26 Mar 2026

Cyber Essentials is Changing This April – What Small Businesses Need to Know

If your business holds Cyber Essentials or you’re planning to get certified, some important changes are coming into force at the end of April.

The good news?

This isn’t a complete overhaul.

The reality?

The bar is being raised, and some of the things that were previously “nice to have” are now mandatory.

Here’s what it means for you, in simple terms.

What’s actually changing?

From 27th April 2026, any new Cyber Essentials assessment will be based on an updated standard.

The core principles stay the same, but the expectations are tighter, clearer, and more strictly enforced.

In short:

👉 Less interpretation

👉 More proof

👉 Fewer shortcuts

The key changes

1 - Multi-Factor Authentication (MFA) is now non-negotiable

If a system supports MFA, you must turn it on.

That includes:

  • Microsoft 365
  • Email systems
  • Remote access (VPN, RDP, etc.)
  • CRM and cloud apps

If MFA is available but not enabled, you will fail.
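The two things an assessor will ask for are evidence that MFA is enforced and evidence that everyone (not just admins) has actually registered a method. The following is an added example, not code from the original post: it creates a tenant-wide Conditional Access policy in Microsoft 365 and then reports users with no MFA method registered. It assumes the Microsoft.Graph PowerShell SDK, an Entra ID P1 licence (Conditional Access needs P1; tenants without it should turn on Security Defaults instead) and a hypothetical break-glass account, `breakglass@contoso.onmicrosoft.com`.

```powershell
# Added example (not from the original post): enforce MFA for all users on all cloud apps
# with a Conditional Access policy, then list who has still not registered an MFA method.
# Assumes the Microsoft.Graph PowerShell SDK and an Entra ID P1 licence.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Hypothetical break-glass account. It is excluded so an MFA provider outage cannot lock
# every admin out; protect it with a long random password and alert on any sign-in.
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com' -Property Id

$policy = @{
    displayName   = 'CE - Require MFA for all users on all cloud apps'
    # Start in report-only mode, review the sign-in log for a few days, then set 'enabled'.
    # Report-only does not enforce anything, so it is not a pass on its own.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Evidence for the assessor: every user who has no MFA method registered yet.
# Admins are sorted to the top, but the requirement is everyone, not just admins.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize
```

One caveat that catches a lot of small tenants: legacy authentication protocols (IMAP, POP, SMTP AUTH, older ActiveSync clients) cannot perform MFA at all, so a policy that requires MFA still leaves them open. Block them with a second policy whose `clientAppTypes` are `exchangeActiveSync` and `other` and whose `builtInControls` is `block`; otherwise "some apps left unsecured" is exactly the gap you will be left with.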

2 - All cloud services are now in scope

If your business uses:

  • Microsoft 365
  • Google Workspace
  • Cloud accounting systems
  • Any SaaS platform

👉 You are responsible for securing it. The provider runs the platform, but configuring the controls (MFA, account management, sharing and permission settings) and being able to evidence them is your job.

3 - Patching must happen within 14 days

If a critical or high-risk security update is released (the vendor rates it critical or high, it fixes a vulnerability with a CVSS v3 base score of 7.0 or above, or the vendor gives no severity at all), you now have:

👉 14 days from the release date to apply it, or you fail

This applies to:

  • PCs and laptops
  • Tablets and Smartphones
  • Servers
  • Firewalls
  • Applications
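The common gap under this heading is not that updates never get installed, it is that nobody can show which ones are overdue. The following is an added example, not code from the original post: it lists pending Critical/Important Windows updates on the local machine that were published more than 14 days ago, using the Windows Update Agent COM API that ships with Windows. It only reports; it does not install. The `$maxAgeDays` value, the exit code convention and the mapping of Microsoft's "Important" rating to the standard's "high risk" are choices made here, not something the page states.

```powershell
# Added example (not from the original post): report pending Critical/Important Windows
# updates released more than 14 days ago on this endpoint. Windows-only; uses the built-in
# Windows Update Agent COM API, so no extra modules are required.
$maxAgeDays = 14                                   # the Cyber Essentials deadline
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# IsInstalled=0 -> not yet applied; Type='Software' -> excludes driver updates;
# IsHidden=0 -> skips updates an admin has hidden. Hiding an update is not a pass,
# so if you use that feature, run a second search with IsHidden=1 and review it.
$pending = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

$overdue = foreach ($u in $pending) {
    # MsrcSeverity is only populated for security updates (Critical/Important/Moderate/Low).
    # Microsoft's 'Important' is treated here as the standard's 'high risk'; when in doubt,
    # check the CVSS score in the MSRC advisory for the CVEs the update fixes.
    if ($u.MsrcSeverity -notin @('Critical', 'Important')) { continue }
    if ($u.LastDeploymentChangeTime -ge $cutoff)           { continue }   # still inside the window
    [pscustomobject]@{
        KB          = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity    = $u.MsrcSeverity
        Released    = $u.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
        DaysOverdue = [int](((Get-Date) - $u.LastDeploymentChangeTime).TotalDays) - $maxAgeDays
        Title       = $u.Title
    }
}

if ($overdue) {
    $overdue | Sort-Object DaysOverdue -Descending | Format-Table -AutoSize
    exit 1    # non-zero so an RMM tool or scheduled task can alert on it
} else {
    "No Critical/Important updates older than $maxAgeDays days are pending."
}
```

This gives you evidence for one Windows device. The 14-day rule also covers phones, tablets, firewalls and applications, each of which needs its own source of truth (for example Intune or Windows Update for Business reports for the fleet view, and the firewall vendor's release notes for the edge device), so keep the per-platform output together as the record you can show an assessor.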

4 - Everything connected to your data is in scope

This is one of the biggest shifts.

It’s no longer just “office IT”.

If a device can access your business systems or data, it counts. That includes:

  • Home working devices
  • Personal phones checking email
  • Tablets accessing Teams or SharePoint
  • Any device logging into cloud services

👉 If it touches your data, it’s in scope.

New focus: Controlling access from all devices

This is where many small businesses will feel the biggest impact.

Cyber Essentials does not explicitly mandate full device management (MDM), but it does require you to demonstrate control.

You must be able to answer questions like:

  • How do you ensure devices accessing your data are secure?
  • How do you stop company data from being copied to personal apps?
  • What happens if a device is lost or compromised?

If the answer is “we trust our users” - that’s no longer enough.

Why MAM is becoming essential for SMEs

For most small businesses, the practical answer is Mobile Application Management (MAM).

Rather than managing the entire device, MAM focuses on protecting the company data inside apps.

In a Microsoft 365 environment, that typically means:

  • Outlook and Teams are protected by policy
  • Company data can’t be copied into personal apps
  • Data can be wiped without affecting personal photos or apps
  • Access is conditional (e.g. blocked if the device is risky)

👉 This gives you control without being intrusive
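What those four bullets look like as configuration: the following is an added example, not code from the original post or from any vendor. It creates an iOS app protection policy through Microsoft Graph, targets it at Outlook and Teams, assigns it to a group, and then adds a Conditional Access policy so that mobile sign-ins are only granted from apps carrying that policy. It assumes the Microsoft.Graph PowerShell SDK, Intune licensing, an Entra ID P1 licence for Conditional Access, and a hypothetical group named `All Staff`; the policy names and the specific timeouts are choices made here.

```powershell
# Added example (not from the original post): MAM for a Microsoft 365 tenant.
# 1) iOS app protection policy, 2) target Outlook/Teams, 3) assign to a group,
# 4) Conditional Access that requires the policy at sign-in. Assumes Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'Group.Read.All',
                        'Policy.ReadWrite.ConditionalAccess' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# Hypothetical group. App protection policies apply to users, not to devices,
# which is what makes them workable for personal phones.
$group = Get-MgGroup -Filter "displayName eq 'All Staff'" | Select-Object -First 1

# 1. The policy: data may only move between managed apps, no Save As / iCloud backup / print,
#    a PIN on the app, jailbroken devices refused, and app data wiped after 90 days offline.
$policyBody = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'CE - iOS app protection (BYOD)'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    pinRequired                             = $true
    minimumPinLength                        = 6
    deviceComplianceRequired                = $true      # blocks jailbroken devices
    periodOnlineBeforeAccessCheck           = 'PT30M'    # re-check policy every 30 minutes online
    periodOfflineBeforeAccessCheck          = 'PT12H'    # offline grace before access is blocked
    periodOfflineBeforeWipeIsEnforced       = 'P90D'     # selective wipe of app data, not the phone
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" -Body $policyBody

# 2. Target the apps that hold company data (iOS bundle IDs for Outlook and Teams).
$apps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' } },
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.skype.teams' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($policy.id)/targetApps" -Body $apps

# 3. Assign the policy to the group.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($policy.id)/assign" -Body $assign

# 4. Make it mandatory: without this, a user can still read mail in an unprotected app.
#    'compliantApplication' = the app must carry an app protection policy. Report-only first.
$ca = @{
    displayName   = 'CE - Require app protection policy on iOS/Android'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('mobileAppsAndDesktopClients', 'browser')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantApplication') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca | Select-Object DisplayName, State, Id
```

Two points to check before switching the Conditional Access policy to `enabled`. The app protection policy above is iOS only; Android needs a matching `androidManagedAppProtection` (same shape, Android package names such as `com.microsoft.office.outlook`) or Android users will simply be blocked. And the policy is only as good as the apps it targets: any app that can open company data (OneDrive, SharePoint, Word, Excel, Edge) needs to be in the target list, or the "can't be copied into personal apps" claim is not true.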

MAM vs MDM (simple view)

  • MDM (Device Management): Full control of the device (used for company-owned kit)
  • MAM (App Management): Control of company data within apps (ideal for mixed/BYOD environments)

What “good” now looks like

A typical compliant small business setup will look like:

  • Company laptops fully managed and patched
  • MFA enforced across all systems
  • Mobile access controlled via MAM policies
  • Personal devices allowed but only through secured apps
  • Conditional Access protecting logins

👉 In reality, MAM is quickly becoming the minimum standard for businesses that allow mobile or remote access.

What gaps are we seeing in real businesses?

Here’s where most small businesses will fall short:

🚩 MFA gaps

  • Only admins protected
  • Some apps left unsecured

🚩 Patch management issues

  • No consistent update process
  • No reporting or visibility

🚩 Unmanaged devices

  • Staff using personal devices freely
  • No control over how data is accessed

🚩 Cloud assumptions

  • Belief that “Microsoft handles security”
  • No review of permissions or sharing

🚩 No data control on mobile

  • Emails and files accessible on personal devices
  • No way to remove company data

👉 This is the big one, and it is where MAM closes the gap.

Final thought

Cyber Essentials is still designed to be achievable — especially for SMEs.

But the direction is clear:

👉 Security must be consistent — not occasional

👉 Access must be controlled — not assumed

👉 And everything must be provable

Most importantly:

It’s no longer just about securing devices,

it’s about securing how your data is accessed.

For many small businesses, that’s exactly where MAM is now playing a critical role.
