Clarifying MFA Requirements and Paid Option Implications in Upcoming Cyber Essentials Changes

·Apr 20, 2026 11:46 AM·

Hi all, quick question on the upcoming Cyber Essentials changes, specifically around MFA 🔐 I understand MFA is already required, but the updated wording seems stricter:

“Where MFA is available for a cloud service whether free, included, via integration, or offered as a paid option, and MFA is not implemented, this would result in an automatic failure.”

I’m trying to clarify what “offered as a paid option” really means in practice. Does this imply organisations are expected to upgrade to higher-tier plans purely to enable MFA? In a lot of cases, MFA isn’t included in standard plans and requires a fairly significant cost jump to access it. It would be useful to understand whether that scenario is now effectively mandatory under CE. Appreciate any insight from anyone who’s looked into this, thanks!

2 comments