The updated requirements place greater emphasis on multi-factor authentication and bring cloud services clearly into scope. If your golf club is certified — or considering certification — it’s important to understand what’s changing and how it may affect your next assessment.
From 27 April 2026, all new Cyber Essentials assessments will be conducted under the updated requirements (version 3.3). While this isn’t a complete overhaul of the scheme, it does tighten expectations in several key areas.
For golf clubs, the changes are more about clarity and consistency than introducing brand-new controls.
Multi-Factor Authentication Becomes Mandatory Where Available
Under the updated requirements, if a cloud service supports Multi-Factor Authentication (MFA), it must be enabled. Failure to do so will result in a failed assessment.
For clubs using Microsoft 365, booking systems, or cloud-based finance platforms, this will be particularly relevant.
The updated guidance removes ambiguity around cloud platforms. If your club uses cloud services for email, tee bookings, accounting, CRM, or payment processing, they are within scope of the assessment.
This reflects the reality that most golf clubs now operate in a cloud-first environment.
The terminology around what counts as in-scope IT infrastructure has been clarified. This includes devices used for remote access and administrative functions.
For clubs, this means greater clarity around which systems and users must be included in certification.
The updated version aims to ensure assessments are applied consistently across organisations.
This reduces grey areas and makes expectations clearer for clubs preparing for certification.
In practical terms, the 2026 updates reinforce good baseline security:
MFA enabled on all supported systems
Clear visibility of devices and users
Cloud platforms properly included in scope
Structured access control
The scheme remains a baseline standard — but one that reflects modern working practices.
If your club is already certified, it’s worth reviewing your current controls against the updated expectations well before your next renewal date.
If you’re considering Cyber Essentials for the first time, understanding the 2026 requirements now will make the process smoother.
Cyber Essentials continues to provide a clear, recognised benchmark for golf clubs seeking structure, assurance and resilience.
If you’d like help with anything covered in this blog — or any other cyber security concern at your club — you can book a free, no-obligation chat with me anytime.