
Cyber Essentials (April 2026) Changes

Cyber Essentials April 2026 Changes Now Published

The Cyber Essentials scheme is updated annually to stay aligned with evolving threats. While the scheme’s five core controls remain unchanged, the April 2026 updates aim to enhance clarity, consistency, and effectiveness.


IASME has released the full details of the April 2026 Cyber Essentials update, including the revised question set and updated technical requirements. If your renewal is approaching, these changes will directly affect your next assessment.


Key Changes Coming in April 2026

Cloud services must now be fully included in scope


IASME has confirmed that from April 2026, all cloud services used to store, process, or access organisational data will be fully in scope for Cyber Essentials. For solicitors, this means platforms such as Microsoft 365, case‑management systems, document portals, and other hosted services will be assessed to the same standard as your local devices and network.


This update places greater emphasis on understanding how your cloud services are configured, secured, and accessed. Even when a provider manages the underlying infrastructure, your firm remains responsible for ensuring secure use of the service — including access controls, MFA, and appropriate governance. With renewals approaching, now is the ideal time to review your cloud estate and confirm that each service meets the updated requirements.

Multi‑Factor Authentication becomes mandatory


From April 2026, Cyber Essentials will require Multi‑Factor Authentication (MFA) for all users and administrators of cloud services, wherever MFA is supported. For solicitors, this applies to platforms such as Microsoft 365, case‑management systems, document portals, and any other cloud‑based tools handling client or operational data. Password‑only access will no longer meet the standard.


The update places greater emphasis on consistent enforcement. Firms must ensure MFA is enabled for every account, including partners, fee‑earners, support staff, and external users. With renewals approaching, now is the ideal time to review your cloud platforms and confirm MFA is fully in place ahead of the April 2026 assessment changes.


High and critical vulnerabilities (CVSS 7+)


Under the April 2026 Cyber Essentials requirements, organisations must patch:

  • All vulnerabilities rated CVSS 7.0 or higher
  • Within 14 days of a fix being released


This threshold covers High and Critical severity vulnerabilities according to the Common Vulnerability Scoring System (CVSS). These are the types of weaknesses most likely to be exploited in real‑world attacks, which is why Cyber Essentials now enforces a strict remediation window.

The requirement applies to:

  • Operating systems
  • Applications
  • Cloud services (where patching is within your control)
  • Network devices, including firewalls and routers


This aligns with the broader shift in the scheme toward more mature, measurable vulnerability management.

Firewall and router firmware updates


From April 2026, Cyber Essentials will require firewall and router firmware to be updated within 14 days whenever a high‑ or critical‑severity vulnerability is identified. This brings network devices firmly into the same patching expectations as operating systems and applications.


For organisations, this means moving from occasional firmware updates to a more structured process that ensures your boundary defences are always current and supported. With renewals approaching, now is a good time to review your firewall estate and confirm that update procedures are in place ahead of the April 2026 changes.

Windows 10 devices


From April 2026, Cyber Essentials will only accept Windows 10 devices that are covered by Microsoft’s Extended Security Updates (ESU). Since mainstream support ended in October 2025, any Windows 10 machine without ESU has been treated as an unsupported operating system and will fall out of scope for certification.


For organisations, this means reviewing all remaining Windows 10 laptops and desktops and deciding whether to upgrade, replace, or enrol them into ESU. With renewals approaching, now is the time to plan your transition to ensure your device estate remains compliant under the updated standard.

BYOD devices


From April 2026, Cyber Essentials will require all personal (BYOD) devices used to access organisational data to meet the same security standards as firm‑owned equipment. This includes personal mobiles, tablets, and laptops used for email, case‑management access, or document handling.


For organisations, this means informal or unmonitored use of personal devices will no longer be acceptable. Firms will need clear policies and assurance that every device accessing client or operational data is secure and supported. With renewals approaching, now is the time to review your BYOD arrangements and ensure they align with the updated requirements.

Stricter governance


From April 2026, Cyber Essentials will introduce tighter governance around administrator accounts and firewall rule changes. Firms will need clear, documented processes showing how admin access is granted, reviewed, and removed, along with formal approval steps for any changes to firewall configurations.


For organisations, this means informal or ad‑hoc IT practices will no longer meet the standard. Stronger oversight, proper documentation, and regular reviews will be essential to demonstrate compliance. With renewals approaching, now is a good time to ensure your governance processes are up to date and fully aligned with the new requirements.

Cyber Essentials Certification

 

Changes to Cyber Essentials certification happen on April 27th 2026


Copyright © 2025 JDI-UK - All Rights Reserved.
