Cyber Essentials 2026 Update: How UK Businesses Can Secure Cloud Services and Pass Certification
Written By: Rob Stevenson, Founder
From 27th April 2026, Cyber Essentials introduces key updates that UK businesses cannot ignore. The most notable change is the inclusion of cloud services in scope, marking a significant shift in how organisations must demonstrate cybersecurity compliance.
While the five core controls remain, the new rules emphasise clearer expectations, stronger evidence, and practical measures to protect organisational data across both on-premise and cloud environments.
Key Changes to Cyber Essentials
1. Multi-Factor Authentication is now compulsory
Any cloud service that offers MFA must have it enabled for every user. Even if MFA is a paid feature, leaving it disabled will result in a failed assessment.
2. Cloud services are fully in scope
Services accessed with a work login that store or process company data, such as Microsoft 365, Google Workspace, and finance or CRM systems, are now included. Organisations can no longer exclude cloud platforms from their assessment.
3. Clearer scoping rules
All internet-capable devices and systems must be considered in scope unless there is a strong technical reason to exclude them. Exclusions must be documented and justified.
4. Greater emphasis on passwordless authentication
Passkeys and security keys are encouraged as more secure alternatives to traditional passwords.
5. Stronger guidance on backups
While still outside the five core controls, sensible backup practices are now more explicitly recommended, including off-device storage and disconnecting removable media when not in use.
Practical Steps for Businesses
- Review cloud services – List all services accessed with work credentials, ensure MFA is enabled, and check default settings for admin roles and data access.
- Check device connections – Confirm all devices comply with the five core controls and that any internet-capable system is included in scope.
- Strengthen authentication – Introduce passwordless options and limit administrative privileges.
- Improve backup practices – Keep backups separate from primary systems and test recovery regularly.
- Document your setup – Maintain records of configurations, patching, and user access, and explain any justified exclusions.
For UK businesses, these updates are not just about compliance; they are about practical protection against increasingly sophisticated cyber threats. Cloud systems, now firmly in scope, must be treated with the same diligence as on-premise infrastructure.
At BackupVault, we help businesses stay secure, resilient, and ready for certification. Our cloud backup solutions and expert guidance ensure that your data is protected and that your Cyber Essentials preparation is straightforward.
Get ahead of the April 2026 changes and safeguard your organisation with BackupVault.
