Beat the Cyber Essentials deadline: 27 April
On April 27, the UK’s most comprehensive cyber security standard - Cyber Essentials, backed by the UK Government - imposes stricter requirements for businesses and their boards.
Cyber security certification is an absolute must in order for your business to be considered for ANY public tenders, and for MOST mature supply chains and enterprise-level contracts. Cyber Essentials (the “baseline” GovUK standard) is the one most SMEs would start with, before embarking on the “gold standard” ISO27001. A lack of certification means automatic exclusion from lucrative business opportunities, so if your SME holds or seeks a Cyber Essentials certification, it’s important to take action now.
Industry data suggests, and our experience at Backbone with hundreds of UK SMEs confirms, that more than 2 in 3 UK SMEs would fail their certification under these new rules. For instance, only 34% of UK businesses have a formal policy for patching vulnerabilities, which, from April, becomes an automatic fail condition.
But there is still time to prepare for the incoming changes: here is how to beat the deadline for your certification or re-certification.
First: what is changing
Directors bear accountability for cyber compliance
The April 2026 update (v3.3 "Danzell") to Cyber Essentials requires company directors to be personally involved with, and accountable for, cyber security in their business.
Directors will now be accountable for compliance and will have to undertake a personal declaration, committing to maintaining compliance for the upcoming 12 months.
Previously, directors signed off that the controls were in place on the day of the audit. Now, the director must formally declare that the organisation will maintain these controls for the full duration of the certificate. Organisations need to be audit ready beyond the 'Audit Day', and auditors will require evidence of ongoing readiness.
Subscription upgrades may be in order: MFA mandatory across all software, users and devices
Under previous rules, if one of your SaaS tools charged extra for Multi-Factor Authentication (MFA), you could claim it was commercially unviable, and achieve certification without it. From 27 April, if MFA is available, at any price tier, it is mandatory to have it enabled for all cloud-based tools (services like Xero, QuickBooks, HubSpot, Slack, Trello, and all others), all devices, and all users.
You may need to authorise immediate upgrades from "Standard" to "Premium" or "Enterprise" licences across your entire software stack just to remain compliant.
For our Secure Modern Workplace Clients, integrating these applications into your existing Microsoft MFA will provide the smoothest path to compliance and ensure you are ‘Always Audit Ready’.
Risk management: the end of audit day window-dressing
Any cyber security patches (software updates) will now have to be rolled out across all devices and users within 14 days. This new rule creates a 24/7 operational demand that many internal IT teams do not currently have the resources or the funds to meet.
Furthermore, if your organisation pursues Cyber Essentials Plus (CE Plus), which requires not just self-certification but independent, hands-on technical testing, the audit process is now designed to catch "window dressing", through extended sampling of your devices and users (double random sampling).
A failed audit doesn't just mean a re-test fee; it can lead to an immediate loss of your "Basic" certification, which equates to your business being effectively disqualified from public contracts (and increasingly, larger corporate contracts).
Action plan: Beat the April 27 deadline
For Finance Directors and business owners, the most immediate move is to certify or renew under the current, less restrictive "Willow" standard before the new rules take effect.
Certify NOW (or re-certify early): Any certification account created before April 27 will be assessed under the current version. This buys your organisation more time to plan for the costly licensing and operational changes required by the new requirements.
Prepare for the upgraded requirements
The Finance Director's "three-question" sanity check: ask your IT Lead these three questions:
- Are we confident that every user, on every system and website, is properly secured, without exceptions?
This highlights whether controls like MFA are applied consistently across the business. If the answer is “mostly”, “we think so”, or “we’d need to check”, there is already a compliance risk.
- Can we prove that all of our devices are up to date, today, not just recently?
This tests whether patching is continuous and visible, rather than periodic or assumed. If the answer relies on historic reports, manual checks, or best guesses, the organisation is not audit ready.
- If we were audited tomorrow, would we pass without doing any preparation?
This is the simplest and most important question. If the answer is anything other than a clear “yes”, the business is still operating on an audit-day model, not continuous compliance.
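To show what a continuous check behind questions one and two can look like, here is an added Python example (not code from the original post or from Backbone) that flags the two automatic-fail conditions described above: MFA offered by a vendor but not enabled for a user, and a security update not applied within the 14-day window. The device and service records are constructed sample data, not a real inventory.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # updates must be deployed within 14 days of release
AUDIT_DATE = date(2026, 4, 27)      # the day the new rules apply

# Constructed sample inventory (hypothetical): one record per device.
# "installed" is None when the update has not been applied yet.
DEVICES = [
    {"name": "LAPTOP-01", "released": date(2026, 4, 1), "installed": date(2026, 4, 9)},
    {"name": "LAPTOP-02", "released": date(2026, 4, 1), "installed": None},
    {"name": "DESKTOP-03", "released": date(2026, 3, 10), "installed": date(2026, 3, 30)},
]

# Constructed sample services (hypothetical): whether the vendor offers MFA on
# any price tier, and whether each user actually has it enabled.
SERVICES = [
    {"name": "Accounting SaaS", "mfa_available": True, "users": {"alice": True, "bob": False}},
    {"name": "Legacy intranet", "mfa_available": False, "users": {"alice": False}},
]

def patch_findings(devices, today):
    """Devices whose update was applied late, or is still missing past the deadline."""
    findings = []
    for d in devices:
        deadline = d["released"] + PATCH_WINDOW
        if d["installed"] is None:
            if today > deadline:
                overdue = (today - deadline).days
                findings.append(f"{d['name']}: update still missing, {overdue} days past the 14-day window")
        elif d["installed"] > deadline:
            late = (d["installed"] - deadline).days
            findings.append(f"{d['name']}: update applied {late} days after the 14-day window")
    return findings

def mfa_findings(services):
    """Users without MFA on any service where the vendor offers it (at any tier)."""
    findings = []
    for s in services:
        if not s["mfa_available"]:
            continue  # no MFA on offer: the rule cannot apply
        for user, enabled in s["users"].items():
            if not enabled:
                findings.append(f"{s['name']}: MFA available but not enabled for {user}")
    return findings

def audit_ready(devices, services, today):
    """True only when there are no findings of either kind, i.e. a clear 'yes'."""
    return not patch_findings(devices, today) and not mfa_findings(services)

if __name__ == "__main__":
    for line in patch_findings(DEVICES, AUDIT_DATE) + mfa_findings(SERVICES):
        print("FAIL", line)
    print("audit ready:", audit_ready(DEVICES, SERVICES, AUDIT_DATE))
```

Run against a real inventory export on a schedule rather than once, since the point of the new rules is that the answer must hold every day, not just on audit day.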
If you’re looking to gain or renew your Cyber Essentials certification, we can help. Get in touch with us.
Cyber Essentials: essential facts
Cyber Essentials is designed to protect organisations against the most common cyber threats: malware, phishing, and password attacks, by implementing five core technical controls:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
Cyber Essentials arms UK businesses with a simple playbook for cyber security. It reduces the risk of breach by up to 92%, provides free cyber insurance for UK businesses with under £20m turnover, and is required for many tenders in both the government and private sector. Consequently, it is the certification that most UK SMEs start with.
| Certification type | Focus | Cost | Best for |
|---|---|---|---|
| Cyber Essentials | Technical baseline | £300–£600 | General SME protection and Government tenders |
| Cyber Essentials Plus | Verified technical | £1.5k–£5k+ | Higher assurance and larger supply chains |
| IASME Assurance | Governance and GDPR | £400+ | Demonstrating "mature" policy for SMEs |
| ISO 27001 | Global risk management | £10k–£50k+ | Global trust, tech firms, and large enterprise |