UK tightens Cyber Essentials: 14-day patching and MFA for cloud
From April 27, Cyber Essentials requires high-risk and critical patches within 14 days and mandates multi-factor authentication on all cloud services.
The UK government updated Cyber Essentials on April 27 to shorten the patching window for high-risk and critical security updates to 14 days and to require multi-factor authentication for all cloud services.
The revision follows a government survey that found 43% of businesses reported a breach or attack in the past 12 months while just 12% said they were aware of Cyber Essentials. Officials launched a February campaign urging companies to “lock the door” on cybercriminals and pushed the annual April update to tighten standards.
The 2026 update targets common entry points for attackers, including credential theft, cloud account compromise and delayed patching. Aaron Bishop, CEO of Novous, described the change as focusing on “the actual core attacks” and closing gaps where previous rules left room for interpretation.

Jon Bance, chief operating officer at Leading Resolutions, warned that many existing patching processes that were previously tolerated will no longer meet the standard. Smaller IT teams will need clearer processes to track, prioritise and evidence patching across endpoints, servers and cloud services.
The new rules require that if a cloud service offers two-factor authentication, multi-factor authentication or single sign-on, it must be enabled. The guidance specifies that SMS-based authentication qualifies as an accepted method. Daryl Flack, partner at Avella Security, recommended firms enable mandatory MFA across every cloud service and review scoping declarations with board-level approval.
Guidance on remediation notes that a verified fix does not have to be a vendor patch. Temporary mitigations such as configuration changes, registry updates, disabling vulnerable services or deploying scripts can count as valid fixes while patches undergo internal testing, according to Ian Glennon, senior security solutions architect at Qualys.
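The two rules above (a 14-day window for high-risk and critical updates, and a verified mitigation counting as a fix while the vendor patch is still in testing) are easy to state but awkward to evidence across many assets. The following Python checker is an added example, not code from the article or from any of the organisations quoted; it assumes the 14-day clock starts on the vendor release date, that severity is labelled "critical"/"high", and uses constructed sample findings with placeholder identifiers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)           # window required by the updated standard
IN_SCOPE_SEVERITIES = {"critical", "high"}  # "high-risk and critical" updates only

@dataclass
class Finding:
    asset: str
    vuln_id: str                 # constructed placeholder, not a real advisory identifier
    severity: str
    released: date               # assumption: clock starts when the vendor releases the fix
    remediated: Optional[date] = None
    method: Optional[str] = None # "patch" or a mitigation such as "config", "disable-service"

def deadline(f: Finding) -> date:
    """Last day on which the finding can be remediated and still be compliant."""
    return f.released + PATCH_WINDOW

def status(f: Finding, today: date) -> str:
    """Classify one finding against the 14-day window.

    A verified mitigation (config change, disabled service, script) counts as a
    fix, so only the remediation date matters here, not whether it was a patch."""
    if f.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "out-of-scope"
    due = deadline(f)
    if f.remediated is not None:
        return "fixed-on-time" if f.remediated <= due else "fixed-late"
    return "overdue" if today > due else "open-within-window"

def evidence_report(findings, today: date) -> dict:
    """Group findings by status so a small IT team can evidence coverage per asset."""
    report = {}
    for f in findings:
        report.setdefault(status(f, today), []).append(f"{f.asset}:{f.vuln_id}")
    return report

# Constructed sample data; dates and identifiers are illustrative only.
SAMPLE = [
    Finding("web-01", "VULN-0001", "critical", date(2026, 5, 1), date(2026, 5, 10), "patch"),
    Finding("db-01", "VULN-0002", "high", date(2026, 5, 1), date(2026, 5, 12), "disable-service"),
    Finding("fs-01", "VULN-0003", "high", date(2026, 4, 20)),            # nothing applied yet
    Finding("vm-07", "VULN-0004", "high", date(2026, 5, 3), date(2026, 5, 20), "patch"),
    Finding("print-02", "VULN-0005", "medium", date(2026, 4, 1)),        # below the threshold
]

if __name__ == "__main__":
    for state, items in evidence_report(SAMPLE, date(2026, 5, 15)).items():
        print(f"{state}: {', '.join(items)}")
```

Note that db-01 is compliant through a mitigation rather than a patch, while vm-07 was patched but outside the window; the report separates the two so the late case is visible to auditors.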
Existing Cyber Essentials accounts have been given a six-month grace period to meet the new requirements. Advisers urge organisations to begin audits and process changes immediately to comply with the shorter patching window and the MFA mandate.
Officials have highlighted potential business benefits of certification. In January, UK Digital Minister Liz Lloyd noted Cyber Essentials certified organisations are 92% less likely to make a claim on their cyber insurance than those without certification. Harry Mason, head of client services at Mason Infotech, said certification can make firms eligible for free cyber insurance. Aaron Bishop added that many larger companies and public sector bodies require Cyber Essentials from suppliers, making certification a common contractual condition.
Security advisers recommend firms start by auditing their Cyber Essentials scope, including legal entities, in-scope devices and any exclusions, and ensure point-in-time assessments align with certification dates. Jon Bance advised against treating Cyber Essentials as an annual checkbox and urged linking the standard to broader cyber or risk management practices.
The update is now in force and organisations that need to meet the changes must revise patching and access controls, document mitigation actions and confirm MFA coverage across cloud services within the grace period.