On 27 April 2026, the new Cyber Essentials update (v3.3) comes into force. For UK businesses chasing government contracts, the requirements have become non-negotiable.
The most critical update centers on the 14-Day Patch Rule:
Zero-Tolerance Patching: Any vulnerability marked as “High” or “Critical” must be patched within 14 days of release.
Cloud MFA Requirements: Multi-Factor Authentication is now mandatory for all cloud services that access or store business data.
Authenticated Internal Scanning: CE+ auditors now utilize more rigorous authenticated scans, leaving no room for unmanaged “shadow IT.”
The Enactia Edge: Enactia’s Vulnerability Management Module tracks the “age” of every vulnerability in your estate. It sends automated alerts to IT on day 1 and escalates to compliance on day 10, ensuring you meet the 14-day mandate.
FAQ: Cyber Essentials 2026 Updates
Does the 14-day rule apply to third-party software?
Yes. Any software installed on devices in scope must be patched within 14 days if a critical vulnerability is identified.

Is MFA required for guest accounts?
Yes. Any account that can access business data must be protected by MFA to pass a Cyber Essentials Plus audit.

What if a patch breaks our legacy systems?
You must document the risk and implement compensatory controls. Enactia allows you to record these exceptions and your plan to move to supported systems.