TL;DR: Cyber Essentials 2026 will widen compliance scope to any cloud service accessed with a business email or account, and require MFA to be enforced wherever it is available, according to Push Security. The shift exposes shadow apps, ghost logins, and incomplete app visibility as governance failures, not just audit issues.
NHIMG editorial — based on content published by Push Security: Cyber Essentials 2026 changes and what they mean for cloud access governance
Questions worth separating out
Q: How should security teams handle SaaS apps that users access outside SSO?
A: Treat them as in-scope identity assets, not exceptions.
Q: Why do ghost logins create risk even when SSO is protected by MFA?
A: Because the secure SSO route does not eliminate the weaker local route.
Q: What breaks when auditors find an app you did not know existed?
A: Your attestation evidence breaks first, because you can no longer prove the full in-scope population.
Practitioner guidance
- Map real SaaS usage against the certification boundary. Capture browser-observed app usage, then reconcile it with your declared in-scope cloud list.
- Eliminate duplicate login paths where SSO is mandatory. Identify accounts that still allow local passwords alongside federated access, then remove the weaker path or force the stronger one.
- Validate MFA at the application layer, not just the IdP. Check whether each SaaS service enforces MFA for every user, every subscription tier, and every login method.
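The three checks above can be run as one reconciliation pass over a login inventory. The following is an added example, not code from Push Security or from this post; the record fields (`user`, `app`, `method`, `mfa`), the app names and the sample data are all constructed assumptions, and `mfa` is assumed to mean MFA was enforced by the application for that login method. Subscription tier is not modeled.

```python
from collections import defaultdict

# Constructed sample data (not from Push Security or any real tenant).
# Each record is one browser-observed login made with a business account.
OBSERVED = [
    {"user": "ana@example.com", "app": "crm", "method": "sso", "mfa": True},
    {"user": "ana@example.com", "app": "crm", "method": "password", "mfa": False},
    {"user": "ben@example.com", "app": "crm", "method": "sso", "mfa": True},
    {"user": "ben@example.com", "app": "notes", "method": "password", "mfa": False},
    {"user": "cy@example.com", "app": "wiki", "method": "password", "mfa": True},
]
# Hypothetical list of cloud services declared in scope for certification.
DECLARED_SCOPE = {"crm", "wiki", "payroll"}


def reconcile(observed, declared):
    """Compare observed logins with the declared scope and return the gaps."""
    methods = defaultdict(set)  # (user, app) -> login methods seen
    no_mfa = set()              # (app, user, method) seen without MFA
    seen_apps = set()
    for rec in observed:
        methods[(rec["user"], rec["app"])].add(rec["method"])
        seen_apps.add(rec["app"])
        if not rec["mfa"]:
            no_mfa.add((rec["app"], rec["user"], rec["method"]))
    return {
        # Used with a business account but missing from the declared list.
        "shadow_apps": sorted(seen_apps - declared),
        # Declared but never observed: stale entry or a visibility gap.
        "declared_unobserved": sorted(declared - seen_apps),
        # Same user reaches the same app by SSO and by a local password.
        "ghost_logins": sorted(
            key for key, seen in methods.items() if {"sso", "password"} <= seen
        ),
        # Checked per login method, so a protected SSO route does not
        # hide an unprotected local route to the same app.
        "mfa_gaps": sorted(no_mfa),
    }


if __name__ == "__main__":
    for name, items in reconcile(OBSERVED, DECLARED_SCOPE).items():
        print(f"{name}: {items}")
```
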
What's in the full article
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- Browser-based discovery logic for finding self-adopted SaaS apps and hidden login paths
- How Push identifies MFA status at both the IdP and local application level
- What its browser agent checks for weak, breached, and reused passwords
- How contractor deployment works in a dedicated browser profile without managed endpoints