Cyber Essentials Plus in 2026: Strengthened Controls, UK Cyber Reality & How Qualys Supports Compliance
Table of Contents
- Key Takeaways
- Why CE+ Is Getting Tougher
- UK Government Cyber Guidance: Risk Reduction, Backed by Data
- Reality Check: Cyber Incidents Are Prevalent and Persistent
- Key Changes in CE+ 2026 — What Organisations Must Show
- How Qualys Maps to CE+ 2026 Requirements
- Turning Insights into Action: A Practical Readiness Roadmap
- Conclusion: From Compliance to Confidence
- Ready to See Where You Stand?
Key Takeaways
- CE+ 2026 Updates: Effective April 2026, Cyber Essentials Plus requires stronger technical proof of control effectiveness, mandatory MFA, and tighter patching windows.
- Cloud and Identity in Scope: Audits now explicitly include cloud services and identity configurations, demanding comprehensive visibility.
- UK Government Data: Recent government surveys show 82% of UK businesses experienced a cyber incident, underscoring the need for proven frameworks like CE+.
- Qualys for Compliance: The Qualys Enterprise TruRisk™ Platform provides end-to-end capabilities for asset management, vulnerability detection, and automated remediation to meet new CE+ requirements.
In April 2026, the UK’s Cyber Essentials Plus (CE+) scheme enters a significant evolution. The latest update shifts the focus from paperwork to measurable, operational security — forcing organisations to prove controls are working, not just documented. At the same time, recent UK Government research paints a sobering picture of cyber risk prevalence and organisational behaviour change. Together, these trends underscore why CE+ readiness is about more than certification — it’s about resilience in an increasingly hostile landscape.
In this post, we unpack the CE+ changes, ground them in UK Government research, and show how the Qualys Enterprise TruRisk™ Platform aligns to help organisations succeed.
Join us at ROCon EMEA to discuss the CE+ changes with Qualys experts and your peers.
Why CE+ Is Getting Tougher
The version 3.3 (Danzell) update to CE+ (effective for assessments created on or after 27 April 2026) places sharper emphasis on:
- Real technical evidence of control effectiveness
- Cloud and identity scope compliance
- Tighter patching windows
- Mandatory control enforcement vs optional configuration
This shift toward technical assurance over narrative responses reduces ambiguity for auditors and improves cyber baseline maturity.
UK Government Cyber Guidance: Risk Reduction, Backed by Data
The UK Government’s recent “lock the door on cyber criminals” campaign highlights the real business impact of cyber risk — and the value of getting the basics right. It calls out that Cyber Essentials “works”, including a major reduction in insurance claims for organisations with certification.
This government framing positions CE+ as a risk‑mitigation framework tied to measurable outcomes.
Reality Check: Cyber Incidents Are Prevalent and Persistent
Findings from the Cyber Security Longitudinal Survey – Wave Five — the UK Government’s multi‑year study of medium and large organisations — provide hard evidence of cyber risk and control behaviour:
- Around eight in ten businesses (82%) and charities (77%) experienced a cyber incident in the last 12 months.
- Cyber Essentials adoption is rising, with Wave Five showing 30% of businesses reporting adherence to Cyber Essentials (up from 23% in Wave Four).
- A sizeable share still adheres to none of the standards (Cyber Essentials, CE+, ISO 27001) — 37% of businesses and 41% of charities in Wave Five.
- The report explicitly flags a reactive pattern: many organisations change behaviour after an incident rather than ahead of one.
In short: incidents are common, the basics help, and organisations still leave far too much to chance.
Key Changes in CE+ 2026 — What Organisations Must Show
Here’s where the new CE+ standard really strengthens technical evidence and control enforcement:
Mandatory MFA Wherever Supported
Previously, an auditor might note MFA gaps as an observation or require remediation within a timeframe. Under Danzell, if MFA is supported by a cloud service and it isn’t enforced across all user accounts — not just privileged accounts — the assessment is an automatic fail. No compensating controls. No auditor discretion. Fail. This is the shift from ‘best practice’ to ‘mandatory requirement’ that catches organisations off guard.
Cloud Services and Identity Configurations Are In Scope
Cloud endpoints, SaaS platforms, and identity configurations must be included in the audit scope — and validated with live evidence.
Tighter Expectations Around Patching
The 14-day patching window is now a hard SLA. If a vulnerability fix has been available for more than 14 days and hasn’t been applied to an in-scope asset, that’s an automatic fail — regardless of your risk acceptance process, change board backlog, or compensating controls.
Live Technical Proof Over Static Policies
CE+ assessors will verify configurations and control status in live systems — screens, logs, and system state — moving beyond static policy checklists.
Random Re-Sampling: No More “Fix the Sample, Pass, Forget”
Previous CE+ audits tested a defined sample of assets. Savvy (or cynical) organisations could focus remediation on the sample set and leave the rest of the estate untouched. Danzell closes that loophole. Auditors can now randomly re-sample during remediation to verify that fixes have been applied organisation-wide, not just on the devices that were originally tested. This means your compliance posture needs to be real and continuous, not staged for audit day. Point-in-time fixes are over.
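The two automatic-fail rules described above (MFA not enforced on every account of an MFA-capable cloud service, and a vendor fix available for more than 14 days but not applied to an in-scope asset) are simple enough to encode as a pre-assessment check. The following is an added example, not Qualys or NCSC code; the account and finding records, service names and fix identifiers are constructed sample data.

```python
"""CE+ 2026 auto-fail pre-check over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

PATCH_WINDOW_DAYS = 14  # hard SLA described for CE+ v3.3 (Danzell)


@dataclass
class Account:
    service: str
    user: str
    privileged: bool
    mfa_enforced: bool


@dataclass
class Finding:
    asset: str
    in_scope: bool
    fix_id: str
    fix_available: date       # date the vendor-prescribed fix became available
    applied: Optional[date]   # None = fix still outstanding on this asset


def mfa_failures(accounts: List[Account], mfa_capable: Set[str]) -> List[str]:
    """Every account, privileged or not, on an MFA-capable service must have MFA enforced."""
    return sorted(f"{a.service}:{a.user}" for a in accounts
                  if a.service in mfa_capable and not a.mfa_enforced)


def patch_failures(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """In-scope assets with a fix older than the window still unapplied at assessment time."""
    fails = []
    for f in findings:
        age = (today - f.fix_available).days
        if f.in_scope and f.applied is None and age > PATCH_WINDOW_DAYS:
            fails.append((f.asset, f.fix_id, age))
    return fails


# Constructed sample data: one non-privileged user without MFA, one laptop 31 days overdue.
MFA_CAPABLE = {"m365", "crm-saas"}
ACCOUNTS = [Account("m365", "admin@example.test", True, True),
            Account("m365", "alice@example.test", False, False),   # standard user, no MFA: fail
            Account("crm-saas", "bob@example.test", False, True),
            Account("legacy-app", "svc_report", False, False)]     # service cannot do MFA: not counted
FINDINGS = [Finding("laptop-01", True, "fix-A", date(2026, 4, 10), None),             # 31 days, open
            Finding("laptop-02", True, "fix-A", date(2026, 4, 10), date(2026, 4, 20)),  # applied
            Finding("srv-03", True, "fix-B", date(2026, 5, 1), None),                 # 10 days, in window
            Finding("lab-vm", False, "fix-B", date(2026, 4, 1), None)]                # out of scope


def readiness_report(accounts=ACCOUNTS, findings=FINDINGS, today=date(2026, 5, 11)) -> dict:
    """Both auto-fail lists; an assessor would fail the audit if either is non-empty."""
    return {"mfa": mfa_failures(accounts, MFA_CAPABLE), "patching": patch_failures(findings, today)}
```

Because re-sampling can land on any in-scope asset, the value of a check like this is running it across the whole estate on a schedule rather than on the audit sample alone.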
How Qualys Maps to CE+ 2026 Requirements
CE+ is about more than identifying gaps — it expects you to find them, fix them, and prove it. The Qualys Enterprise TruRisk Platform is the most direct accelerator for that outcome.
1) CyberSecurity Asset Management (CSAM) + EASM — Scoping Without Guesswork
With assessors now free to randomly sample assets from within your scope, understanding that scope has never been more important. Your assessor will ask what you know about your external perimeter and will expect you to demonstrate that you are using supported software and operating systems.
Cyber Essentials doesn’t mandate asset management as a control, but with the refinement of public web application scoping and cloud inclusion, plus the requirement to use only supported software and operating systems, a reliable inventory is no longer optional in practice. You can’t defend scope if you can’t see the estate.
Qualys CyberSecurity Asset Management (CSAM) provides internal discovery and inventory across environments, and with External Attack Surface Management (EASM) it adds an outside‑in view of internet‑facing assets — continuously monitoring external exposure and flagging newly discovered or unknown assets, web applications, and APIs.
CE+ payoff: tighter scope definition, fewer surprises during assessment, and stronger assurance that internet-connected assets (internal and external) aren’t hiding in the weeds, with evidence of software and operating system support lifecycles to show compliance.
2) Qualys VMDR — Continuous Vulnerability Management with Audit-Ready Evidence
CE+ expects you to identify vulnerabilities across the in-scope estate, remediate within the required window, and prove you did it. Qualys VMDR (Vulnerability Management, Detection & Response) supports that end-to-end by continuously assessing assets, prioritising remediation based on risk, and maintaining an evidence trail you can take into a CE+ assessment. VMDR offers:
- Continuous vulnerability detection across endpoints, servers, and hybrid environments
- Prioritisation to focus teams on what matters most (not what’s loudest)
- Reporting that supports “show me” conversations with assessors — including remediation status over time
CE+ payoff: a simpler path to meeting the CE+ patching expectation, with clear evidence from discovery through to closure.
3) TruRisk Eliminate — Turning “Vulnerability Fixes” Into Action
CE+ uses the term “vulnerability fixes” deliberately — and it’s broader than “patches.” The CE+ test specification defines vulnerability fixes as patches, updates, registry fixes, configuration changes, scripts, or any other vendor-prescribed mechanism.
That definition is essentially a description of what TruRisk Eliminate is built to do: map vulnerabilities to the right remediation and operationalise the fix path — including patches and configuration changes (and the broader mitigation workflow when patching isn’t immediate).
CE+ payoff: faster remediation, fewer “we’ll get to it” gaps, and a cleaner evidence trail showing the loop from detection → action → closure.
4) Policy Audit — Proving “Secure Configuration” Instead of Asserting It
With the greater emphasis on technical validation and the inability to pre-select your assessment scope, continuous configuration assurance becomes a critical piece of the CE+ compliance puzzle. Qualys Policy Audit is purpose-built to automate control assessment and evidence collection for Cyber Essentials, validating system configuration against defined benchmarks and streamlining audit-ready reporting.
For CE+ specifically, you can align policy coverage to the major platforms you’ll be asked to evidence — typically Windows, Linux, network devices, and databases — so you’re not scrambling to prove secure baseline settings on the day.
CE+ payoff: evidence you can hand to an assessor with confidence, and fewer “policy says X, system does Y” moments.
5) TotalCloud — Cloud Inventory + Compliance Evidence
CE+’s cloud emphasis means you need two things: cloud visibility and proof of control enforcement for cloud security compliance.
Qualys TotalCloud is the CNAPP layer that unifies posture and workload coverage, giving you the inventory and continuous assessment you need for cloud-heavy scope.
Qualys was recently recognised as a Leader in the 2026 Forrester Wave for CNAPP, with the write-up calling out breadth across CSPM/CIEM-style use cases and platform coherence; that breadth is what lets you make your cloud security coverage for CE+ complete and evidenced.
CE+ payoff: a defensible view of cloud services in scope, evidence of misconfiguration control, and an easier story when assessors probe “show me” questions.
6) TotalAppSec — Public-Facing Apps/APIs, Posture Visibility, and Secure-by-Design Momentum
Many organisations’ real exposure is their public-facing web applications and APIs — and the scheme references secure development expectations, including alignment to the UK’s Software Security Code of Practice.
Qualys TotalAppSec addresses the operational side of that: it discovers applications and APIs across on-premises and cloud-hosted environments and unifies web + API security posture so you can measure and improve where it counts.
CE+ payoff: better visibility of externally exposed applications, stronger evidence of application security testing posture, and a cleaner bridge to “secure development practices” expectations.
Turning Insights into Action: A Practical Readiness Roadmap
- Assess your current state: Use readiness tools and Qualys’ inventory to determine scope and gaps.
- Enable and verify MFA: Identity controls are now as important as firewalls and patching.
- Implement continuous vulnerability workflows: Automated detection, prioritisation, and proof of remediation matter.
- Build audit evidence early and maintain it continuously: Live control measurements with Qualys deliver audit‑ready artifacts.
- Embed in governance: Longitudinal survey findings show a reactive trend — pre-empt it and treat CE+ as planned operational assurance, not a post-incident scramble.
Conclusion: From Compliance to Confidence
The 2026 Cyber Essentials Plus update moves the bar — not for complexity, but for real‑world effectiveness. It reflects both government priorities and the lived experience of UK organisations dealing with persistent cyber incidents. Compliance is no longer “answer the questions and hope”; it is “demonstrate that the controls are working.”
With integrated visibility, automated validation, and evidence‑centric reporting, Qualys helps organisations not just pass CE+ audits but improve their security posture in measurable ways — and that aligns neatly with the UK Government’s push to “lock the door” using practical controls that are proven to reduce harm.
Ready to See Where You Stand?
If you’re planning a CE+ assessment after April 2026, the time to prepare is now — not the week before your audit window opens.
Book a free Cyber Essentials Gap Assessment with a Qualys Solution Architect. We’ll map your current estate against the Danzell requirements and show you exactly where the auto-fails live — before your auditor does.