- Cyber Essentials
- 8th Jun 2026
Cyber Essentials Requirements 2026
In short
- Scope is determined by control, not ownership. Cloud services, BYOD devices, home-working equipment, and managed systems may all fall within scope if your organisation configures or administers them.
- Multi-factor authentication is mandatory. Since the January 2022 (Evendine) update, MFA must protect all accounts that can access cloud services and other internet-facing services, regardless of perceived risk.
- Patch management requirements are strict. Critical and high-severity vulnerabilities (the scheme counts a fix as critical or high if the vendor rates it so, or if it has a CVSS v3 base score of 7.0 or above) must be remediated within 14 days of release across operating systems, applications, firmware, and browser extensions.
- Unsupported software is not permitted. Any end-of-life software on an in-scope device results in an automatic certification failure.
Cyber Essentials and Cyber Essentials Plus assess organisations against the same five security controls. The difference is not the standard itself, but how compliance is validated: Cyber Essentials relies on self-assessment, while Cyber Essentials Plus independently verifies controls through technical testing.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about scope decisions that catch organisations out
"The scope questions that trip organisations up most often are cloud services and BYOD. The principle is simple: if you control the configuration, it's in scope. But applying that to a mixed estate of M365, SaaS tools, and personal devices requires deliberate scoping decisions, not assumptions. Get this agreed with your ASP before you open the questionnaire."
Key Facts
- The requirements are set by the NCSC's Cyber Essentials Requirements for IT Infrastructure document and the IASME question set that implements it. The question sets are named by version: Evendine (January 2022), Montpellier (April 2023) and Willow (v3.2, April 2025). Confirm with your ASP which version your 2026 assessment is marked against; the five controls are the same in all of them.
- All five controls must be met across every system within scope. Partial compliance does not achieve certification.
- MFA must be enforced on all internet-facing accounts without exception, including Microsoft 365, Google Workspace, VPN, remote access, and web-based email.
- Windows 10 reached end of support in October 2025. Devices still running it are already out of CE compliance.
- The 14-day patch window applies to everything on in-scope devices: OS updates, third-party applications, browser plugins, and firmware.
- CE+ does not apply different requirements. It applies the same requirements with independent technical verification instead of self-assessment.
The Requirements Framework: Which Version Applies in 2026
Cyber Essentials is assessed against the NCSC's Cyber Essentials Requirements for IT Infrastructure and the IASME question set built from it. Each version carries a name: Evendine (v3.0, January 2022), Montpellier (v3.1, April 2023), and Willow (v3.2, April 2025), the most recent version at the time of writing. Your ASP will tell you which question set your assessment uses; the controls described in this article are common to all of them, so the work required does not change with the version name.
The changes introduced across these versions reflected how organisations actually operate now: cloud-first infrastructure, distributed workforces, and personal devices accessing work systems. The most significant single change was making MFA mandatory for cloud services, introduced with Evendine in January 2022 and carried forward in every version since. The IASME scoping guidance and the NCSC's Cyber Essentials Requirements for IT Infrastructure document are the authoritative sources. This article interprets and explains those requirements; organisations should review the current specification directly before assessment.
Defining Your Scope: What Is In and What Is Out
The scope boundary defines which systems, devices, and users the certification covers. Every device and service within that boundary must meet all five CE controls. Scope definition is where most first-time applicants run into problems, because the current versions of the scheme are explicit about cloud services and personal devices in ways earlier versions were not.
What is in scope by default
- All end-user devices that can access internet-facing services: laptops, desktops, tablets, and smartphones, whether organisationally owned or personally owned if used for work.
- All servers where the organisation manages the operating system and software configuration, including on-premises servers, cloud-hosted virtual machines, and containers.
- Network devices that form the boundary between the organisation's network and the internet, and those within the internal network: routers, switches, firewalls.
- Cloud services where the organisation controls the configuration above the infrastructure layer: Microsoft 365 tenancies, Google Workspace tenancies, and AWS or Azure instances with organisation-managed operating systems.
Cloud services: scope follows control
This is the most frequently misunderstood aspect of current CE requirements. The principle is straightforward: if your organisation configures and manages a service, it is in scope. Where a service's infrastructure is entirely run by the provider, that infrastructure layer may be out of scope. The exclusion covers only the provider-run infrastructure, never your own configuration of the service: accounts, MFA policy and access settings that you administer remain yours to get right.
- In scope: your Microsoft 365 tenancy, including Exchange Online, SharePoint, Teams, and the associated Entra ID (formerly Azure Active Directory) configuration. Your organisation controls account provisioning, MFA policy, conditional access, and device management settings within M365. That configuration is in scope.
- In scope: AWS EC2 instances where your organisation manages the operating system and installed software.
- Potentially out of scope: SaaS applications where the provider manages all infrastructure, OS, and patching. But your configuration of accounts, MFA enforcement, and data access controls within those platforms may still fall within CE requirements.
- When in doubt: include the service in scope and verify controls are met. Excluding a service and later finding it should have been included creates a gap that may invalidate certification.
BYOD and home-working devices
Personally owned devices that access organisational systems may be in scope. The scheme is explicit: if a personal device directly accesses in-scope work services, and no technical control prevents that direct access, the device falls within scope.
Three practical approaches exist.
- First, include BYOD devices in scope and verify they meet all five controls. This requires visibility and management capability over personal devices the organisation may not have.
- Second, implement a technical control such as Virtual Desktop Infrastructure or a browser-based access solution that means the personal device never directly accesses in-scope systems. In that scenario, the personal device itself may be excluded.
- Third, prohibit BYOD access to in-scope systems entirely and enforce that prohibition technically.
Organisationally owned devices used for home working are in scope and must meet all five CE requirements, including personal firewalls.
Requirements by Control: What the Scheme Requires in 2026
The requirements below summarise the current NCSC requirements document; confirm the version in force with your ASP before assessment. For implementation guidance on each control, see the 5 Cyber Essentials controls guide.
Firewalls
The firewall requirement covers both the network boundary and individual devices. The default posture must be to block: all inbound connections not explicitly permitted must be denied.
- A boundary firewall must protect all systems within scope from the internet.
- All inbound connections not explicitly required must be blocked by default.
- Firewall rules must be documented, specific, and as restrictive as the service requires. Rules permitting unrestricted inbound access to services that could be restricted are not acceptable.
- Default credentials on all firewall and network devices must be changed.
- Administrative interfaces on firewall and network devices must not be reachable from the internet unless there is a documented business need, and then only with additional protection such as MFA or a source IP allow list.
- Personal firewalls must be enabled on all devices that connect to untrusted networks: laptops used at home, on public Wi-Fi, or anywhere outside the organisation's protected office network.
Secure Configuration
In-scope devices and software must be configured to reduce attack surface. Remove what isn't needed, disable what isn't used, change what arrived as a default.
- All in-scope systems must run only software that is currently supported by its vendor and still receiving security updates.
- Unnecessary user accounts, services, and software must be removed or disabled.
- Default passwords on all software, hardware, and services must be changed before deployment.
- Devices must be configured to lock automatically after a period of inactivity.
- Auto-run from removable media and network locations must be disabled.
User Access Control: Including the MFA Requirement
MFA on cloud services became a hard requirement with the January 2022 (Evendine) update and remains so in every later version. It is the change most likely to require remediation work for organisations assessing for the first time.
- All user accounts must operate on least-privilege principles: users have only the access their role requires.
- Administrative accounts must be separate from standard user accounts and used only for administrative tasks.
- Multi-factor authentication must be enforced on all accounts that can access any internet-facing service. This is not optional and does not apply only to accounts the organisation designates as high-risk. It applies to all internet-facing accounts.
- The MFA requirement covers: Microsoft 365 and other Microsoft cloud services, Google Workspace, web-based email, VPN and remote access solutions, any cloud-hosted application accessible from the internet, and any on-premises application with an internet-facing login page.
- Password-based authentication must meet the scheme's length floor rather than complexity rules: at least 12 characters, or at least 8 characters combined with a deny list that blocks common passwords; where MFA is in place the minimum is 8 characters. Brute-force protection (account lockout or rate limiting of attempts) is required in all cases.
- A process must exist to disable or remove accounts promptly when staff leave or change roles.
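As an added illustration (example code, not part of the original article and not SureCloud's product), the following Python script runs the three account-level checks above over an identity-provider export: MFA enforced on every enabled account that can reach an internet-facing service, admin roles held only on dedicated admin accounts, and leavers disabled promptly. The record layout, the example.com accounts and the assessment date are constructed assumptions; map the fields of your own Entra ID or Google Workspace export onto the Account dataclass.

```python
"""Audit an identity-provider account export against the CE user access control
points above. Added example, not SureCloud's code; the record layout is an assumption,
so map your own export's fields (Entra ID, Google Workspace, etc.) onto it."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assessment date used by the constructed sample below.
ASSESSMENT_DATE = date(2026, 6, 8)


@dataclass
class Account:
    upn: str
    enabled: bool
    mfa_enforced: bool          # MFA enforced by policy, not merely registered by the user
    internet_facing: bool       # can sign in to M365, VPN, SaaS or any internet-facing login
    admin_roles: list[str] = field(default_factory=list)
    everyday_use: bool = False  # has a mailbox / Teams / SharePoint use, i.e. a standard user account
    leaver_date: date | None = None  # set from HR data when the person left or changed role


def audit_accounts(accounts: list[Account], today: date) -> list[tuple[str, str, str]]:
    """Return (check, account, detail) findings. Each finding is a remediation item,
    not something to explain away in the questionnaire."""
    findings: list[tuple[str, str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account cannot authenticate; nothing further to check
        # Control: MFA on every account that can reach an internet-facing service.
        if a.internet_facing and not a.mfa_enforced:
            findings.append(("MFA", a.upn, "no MFA enforced on an internet-facing account"))
        # Control: administrative accounts separate from everyday user accounts.
        if a.admin_roles and a.everyday_use:
            roles = ", ".join(a.admin_roles)
            findings.append(("ADMIN_SEPARATION", a.upn, f"holds {roles} on an everyday account"))
        # Control: accounts disabled promptly when people leave or change role.
        if a.leaver_date is not None and a.leaver_date <= today:
            days = (today - a.leaver_date).days
            findings.append(("LEAVER", a.upn, f"left {days} days ago, still enabled"))
    return findings


def sample_export() -> list[Account]:
    """Constructed sample export; the example.com accounts do not exist."""
    return [
        Account("alice@example.com", True, True, True, everyday_use=True),
        Account("bob@example.com", True, False, True, everyday_use=True),
        Account("carol-admin@example.com", True, True, True, ["Global Administrator"]),
        Account("dave@example.com", True, True, True, ["Exchange Administrator"], everyday_use=True),
        Account("erin@example.com", True, True, True, everyday_use=True, leaver_date=date(2026, 5, 15)),
        # On-premises-only service account: outside the internet-facing MFA rule, still worth a review.
        Account("svc-backup@example.com", True, False, False),
        # Leaver who was correctly disabled: produces no finding.
        Account("frank@example.com", False, False, True, leaver_date=date(2026, 1, 9)),
    ]


if __name__ == "__main__":
    for check, upn, detail in audit_accounts(sample_export(), ASSESSMENT_DATE):
        print(f"{check:17} {upn:26} {detail}")
```

Run as a script it prints one line per finding; on the constructed sample that is bob (no MFA), dave (admin role on an everyday account) and erin (leaver still enabled). The MFA check keys on whether MFA is enforced by policy rather than merely registered, which is the state an assessor will look for.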
Malware Protection
All in-scope devices must be protected against malware. CE accepts two approaches: traditional anti-malware or application allowlisting.
- Anti-malware software must be installed on all in-scope devices, or application allowlisting must be in place.
- If using anti-malware: definitions must update automatically, scanning must be active, and detections must be reviewed and acted on.
- If using application allowlisting: only approved applications may execute, and unapproved execution must be blocked by policy.
Patch Management
Patch management is the most common CE failure area. The requirement is unambiguous: all software on in-scope devices must be kept up to date, and critical and high-severity fixes must be applied within 14 days of vendor release. CE does not permit extended deployment windows for operational reasons.
- Critical and high-severity patches must be applied within 14 days of vendor release. The clock starts when the vendor publishes the patch, not when the organisation schedules deployment.
- The 14-day requirement applies to operating systems, all installed applications, firmware where applicable, and browser plugins and extensions.
- Any software that no longer receives security updates from its vendor must be removed from in-scope devices. This is an automatic CE failure with no exception.
- The organisation must maintain sufficient visibility of its software estate to verify patching compliance. A current software inventory is a practical requirement, not optional good practice.
How Requirements Differ Between CE and CE+
Standard CE and CE+ assess against the same five controls and the same technical requirements. The difference is not in what is required but in how compliance is verified.
| Aspect | Standard CE | CE+ |
| --- | --- | --- |
| Requirements tested | All 5 controls | All 5 controls (same requirements) |
| Verification method | Self-assessment questionnaire reviewed by ASP | Technical verification by an approved assessor: vulnerability scanning, configuration checks, device sampling |
| Timing constraint | None beyond annual renewal | Must be completed within 3 months of standard CE certification |
| Assurance level | Organisation attests controls are in place | Assessor independently verifies controls are technically operating as declared |
What "Supported Software" Means in Practice
Supported software is software for which the vendor is still releasing security updates. The definition is simple; the practical implications catch organisations out.
- Windows 10 reached end of support in October 2025. Devices still running Windows 10 are already out of CE compliance. Organisations with Windows 10 in scope needed to complete migration to Windows 11 or an alternative supported OS before that date.
- Third-party applications that have reached end-of-life fail the supported software requirement regardless of whether all other CE requirements are met. This includes legacy versions of widely used applications that are no longer receiving vendor updates.
- The supported software check applies to firmware on network devices and servers, not only to installed software. Firmware that is no longer receiving updates from the hardware vendor may bring a device out of compliance.
- There is no grace period. The date a vendor ends support is the date from which that software is out of compliance. There is no CE exception for end-of-life software that is isolated, air-gapped, or deemed low-risk.
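The two hard rules in the patch management and supported software sections above (critical and high-severity fixes applied within 14 days of vendor release, and nothing running past its vendor's end-of-support date) can be checked mechanically against the software inventory the scheme expects you to hold. The Python below is an added example, not code from the article or from SureCloud. The inventory layout, hostnames, advisory labels and the Ubuntu support date are constructed; the Windows 10 end-of-support date is the real one, and the CVSS 7.0 threshold is the scheme's own definition of critical/high.

```python
"""Check an in-scope software inventory against the CE rules above: no unsupported
software, and critical/high fixes applied within 14 days of vendor release.
Added example, not SureCloud's code; inventory layout and sample estate are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14
HIGH_RISK_CVSS = 7.0  # CE: vendor-rated critical/high, or CVSS v3 base score 7.0 and above
ASSESSMENT_DATE = date(2026, 6, 8)


@dataclass
class Fix:
    advisory: str
    cvss: float
    vendor_released: date        # the 14-day clock starts here, not at scheduled deployment
    applied: date | None = None


@dataclass
class Software:
    name: str
    version: str
    support_ends: date | None    # None: the vendor has not announced an end-of-support date
    fixes: list[Fix] = field(default_factory=list)


@dataclass
class Device:
    hostname: str
    software: list[Software] = field(default_factory=list)


def fix_deadline(vendor_released: date) -> date:
    """Last compliant day for applying a critical/high fix."""
    return vendor_released + timedelta(days=PATCH_WINDOW_DAYS)


def assess(devices: list[Device], today: date) -> list[tuple[str, str, str]]:
    """Return (kind, hostname, detail). UNSUPPORTED and OVERDUE are certification
    failures, LATE is evidence of a process failure, DUE is a deadline to plan around."""
    findings: list[tuple[str, str, str]] = []
    for dev in devices:
        for sw in dev.software:
            # Rule: support ends on the vendor's date, with no grace period.
            if sw.support_ends is not None and sw.support_ends <= today:
                findings.append(("UNSUPPORTED", dev.hostname,
                                 f"{sw.name} {sw.version}: vendor support ended {sw.support_ends}"))
            for fx in sw.fixes:
                if fx.cvss < HIGH_RISK_CVSS:
                    continue  # must still be applied eventually, but it is not on the 14-day clock
                deadline = fix_deadline(fx.vendor_released)
                label = f"{sw.name} {fx.advisory} (CVSS {fx.cvss})"
                if fx.applied is None:
                    if today > deadline:
                        findings.append(("OVERDUE", dev.hostname,
                                         f"{label}: {(today - deadline).days} days past {deadline}"))
                    else:
                        findings.append(("DUE", dev.hostname, f"{label}: due by {deadline}"))
                elif fx.applied > deadline:
                    findings.append(("LATE", dev.hostname,
                                     f"{label}: applied {(fx.applied - deadline).days} days late"))
    return findings


def sample_estate() -> list[Device]:
    """Constructed estate; hostnames and advisory labels are placeholders."""
    return [
        Device("LAPTOP-01", [
            Software("Windows 10", "22H2", date(2025, 10, 14)),          # real end-of-support date
            Software("Google Chrome", "137.0", None,
                     [Fix("advisory-A", 8.8, date(2026, 5, 20))]),        # unapplied, deadline passed
        ]),
        Device("SRV-01", [
            Software("Ubuntu Server", "22.04 LTS", date(2027, 4, 30), [  # support date: assumption
                Fix("advisory-B", 7.8, date(2026, 4, 20), applied=date(2026, 5, 15)),  # applied late
                Fix("advisory-C", 7.5, date(2026, 6, 1)),                # still inside the window
                Fix("advisory-D", 5.3, date(2026, 5, 1)),                # medium: not on the clock
            ]),
        ]),
        Device("FW-01", [
            Software("Firewall firmware", "9.1", None,
                     [Fix("advisory-E", 9.8, date(2026, 5, 10), applied=date(2026, 5, 20))]),  # on time
        ]),
    ]


if __name__ == "__main__":
    for kind, host, detail in assess(sample_estate(), ASSESSMENT_DATE):
        print(f"{kind:12} {host:10} {detail}")
```

On the constructed estate this reports Windows 10 as unsupported, the Chrome fix as five days overdue, the server kernel fix as applied eleven days late, and the OpenSSL-style fix as due within the week; the firewall firmware fix applied inside its window produces nothing. Feed it your real inventory export and the UNSUPPORTED and OVERDUE lines are the items that would fail the assessment today.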
Am I Ready? A Pre-Submission Self-Check
Before submitting a CE self-assessment, work through these questions. A "no" or "uncertain" answer is a remediation item, not a question to navigate carefully in the questionnaire.
- Have all devices in scope been identified and documented, including cloud services and remote-working devices?
- Is all software on in-scope devices currently supported by its vendor, with security updates still available?
- Has every critical or high-severity fix released more than 14 days ago been applied across all in-scope systems, with nothing still outstanding past its deadline?
- Have default credentials been changed on all network devices, hardware, and software?
- Is MFA enforced for all accounts that can access internet-facing services, including Microsoft 365 and any cloud applications?
- Are administrative accounts separate from standard user accounts, with no unnecessary admin accounts active?
- Is anti-malware installed and actively maintained on all in-scope devices, or is application allowlisting in place?
- Are personal firewalls enabled on all laptops and mobile devices used outside the office network?
- Do you have a complete, current software inventory for all in-scope devices?
Use the CE certification checklist for a step-by-step walkthrough of each item.
FAQs
What are the Cyber Essentials requirements for 2026?
The 2026 CE requirements are set by the NCSC's Cyber Essentials Requirements for IT Infrastructure and the matching IASME question set (Willow, v3.2, introduced April 2025, is the most recent version at the time of writing; confirm the version in force with your ASP) and cover five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. All five must be met across every system within the declared assessment scope. Key requirements include mandatory MFA for all internet-facing accounts, critical and high-severity fixes applied within 14 days of release, no unsupported software on in-scope devices, and firewall protection at the network boundary and on remote devices.
Does Cyber Essentials require MFA?
Yes, since the January 2022 (Evendine) update, and in every version since. MFA is mandatory for all accounts that can authenticate to any internet-facing service: Microsoft 365, Google Workspace, web-based email, VPN and remote access, and any cloud or internet-accessible application the organisation uses. There are no exceptions. Organisations that haven't enforced MFA on these services won't meet the user access control requirement and won't certify.
Are cloud services in scope for Cyber Essentials?
Cloud services where your organisation controls the configuration are in scope. This covers Microsoft 365 tenancies, Google Workspace tenancies, and cloud-hosted virtual machines where you manage the OS and installed software. SaaS platforms where the provider controls all infrastructure may be out of scope for the infrastructure layer, but your configuration of accounts, MFA enforcement, and access controls within those platforms remains subject to CE requirements.
Do home-working devices need to meet Cyber Essentials requirements?
Organisationally owned devices used for home working are in scope and must meet all five CE requirements, including personal firewalls. Personally owned BYOD devices used for work may also be in scope depending on how access is configured. If a personal device directly accesses in-scope work systems, it's likely in scope. Technical controls such as VDI or browser-based access can be used to exclude personal devices, but the implementation must technically prevent direct access to in-scope systems.
How is CE different from CE+ in terms of requirements?
Both CE and CE+ assess against the same five controls and the same technical requirements. The difference is verification: standard CE is self-assessed via the current IASME question set with ASP review; CE+ requires an IASME-approved assessor to independently verify controls through technical testing including vulnerability scanning, configuration checks, and device sampling. CE+ must be completed within three months of standard CE certification.
© SureCloud 2026. All rights reserved.