Key Changes to Cyber Essentials: April 2026

Changes are coming to Cyber Essentials in April 2026

Cyber Essentials is a UK government-backed certification designed to help organisations protect themselves against common cyber threats. It sets out a baseline of security controls that every organisation should implement to safeguard data and systems.

From April 2026, Cyber Essentials will introduce version 3.3 – codenamed Danzell – which brings important changes to the standard.

If you currently hold Cyber Essentials certification or are working towards it, here are a couple of the most important upcoming changes to be aware of:

Change 1: “Cloud Service” is now defined

The definition of a cloud service is now formally included in the standard:

“Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes) and will store or process data for your organisation.

If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.”

This change significantly expands the scope of applications subject to Cyber Essentials requirements. Public applications are now included—even if you don’t have administrative control of user accounts. Simply having an account is enough to bring the application into scope.

Example: If your organisation uses a third-party website to host and receive job applications, that service is now in scope for Cyber Essentials.

Change 2: MFA is mandatory for cloud services

Multi-Factor Authentication (MFA) is now a mandatory requirement for cloud services where it is supported. This includes:

  • Applications that support MFA natively
  • Services integrated with Single Sign-On (SSO) that supports MFA
  • Paid-for MFA add-ons

If MFA is available, it must be implemented for all users and administrators. Failure to configure MFA will result in non-compliance.

Cloud services that do not support MFA will not cause an automatic failure, but assessors will validate this claim and record the application as non-compliant, recommending that you consider an alternative vendor.

Our recommendation: Ensure all cloud services support Single Sign-On to simplify MFA implementation, improve user experience, and reduce administrative overhead.

Preparing for Cyber Essentials v3.3

These changes mean organisations should review their cloud services and MFA configurations well ahead of April 2026.

You can read the full updated requirements in the official Cyber Essentials Requirements v3.3 documentation.

How Chorus can help with the Cyber Essentials changes in 2026

At Chorus, we help organisations prepare for Cyber Essentials certification through our Cyber Essentials consultancy services. Our experts guide you through the requirements, assess your current setup, and help you achieve compliance efficiently.

If you need help understanding the Cyber Essentials April 2026 changes, Chorus is ideally placed to support you in working towards Cyber Essentials readiness and certification.

About Chorus and Cyber Essentials

Chorus is a Microsoft Solutions Partner providing IT services for organisations that use Microsoft technology, including managed IT services and cyber security services. We work with organisations to deliver secure, modern technology environments that enable productivity and resilience.