
Does Cyber Essentials Require Multi-Factor Authentication?

March 30, 2026, by Victoria Savage

If you’re an IT admin preparing for Cyber Essentials certification or recertification, one question is now more urgent than ever: does Cyber Essentials require multi-factor authentication? The short answer is yes, and from April 2026, failing to implement MFA where it is available will result in an automatic failure of your assessment. This is one of the most significant changes in the scheme’s history, and understanding exactly what’s required, and where, is essential for every organization seeking certification. This post breaks down the April 2026 updates, what they mean for MFA specifically, and how to ensure your organization is fully compliant before the deadline.

What Is Cyber Essentials and Why Did It Get Updated?

Cyber Essentials is a UK government-backed cybersecurity certification scheme, developed and overseen by the National Cyber Security Centre (NCSC) and administered by IASME. It is designed to help organizations defend against the most common cyber threats by implementing five core security controls:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management (patching)

The scheme has two levels: Cyber Essentials (a self-assessed questionnaire) and Cyber Essentials Plus (an independently verified technical audit). Both are widely recognized by UK government departments and supply chain frameworks, and certification is mandatory for certain government contracts. [Source: UK Government Cyber Essentials guidance]

The scheme is reviewed annually. Each year, IASME collaborates closely with the NCSC to analyze feedback from across the scheme, findings from breach investigations, and insights gained from IASME’s own audit processes. This evidence base informs updates to the requirements document, question set, assessment methodology, and marking criteria.

The five core controls of Cyber Essentials have not changed, but the standards required to satisfy them are tightening, particularly around authentication.

The April 2026 Cyber Essentials Updates: What’s Changing?

In November 2025, the NCSC published updates to the Requirements for IT Infrastructure document, the authoritative standard against which Cyber Essentials certification is assessed. These included the introduction of an auto-fail policy for organizations that do not implement MFA where it is available. Since then, IASME’s ongoing audit processes identified additional areas requiring attention, prompting the NCSC to make further operational updates to the scheme.

All changes take effect on April 26, 2026. Organizations with an active assessment account created before that date will have six months to achieve certification under the previous version of the requirements. Any assessment account created after April 26, 2026 will be subject to the updated scheme immediately.

Stricter Marking Criteria and Auto-Fail Policies

One of the most significant structural changes in the April 2026 update is the introduction of stricter marking criteria for questions addressing critical security practices. Certain questions now carry an auto-fail designation, meaning that a single unsatisfactory answer to these questions results in an automatic failure of the entire assessment, regardless of how well an organization scores elsewhere.

The two primary triggers for auto-fail are:

  1. Failure to implement multi-factor authentication for cloud services where it is available
  2. Failure to implement timely security updates across the entire scope of the assessment

An auto-fail on any critical question means the organization fails Cyber Essentials outright, with no ability to offset that failure against strong performance in other areas.

This approach brings Cyber Essentials into direct alignment with the NCSC’s own recommended best practice, which has long advocated MFA as a foundational defense against credential-based attacks.

Newly Announced Changes (Highlighted in the April 2026 Update)

While the November 2025 publication previewed the MFA and patching auto-fail rules, the April 2026 update includes additional adjustments to the operation of the scheme. These cover the assessment framework, the certification process, and the Cyber Essentials Plus assessment methodology. IT admins should review the full updated documentation carefully, as changes to the Plus methodology in particular affect how technical verification audits are conducted.

Does Cyber Essentials Require Multi-Factor Authentication (MFA)?

Yes. From April 2026, multi-factor authentication (MFA) is a mandatory requirement for all cloud services within scope of the Cyber Essentials assessment where MFA is available.

This is a firm and unambiguous requirement. It does not matter whether MFA is provided as a free feature, included as part of a license, or only available as a paid upgrade. If MFA can be enabled on a cloud service, it must be enabled. Organizations that fail to meet this requirement will automatically fail their Cyber Essentials assessment.

What Counts as a “Cloud Service” Under Cyber Essentials?

Under the Cyber Essentials framework, cloud services include any third-party hosted services that your organization uses within its assessed scope. Common examples include:

  • Microsoft 365 and Azure Active Directory
  • Google Workspace
  • Cloud-based file storage (e.g. SharePoint Online, Google Drive, Dropbox for Business)
  • SaaS applications used by staff (e.g. Salesforce, HubSpot, Xero)
  • Remote access portals and VPN management consoles
  • Cloud-based email platforms

If a cloud service is used within the scope of your certification and MFA is available, whether or not you are currently using it, you are required to enable it. The “where it is available” clause does not create an opt-out based on cost. Even if enabling MFA requires purchasing an upgraded plan, that cost does not exempt an organization from the requirement.

What MFA Methods Are Acceptable for Cyber Essentials?

Cyber Essentials does not mandate a specific MFA method, but it does require that the second factor provides genuine additional security beyond a password. Acceptable methods generally include:

  • Authenticator app-based time-based one-time passwords (TOTP)
  • Push notification-based authentication
  • Hardware security keys (e.g. FIDO2/WebAuthn tokens)
  • SMS one-time passcodes (though this method carries known weaknesses and is considered lower assurance)

SMS-based MFA, while widely used, is considered the weakest form of second factor because of SIM-swapping and SS7 interception vulnerabilities; organizations should prefer app-based or hardware-based methods wherever possible.

Why MFA Is Now a Cyber Essentials Auto-Fail: The Threat Landscape Context

The elevation of MFA to auto-fail status is not arbitrary. It reflects hard data on how the majority of breaches actually occur.

Over 80% of hacking-related breaches involve compromised or weak credentials, according to the Verizon Data Breach Investigations Report. [Source: Verizon DBIR 2023]

Cloud services are disproportionately targeted because they are accessible from anywhere on the internet, making them the primary attack surface for credential-based attacks. An organization that has not enabled MFA on its Microsoft 365 environment, for example, is exposed to a category of attack that is both extremely common and almost entirely preventable.

IASME’s audit findings, which feed directly into the annual review process, have consistently identified inadequate MFA implementation as a significant gap in organizations seeking certification. The auto-fail policy is a direct response to this pattern: it removes any ambiguity about whether MFA is optional and ensures that certified organizations have meaningfully addressed one of the most exploited attack vectors.

Alignment with NCSC Best Practice

The NCSC’s own guidance, including its 10 Steps to Cyber Security and the Cyber Essentials Requirements for IT Infrastructure document, has consistently emphasized MFA as a baseline control for protecting administrative and user accounts. The April 2026 changes bring the certification standard into full alignment with that guidance, closing the gap between “recommended practice” and “certified compliance.”

This is an important signal for IT admins: the NCSC is treating MFA not as a best practice add-on but as a fundamental hygiene requirement. Organizations that have deprioritized MFA deployment should treat this update as a hard deadline, not a suggestion.

How to Prepare: MFA Implementation Guidance for Cyber Essentials Compliance

If your organization is preparing for Cyber Essentials certification or recertification under the April 2026 requirements, here is a structured approach to ensuring MFA compliance.

Step 1: Audit Your Cloud Service Inventory

Begin by creating a complete inventory of all cloud services used within the scope of your Cyber Essentials assessment. This should include every service accessed by users and administrators, regardless of how frequently it is used. For each service, document:

  • Whether MFA is available (free, included, or paid upgrade required)
  • Whether MFA is currently enabled
  • Which MFA methods the service supports
  • Which user accounts are subject to the MFA requirement

Step 2: Enable MFA on All Applicable Services

For any service where MFA is available but not yet enabled, enabling it is now a prerequisite for certification, not a nice-to-have. Prioritize services with the highest user count and the most sensitive data, but ensure complete coverage across all in-scope services.

Pay particular attention to:

  • Administrative accounts: These must be protected with MFA without exception.
  • Remote access services: VPNs, RDP gateways, and remote management portals are high-risk and must have MFA enforced.
  • Email platforms: Cloud email remains one of the primary vectors for business email compromise.

Step 3: Choose the Right MFA Solution

Not all MFA solutions integrate equally well across a diverse cloud service estate. When selecting an MFA provider, IT admins should evaluate:

  • Breadth of integration (RADIUS, SAML, OIDC, native app connectors)
  • Support for legacy systems and on-premises applications that may also fall within scope
  • Ease of enrolment and management at scale
  • Audit logging and reporting capabilities to demonstrate compliance
  • Support for phishing-resistant methods such as push notifications or hardware tokens

Step 4: Document Everything for the Assessor

Cyber Essentials assessors and Cyber Essentials Plus auditors will need to verify that MFA is in place across all in-scope cloud services. Maintain clear documentation showing which services are in scope, which MFA method is applied to each, and evidence that MFA is enforced rather than merely offered as an option to users.

Offering MFA to users without enforcing it does not satisfy the Cyber Essentials MFA requirement. Enforcement must be mandatory, not voluntary.

Step 5: Test Before Your Assessment

Run an internal review against the updated question set before submitting your assessment. Identify any cloud services where MFA is theoretically available but not yet enforced, and resolve those gaps before your assessment window opens. Given that a single MFA failure now triggers an auto-fail, there is zero margin for overlooked services.
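The five steps above amount to one repeatable check: for every in-scope cloud service, is MFA available, is it enforced for every account (not merely offered), and is the method stronger than SMS? The script below is an added example written for this post; it is not LoginTC's software and not part of the Cyber Essentials documentation. It runs that check over a constructed inventory (the service records, field names, severity labels and remediation ordering are all assumptions made here) and reports which services would trigger an auto-fail, which only merit a warning, and which to remediate first.

```python
"""Gap check of a cloud-service inventory against the Cyber Essentials MFA rule.

Added example for this post, not LoginTC's code and not part of the Cyber
Essentials documentation. The inventory below is constructed sample data;
the field names, severities and ordering are this example's own assumptions.
"""
from dataclasses import dataclass

# Factors the post treats as lower assurance; everything else counts as stronger.
LOW_ASSURANCE_METHODS = {"sms"}


@dataclass(frozen=True)
class CloudService:
    name: str
    in_scope: bool               # inside the assessment boundary?
    mfa_available: bool          # can MFA be switched on at all (free, included or paid)?
    mfa_enforced: bool           # enforced by policy, not merely offered to users
    methods: tuple               # second factors the service supports, e.g. ("totp", "sms")
    admin_accounts: int
    user_accounts: int
    accounts_without_mfa: int    # accounts that can still sign in with a password alone
    remote_access: bool = False  # VPN, RDP gateway or remote management portal?


@dataclass(frozen=True)
class Finding:
    service: str
    severity: str   # "auto-fail", "warning" or "info"
    reason: str


def assess(inventory):
    """Return findings for every in-scope service; out-of-scope services are skipped."""
    findings = []
    for svc in inventory:
        if not svc.in_scope:
            continue
        if not svc.mfa_available:
            # "Where it is available" does not bite, but the assessor will want the evidence.
            findings.append(Finding(svc.name, "info",
                                    "MFA not available; record the justification for the assessor"))
            continue
        if not svc.mfa_enforced:
            findings.append(Finding(svc.name, "auto-fail",
                                    "MFA available but not enforced (offering it is not enough)"))
        elif svc.accounts_without_mfa > 0:
            findings.append(Finding(svc.name, "auto-fail",
                                    f"{svc.accounts_without_mfa} account(s) can still sign in without MFA"))
        if svc.methods and set(svc.methods) <= LOW_ASSURANCE_METHODS:
            findings.append(Finding(svc.name, "warning",
                                    "only SMS is available; prefer app or hardware factors where supported"))
    return findings


def is_certifiable(findings):
    """A single auto-fail sinks the whole assessment, whatever the other controls score."""
    return not any(f.severity == "auto-fail" for f in findings)


def remediation_order(inventory, findings):
    """Failing services with remote access and admin exposure first, then by breadth of accounts."""
    failing = {f.service for f in findings if f.severity == "auto-fail"}
    at_risk = [s for s in inventory if s.name in failing]
    at_risk.sort(key=lambda s: (s.remote_access, s.admin_accounts, s.user_accounts), reverse=True)
    return [s.name for s in at_risk]


# Constructed sample inventory (hypothetical services, not real tenants).
SAMPLE_INVENTORY = [
    CloudService("Microsoft 365", True, True, True, ("push", "totp", "fido2"), 5, 120, 0),
    CloudService("CRM (SaaS, MFA on paid tier)", True, True, False, ("totp", "sms"), 2, 40, 42),
    CloudService("VPN management console", True, True, True, ("push",), 3, 10, 1, remote_access=True),
    CloudService("Payroll SaaS", True, True, True, ("sms",), 1, 6, 0),
    CloudService("Legacy accounting portal", True, False, False, (), 1, 4, 5),
    CloudService("Marketing analytics (out of scope)", False, True, False, ("totp",), 1, 3, 4),
]


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:>9}] {f.service}: {f.reason}")
    print("Certifiable:", is_certifiable(results))
    print("Fix first:", remediation_order(SAMPLE_INVENTORY, results))
```

Two of the constructed records show the traps the post warns about: the CRM has MFA available only on a paid tier and not enforced, and the VPN console has MFA enforced by policy but one account that can still sign in without it. Both are auto-fails; the VPN console sorts first because it is a remote access service. The SMS-only payroll service passes but is flagged so it can be moved to a stronger factor.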

Cyber Essentials MFA Requirements: Key Dates and Transition Timeline

Understanding the transition timeline is important for planning your certification or recertification schedule.

  • November 2025: NCSC published the updated Requirements for IT Infrastructure document, including the introduction of the MFA auto-fail policy.
  • April 26, 2026: All changes take effect. New assessment accounts created from this date are subject to the updated requirements immediately.
  • October 2026 (approx.): Six-month grace period ends for organizations with assessment accounts created before April 26, 2026. All active assessments must comply with updated requirements by this point.

If your organization is due for recertification between now and October 2026, plan your MFA rollout to be complete well in advance of your assessment date. Attempting to enable MFA across your cloud estate in the days before an assessment creates unnecessary risk.

Frequently Asked Questions

Does Cyber Essentials require multi-factor authentication?

Yes. From April 26, 2026, MFA is a mandatory requirement for all cloud services within the scope of a Cyber Essentials assessment where MFA is available. Failure to implement MFA on any applicable cloud service will result in an automatic failure of the assessment, regardless of performance on other controls.

Do I need MFA for Cyber Essentials if my cloud service charges extra for it?

Yes. The requirement applies whether MFA is free, included in your existing license, or only available as a paid upgrade. Cost does not exempt an organization from the requirement. If MFA is available on a cloud service used within your assessment scope, it must be enabled.

What happens if I don’t implement MFA for Cyber Essentials?

Failure to implement MFA where it is available triggers an auto-fail on your Cyber Essentials assessment. This means the entire certification attempt fails, not just the MFA-related questions. You will need to remediate the gaps and resubmit your assessment.

Does the MFA requirement apply to all user accounts or just administrators?

The requirement applies to all accounts accessing cloud services within the scope of the assessment, not just administrators. However, administrative accounts carry higher risk and should be prioritized in any MFA rollout. All accounts, both user and admin, must be covered for Cyber Essentials compliance.

When do the April 2026 Cyber Essentials changes take effect?

The changes apply to all assessment accounts created on or after April 26, 2026. Organizations with an active assessment account created before that date have a six-month transition period to achieve certification under the updated requirements.

Is SMS-based MFA acceptable for Cyber Essentials compliance?

SMS one-time passcodes are generally accepted as a form of MFA under Cyber Essentials, as they do provide a second factor beyond a password. However, SMS carries known security weaknesses, including SIM-swapping attacks, and organizations should prefer stronger methods such as authenticator apps or hardware tokens wherever the service supports them.

Conclusion: Act Now to Ensure Cyber Essentials Compliance

The April 2026 updates to the Cyber Essentials scheme represent the most significant tightening of the certification standard in recent years. The introduction of an auto-fail policy for MFA non-compliance removes any remaining ambiguity: MFA for Cyber Essentials is no longer optional, it is a binary pass/fail requirement. For IT admins, the message is clear: audit your cloud service estate now, enable MFA on every applicable service, enforce it for all users, and document your implementation thoroughly.

If you’re working through exactly how to implement and enforce MFA across your organization’s cloud and on-premises environment in a way that satisfies the updated Cyber Essentials requirements, contact us for a free, no-commitment consultation on how to meet the new Cyber Essentials Plus requirements.


LoginTC is a purpose-built MFA solution designed to integrate seamlessly across cloud services, VPNs, remote desktop environments, and legacy systems, making it straightforward to achieve the enforcement and coverage required for Cyber Essentials certification. Explore how LoginTC can help your organization meet the April 2026 requirements and protect your users against the credential attacks that Cyber Essentials is designed to defend against.
