businesses in building secure and manageable cloud environments for the future. As a Cyber Essentials certified business ourselves, we understand the importance of maintaining practical, scalable security standards that support both compliance and day-to-day operations.

If your organisation has questions around the updated Cyber Essentials requirements, Microsoft 365 security, or what the changes could mean in practice, our team would be happy to have a conversation and help you better understand the next steps for your environment.
