Cyber Essentials 2026: What's Changed and Why Irish SMEs Should Now Certify

The Cyber Essentials scheme updated in 2026 with stronger MFA requirements, cloud controls, and home working guidance. Here's what's changed and why Irish SMEs in UK supply chains should certify.

Cyber Essentials 2026: What's Changed and Why Irish SMEs Should Now Certify

Cyber Essentials is a UK government-backed certification scheme that has quietly become a meaningful requirement for businesses selling into the UK market. If your Irish SME supplies products or services to UK public sector organisations, or if you want a credible, low-cost baseline security certification, the 2026 changes to the scheme deserve your attention.

What Cyber Essentials Is

Cyber Essentials is a technical security certification focused on five core controls:

  1. Firewalls — boundary protection and internet-facing device configuration
  2. Secure configuration — removing unnecessary software and default settings
  3. User access control — least privilege, account management, and administrative access restrictions
  4. Malware protection — anti-malware controls and application allowlisting
  5. Patch management — keeping software and operating systems up to date

The scheme comes in two tiers:

  • Cyber Essentials (CE): A self-assessment questionnaire verified by an accredited certification body. You answer questions about your technical controls, a certifier reviews your answers, and if they pass, you receive the certificate.
  • Cyber Essentials Plus (CE+): The same five controls but with external technical verification — a certifier conducts vulnerability scans and tests your systems to confirm the controls actually operate as you described.

CE costs approximately £400–£600 for most small organisations through an IASME-accredited certifier. CE+ typically runs £1,500–£3,000 depending on scope and the size of your infrastructure.

Why It Matters to Irish SMEs

The UK government has required Cyber Essentials certification for all suppliers handling personal data or delivering technical services under government contracts since 2014. That mandate has held and expanded. Many UK local authorities, NHS trusts, and government agencies now extend the requirement through their own supply chains.

For Irish SMEs with UK public sector clients — or those tendering into that market — the question is not whether to engage with Cyber Essentials but whether your current certificate (if you have one) remains valid under the updated scheme.

Even for Irish businesses with no UK public sector exposure, Cyber Essentials has value as a baseline hygiene certification. It covers the controls that protect against the majority of opportunistic cyberattacks: commodity malware, phishing-enabled account compromise, and exploitation of unpatched systems. Achieving CE demonstrates that you have addressed the basics, which increasingly carries weight in procurement conversations regardless of geography.

What Changed in 2026

The NCSC and IASME updated the Cyber Essentials technical requirements in early 2026. The changes reflect how working environments have shifted — more cloud, more remote work, more personal devices — and where the scheme had fallen behind modern attack patterns.

Password and authentication requirements

The password requirements have been tightened. The scheme now mandates minimum password lengths of 12 characters (up from 8) for accounts without MFA. More significantly, the scope of mandatory MFA has expanded. MFA is now required for all administrator accounts and for all user accounts accessing cloud services. If your organisation uses Microsoft 365, Google Workspace, or any SaaS platform and your users are not protected by MFA, you will fail the assessment.

Cloud service controls

Cloud environments receive substantially more attention in the 2026 updates. The previous scheme treated cloud services inconsistently. The 2026 requirements explicitly bring cloud-hosted services into scope and define expectations for cloud asset configuration, administrative account controls, and data segregation. If you run workloads on AWS, Azure, or GCP, those environments are now firmly in scope.

Home working and personal devices

Where a permanent home working setup is used for business, the router at that location falls into scope. The updated requirements also tighten the rules around personal devices (BYOD) — if personal devices access business data or systems, they must meet the scheme's technical controls.

Asset management

The 2026 update adds clearer requirements around knowing what devices are in scope. You cannot demonstrate that devices are patched and configured correctly if you do not have an accurate record of what devices exist.

Self-Assessment vs. Verified (CE+)

For CE, you complete the questionnaire yourself and a certifier reviews it. The process relies on accurate self-reporting. Some organisations find the questionnaire straightforward; others discover during preparation that their actual technical controls are less mature than they assumed. The questionnaire is a useful forcing function regardless of whether you proceed to certification.

CE+ adds value when your clients require verified certification rather than self-declared, or when you want external confirmation that your controls actually work as implemented. The technical assessment involves external vulnerability scanning and internal checks.

How NIS2 Compliance Helps

If you are working through NIS2 compliance, the overlap with Cyber Essentials is significant. NIS2 requires risk management measures covering access control, incident handling, supply chain security, and vulnerability management. Implementing those NIS2 controls will bring your technical environment into substantially better shape for a Cyber Essentials assessment. The MFA requirement, patch management expectations, and access control principles are consistent across both frameworks.

Cyber Essentials certification does not satisfy NIS2, but it demonstrates implementation of foundational controls that NIS2 expects to see. Evidence of CE or CE+ is useful context when regulators ask about your baseline security posture.

What to Do Now

If you hold an existing Cyber Essentials certificate, check its expiry date and review whether your current controls still meet the 2026 requirements — particularly around MFA scope and cloud services. Many organisations that were compliant under the previous requirements will need to address gaps before renewal.

If you are pursuing Cyber Essentials for the first time:

  1. Clarify your scope — which systems, devices, and cloud services are used for business activities
  2. Audit your MFA rollout — confirm it covers all cloud service access and all administrator accounts
  3. Review your password policy and enforcement — 12-character minimums need to be technically enforced, not just documented
  4. Confirm your patching position — all in-scope systems need to be within 14 days of critical patch release

The controls are not complex. The challenge for most SMEs is the gap between what the policy says and what is actually configured in the environment. Address that gap before you attempt the assessment.


James McGee is a CISA, CISSP, and CISM-certified security professional and founder of Pragmatic Security, an Irish vCISO advisory firm helping SMEs navigate cybersecurity and regulatory compliance.