
Basic visibility matters more than ever

by Mark Rowe

At the end of April 2026, tighter security requirements came into effect for the UK’s Cyber Essentials certification scheme. The updated standard introduced two significant changes: high-risk vulnerabilities must now be patched within 14 days, and multi-factor authentication is mandatory for all cloud services. Both changes address a persistent problem. Many attacks still happen simply because basic security controls are missing or poorly implemented, writes Jon Abbott, CEO and Co-Founder of the platform ThreatAware.

As a result, the updated requirements raise the bar on asset visibility and threat prioritisation, making it harder to ignore the weaknesses that attackers exploit first.

The visibility problem behind most breaches

Put simply, organisations cannot patch vulnerabilities they don’t know exist. The 14-day patching window starts the moment a critical flaw is announced, regardless of whether you’ve identified where it sits in your infrastructure. Meeting that deadline requires maintaining an accurate, current inventory of every device, software package and version across your estate.

Many businesses lack this information in any reliable form. Asset registers go stale within weeks of being compiled. Spreadsheets contain gaps where devices were never recorded in the first place. Meanwhile, shadow IT brings in devices and applications that bypass official procurement and never make it onto any list. So, when a vulnerability announcement triggers the 14-day clock, teams could spend most of that time hunting for affected systems instead of patching them, and by the time they’ve built a complete picture, the window has closed.

Poor asset visibility turns the 14-day requirement into a compliance failure waiting to happen. Without knowing what you have, where it lives and what state it’s in, you’re left guessing which systems need attention.

Indeed, the new rule demands continuous visibility, not periodic audits carried out when someone remembers. Patching processes that work well for managed devices fall apart when faced with the unknown ones: laptops that haven’t checked in for weeks, forgotten virtual machines spun up for a project last year, and contractor devices accessing systems under BYOD policies. These are the blind spots where vulnerabilities hide, and where attackers look first.

MFA and the cloud services blind spot

Mandatory multi-factor authentication for all cloud services addresses another major weakness. On the surface, enabling MFA looks straightforward: tick the box, job done. In reality, the requirement highlights how little visibility many organisations have into their cloud attack surface.

Cloud services proliferate differently to traditional IT infrastructure. Employees sign up for SaaS applications using work email addresses, or departments adopt new tools without going through the official procurement processes. Free trials turn into paid subscriptions that nobody tracks and that then disappear under the radar. Each service represents an account, and each account is a potential entry point.

The updated MFA requirement presents what may seem like some uncomfortable questions. Which cloud services are we using? Who has access? Are accounts tied to current employees or people who left months ago? Do we have the administrative access needed to enforce MFA everywhere, or have we lost control of informally set-up accounts?

Implementing mandatory MFA becomes an exercise in discovery for organisations with poor visibility. Compile a list of services, realise it’s incomplete, reach out to departments and find tools you didn’t know existed. Review access logs and discover unidentified accounts. Only then can you enable MFA where it needs to be. Without visibility into your cloud estate, you can’t manage access policies, monitor suspicious activity or control how data is stored and shared. The MFA requirement makes this blind spot impossible to ignore.

Asset visibility as the foundation

Both the 14-day patching rule and the mandatory MFA requirement depend on knowing what you’re protecting. Every device, account and service needs to be identified, categorised and monitored. Assets change constantly: new devices connect to 365 or G-suite, software gets updated or replaced, and cloud services are adopted and abandoned.
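As an added illustration (not part of the original article and not any vendor's code), the Python example below shows the two checks the article describes: matching an advisory against the inventory while the 14-day clock runs, and listing the MFA gaps a cloud discovery exercise turns up. All hosts, packages, accounts and dates are constructed, and the 21-day staleness threshold and dotted numeric version format are assumptions.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # window length as stated in the article
STALE_AFTER = timedelta(days=21)    # assumption: "weeks" without a check-in

# Constructed sample data, not taken from any real estate.
INVENTORY = [
    {"host": "lap-001", "pkg": "examplevpn", "ver": "2.3.1", "last_seen": date(2026, 5, 11)},
    {"host": "lap-002", "pkg": "examplevpn", "ver": "2.4.0", "last_seen": date(2026, 5, 12)},
    {"host": "vm-proj7", "pkg": "examplevpn", "ver": "2.3.1", "last_seen": date(2026, 3, 2)},
]
ADVISORY = {"pkg": "examplevpn", "fixed_in": "2.4.0", "announced": date(2026, 5, 5)}
APPROVED_SERVICES = {"mail", "crm"}
CURRENT_STAFF = {"asha", "ben"}
CLOUD_ACCOUNTS = [
    {"service": "mail", "user": "asha", "mfa": True},
    {"service": "crm", "user": "ben", "mfa": False},
    {"service": "crm", "user": "carl", "mfa": True},        # no longer on staff
    {"service": "filedrop", "user": "asha", "mfa": False},  # never procured
]

def _ver(v):
    """Parse a dotted numeric version so comparisons are not lexical."""
    return tuple(int(p) for p in v.split("."))

def patch_triage(inventory, advisory, today):
    """Split hosts into confirmed-vulnerable and stale (state unknown)."""
    deadline = advisory["announced"] + PATCH_WINDOW
    vulnerable, stale = [], []
    for a in inventory:
        if a["pkg"] != advisory["pkg"]:
            continue
        if today - a["last_seen"] > STALE_AFTER:
            stale.append(a["host"])      # record too old to trust either way
        elif _ver(a["ver"]) < _ver(advisory["fixed_in"]):
            vulnerable.append(a["host"])
    return {"deadline": deadline, "days_left": (deadline - today).days,
            "vulnerable": vulnerable, "stale": stale}

def mfa_gaps(accounts, approved, staff):
    """Report accounts without MFA, unlisted services and leaver accounts."""
    return {
        "no_mfa": sorted((a["service"], a["user"]) for a in accounts if not a["mfa"]),
        "unapproved_services": sorted({a["service"] for a in accounts} - approved),
        "orphaned": sorted((a["service"], a["user"]) for a in accounts if a["user"] not in staff),
    }

if __name__ == "__main__":
    print(patch_triage(INVENTORY, ADVISORY, date(2026, 5, 13)))
    print(mfa_gaps(CLOUD_ACCOUNTS, APPROVED_SERVICES, CURRENT_STAFF))
```

The stale bucket is the one to watch: a host that has not reported recently is neither confirmed patched nor confirmed vulnerable, so it has to be located before the deadline rather than assumed safe.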

Organisations that have neglected asset visibility face a gap that can feel overwhelming, but the tools exist to solve this problem. Cyber asset attack surface management platforms provide continuous visibility across on-premise and cloud environments in real time by identifying devices, software and services as they appear. This turns compliance from a reactive scramble into something manageable and ongoing.

Cyber Essentials hasn’t become harder because threats are more sophisticated. The basics have always mattered. These updates place a spotlight on asset visibility because this is what underpins everything else.
