From 27 April 2026, significant operational updates to the UK’s Cyber Essentials scheme will come into force. While the five core technical controls remain unchanged, the way they are assessed has tightened. Requirements are clearer, enforcement is stricter and ambiguity has been removed.
For SRA-regulated practices, these changes are particularly relevant. Although Cyber Essentials is not a mandatory regulatory requirement, the updated framework closely reflects the governance, risk management and data protection standards that law firms are already expected to maintain.
For firms holding or considering Cyber Essentials as part of a broader security strategy, preparation should begin now.
Why Cyber Essentials Matters for Law Firms
The SRA Codes of Conduct do not specifically require Cyber Essentials certification. However, they do impose clear obligations around risk management, governance and client data protection.
Section 2.5 of the Code of Conduct for Firms requires firms to:
“Identify, monitor and manage all material risks to your business.”
Cyber risk is undoubtedly a material risk in modern legal practice.
Section 2.1 further requires firms to:
“Have effective governance structures, arrangements, systems and controls in place.”
In addition, firms must comply with UK GDPR and protect personal data against unauthorised access, loss, destruction or damage.
The Law Society has repeatedly highlighted the vulnerability of law firms to cyber crime. Legal practices hold highly sensitive information, including client identities, banking details, transaction funds and confidential documents, making them consistent targets for phishing, ransomware and account compromise.
In this context, Cyber Essentials for law firms provides a structured, government-backed baseline for demonstrating effective cyber governance.
What Is Changing in April 2026?
The April 2026 update introduces a new question set (known as Danzell) and tighter marking criteria. The five core control areas remain:
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Security update management
However, assessment requirements are now more precise, particularly in the following areas.
1. The 14-Day Patch Requirement
All critical and high-risk security updates must be applied within 14 days of release.
This applies to:
- Operating systems
- Applications and extensions
- Routers and firewalls
- Network devices
Failure to meet this requirement will result in automatic assessment failure.
For law firms, this aligns directly with SRA expectations around managing material risks. Unpatched vulnerabilities represent known and preventable risks to client data. Informal patching cycles or delayed updates are no longer defensible under the scheme.
Structured, automated and documented patch management processes are essential.
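One way to turn the 14-day rule into a repeatable check, as an added example that is not part of the original article or the scheme's own tooling. It applies the deadline to a constructed inventory of assets and updates (asset names, update identifiers and dates are invented) and separates updates that are still within the window from those that are overdue, which is the condition the text describes as an automatic failure.

```python
"""Added example: apply the Cyber Essentials 14-day patch window to an
asset/update inventory. All asset names, update ids and dates below are
constructed sample data, not real systems."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW_DAYS = 14                      # deadline stated by the scheme
IN_SCOPE_SEVERITIES = {"critical", "high"}  # only these carry the 14-day rule


@dataclass(frozen=True)
class PendingUpdate:
    asset: str             # hostname or device label (constructed)
    asset_class: str       # "os", "application", "router", "network"
    update_id: str         # hypothetical vendor identifier
    severity: str          # vendor rating, e.g. "critical", "high", "low"
    released: date         # vendor release date, which starts the 14-day clock
    installed: Optional[date]  # None if the update has not been applied yet


def deadline_for(update: PendingUpdate) -> date:
    """Last day on which the update can be applied and still be compliant."""
    return update.released + timedelta(days=PATCH_WINDOW_DAYS)


def classify(update: PendingUpdate, today: date) -> str:
    """Map one update to a compliance status.

    overdue        - not installed and the 14-day window has passed (fails assessment)
    pending        - not installed but still inside the window
    compliant      - installed on or before the deadline
    installed_late - installed, but after the deadline (evidence of a process gap)
    outside_14_day_rule - lower severity; not subject to the 14-day deadline
    """
    if update.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "outside_14_day_rule"
    deadline = deadline_for(update)
    if update.installed is not None:
        return "compliant" if update.installed <= deadline else "installed_late"
    return "overdue" if today > deadline else "pending"


def assess(updates: List[PendingUpdate], today: date) -> List[dict]:
    """Evaluate every update and return a flat list of findings."""
    findings = []
    for u in updates:
        findings.append({
            "asset": u.asset,
            "asset_class": u.asset_class,
            "update_id": u.update_id,
            "status": classify(u, today),
            "deadline": deadline_for(u),
            "days_left": (deadline_for(u) - today).days,  # negative when overdue
        })
    return findings


def passes_assessment(findings: List[dict]) -> bool:
    """The scheme fails the organisation if any in-scope update is overdue."""
    return not any(f["status"] == "overdue" for f in findings)


# Constructed sample inventory covering the asset classes the text lists.
SAMPLE_TODAY = date(2026, 5, 1)
SAMPLE_UPDATES = [
    PendingUpdate("fileserver-01", "os", "OS-2026-0410", "critical", date(2026, 4, 10), date(2026, 4, 20)),
    PendingUpdate("fw-edge", "router", "FW-2026-0405", "high", date(2026, 4, 5), None),
    PendingUpdate("ws-023", "application", "APP-2026-0425", "critical", date(2026, 4, 25), None),
    PendingUpdate("ws-023", "application", "APP-2026-0401", "low", date(2026, 4, 1), None),
    PendingUpdate("dms-app", "application", "APP-2026-0401b", "critical", date(2026, 4, 1), date(2026, 4, 20)),
]

if __name__ == "__main__":
    results = assess(SAMPLE_UPDATES, SAMPLE_TODAY)
    for f in results:
        print(f"{f['asset']:14} {f['update_id']:15} {f['status']:20} deadline {f['deadline']} ({f['days_left']:+d} days)")
    print("Assessment result:", "PASS" if passes_assessment(results) else "FAIL (overdue updates present)")
```

The release date, not the date the firm noticed the update, starts the clock, so the inventory feeding a check like this has to record vendor release dates. The `installed_late` status does not fail the current assessment but is worth reporting, because it shows where the process would have failed had the assessor looked at that point.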
2. Mandatory Multi-Factor Authentication (MFA)
From April 2026, MFA is mandatory for all cloud services where it is available.
This includes Microsoft 365, Azure, Google Workspace and most cloud-based case management platforms. Partial implementation is not sufficient.
Given the prevalence of email-based fraud and account compromise in the legal sector, particularly in conveyancing and financial transactions, strong authentication is critical.
The Law Society identifies weak passwords and poor access controls as common vulnerabilities. MFA significantly reduces the risk of unauthorised access and is now considered baseline security rather than enhanced protection.
For firms reviewing Cyber Essentials for law firms, full MFA coverage should be treated as a priority.
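A way to measure "full MFA coverage" rather than assert it, added here as an example that is not part of the original article. It takes a constructed export of cloud services and the accounts on each (service names, usernames and MFA flags are invented) and reports, per service, whether coverage is full, partial or absent, treating services that do not offer MFA as needing a separate review rather than as failures, since the requirement applies where MFA is available.

```python
"""Added example: report MFA coverage per cloud service from an account export.
Service names, usernames and flags are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CloudAccount:
    service: str        # cloud service the account belongs to (constructed)
    user: str           # username (constructed)
    mfa_enforced: bool  # True if MFA is registered and required at sign-in
    privileged: bool    # admin / global-admin style role


# Constructed scope: which services are in use and whether each offers MFA.
SAMPLE_SERVICES: Dict[str, bool] = {
    "m365": True,                 # Microsoft 365: MFA available
    "case-management": True,      # hypothetical cloud case management platform
    "legacy-time-portal": False,  # hypothetical supplier portal with no MFA option
}

# Constructed account export for those services.
SAMPLE_ACCOUNTS: List[CloudAccount] = [
    CloudAccount("m365", "a.partner", True, True),
    CloudAccount("m365", "b.fee-earner", True, False),
    CloudAccount("m365", "c.admin", False, True),          # privileged account without MFA
    CloudAccount("case-management", "a.partner", True, False),
    CloudAccount("case-management", "b.fee-earner", True, False),
    CloudAccount("legacy-time-portal", "b.fee-earner", False, False),
]


def mfa_coverage(services: Dict[str, bool], accounts: List[CloudAccount]) -> Dict[str, dict]:
    """Return one entry per service with coverage figures and a status of
    full / partial / none / mfa_unavailable."""
    report: Dict[str, dict] = {}
    for name, available in services.items():
        members = [a for a in accounts if a.service == name]
        covered = [a for a in members if a.mfa_enforced]
        missing = sorted(a.user for a in members if not a.mfa_enforced)
        if not available:
            status = "mfa_unavailable"   # review compensating controls / supplier roadmap
        elif members and len(covered) == len(members):
            status = "full"
        elif covered:
            status = "partial"           # the case the scheme explicitly does not accept
        else:
            status = "none"
        report[name] = {
            "status": status,
            "total": len(members),
            "with_mfa": len(covered),
            "missing": missing,
        }
    return report


def privileged_gaps(accounts: List[CloudAccount]) -> List[Tuple[str, str]]:
    """Privileged accounts without MFA, listed first because they carry the most risk."""
    return [(a.service, a.user) for a in accounts if a.privileged and not a.mfa_enforced]


def is_compliant(report: Dict[str, dict]) -> bool:
    """Every service where MFA is available must have full coverage."""
    return all(r["status"] in ("full", "mfa_unavailable") for r in report.values())


if __name__ == "__main__":
    rep = mfa_coverage(SAMPLE_SERVICES, SAMPLE_ACCOUNTS)
    for svc, r in rep.items():
        print(f"{svc:20} {r['status']:16} {r['with_mfa']}/{r['total']} missing={r['missing']}")
    print("Privileged gaps:", privileged_gaps(SAMPLE_ACCOUNTS))
    print("MFA requirement met:", is_compliant(rep))
```

In practice the account export would come from each provider's admin console or API rather than a hand-written list; the useful part of the check is the per-service "partial" status, which is exactly the condition a firm can overlook when MFA has been rolled out to most, but not all, users.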
3. Cloud Services Fully in Scope
For the first time, Cyber Essentials formally defines cloud services and makes clear they cannot be excluded from assessment scope.
Any cloud service storing or processing organisational data must be included. This includes:
- Cloud-hosted case management systems
- Document management platforms
- Finance and HR systems
- Identity and authentication services
While cloud providers may secure their infrastructure, responsibility for configuration and access control remains with the firm under the shared responsibility model.
From a regulatory perspective, outsourcing infrastructure does not remove accountability. SRA-regulated firms remain responsible for protecting client data, regardless of where it is hosted.
4. Clearer Scope and Governance Requirements
The updated scheme requires firms to clearly define:
- What systems are in scope
- Which legal entities are included
- How excluded systems are segregated
This emphasis on documentation aligns with regulatory expectations around governance structures and internal controls.
For COLPs and compliance officers, clarity of scope reduces risk and strengthens defensibility in the event of regulatory scrutiny.
Maintaining Competence and Training
The SRA Code of Conduct also requires firms to ensure managers and employees remain competent and keep professional knowledge up to date.
Cyber security awareness is therefore part of professional competence.
The Law Society recommends:
- Training staff to recognise phishing
- Implementing secure password practices
- Managing remote working risks
- Avoiding insecure devices and unsafe applications
Technology controls alone are insufficient. People remain a critical component of effective cyber resilience.
When Things Go Wrong
If a breach occurs, firms have clear regulatory obligations.
The SRA requires transparency with affected clients and prompt reporting of serious breaches. Firms may also need to notify:
- The Information Commissioner’s Office (ICO)
- Their Professional Indemnity Insurer
- Relevant regulatory bodies
Having documented controls, risk assessments and structured governance processes in place helps demonstrate that reasonable steps were taken to manage risk.
This is where Cyber Essentials for law firms can support a defensible compliance position.
Preparing for April 2026
Existing certificates remain valid until expiry. However, any renewal after 27 April 2026 will be assessed against the updated requirements.
Law firms should now:
- Review patch management processes for 14-day compliance
- Confirm MFA is enabled across all cloud services
- Map and document all systems in scope
- Conduct a formal cyber risk assessment
- Assign clear governance responsibility for cyber security
Preparation well in advance of renewal reduces the risk of delays or failed assessments.
Final Thoughts
Cyber Essentials is not mandated by the SRA. However, the April 2026 updates bring the scheme closer to the standards regulators already expect from modern legal practices.
For law firms handling sensitive client data, security must be measurable, documented and consistently enforced. Cyber Essentials for law firms provides a structured framework for demonstrating effective risk management and governance.
If your firm is reviewing certification, planning a renewal, or strengthening its cyber security in line with SRA expectations, specialist support can make the process clearer and more efficient. As managed IT specialists for law firms, we work exclusively with the legal sector to align technical controls with regulatory obligations, ensuring security is both practical and compliant.