- From 27 April 2026, version 3.3 of the Cyber Essentials scheme will go live.
- New requirements introduced.
- Existing requirements clarified.
Cyber Essentials is a vital part of the UK’s national cyber security strategy. It helps organisations protect themselves from the most common cyber threats. For small and medium-sized enterprises (SMEs), it is also a practical way to demonstrate security maturity to clients and partners.
In this post, we’ll break down what’s changing and how you can prepare.
Why Cyber Essentials Matters More Than Ever
Cyber threats are evolving fast. Attackers are using AI to exploit weaknesses faster than ever before. The National Cyber Security Centre (NCSC) has warned of a growing “cyber security digital divide” between organisations that can defend against these threats and those that cannot.
Cyber Essentials helps bridge that gap. It ensures your business has the right controls in place to protect against phishing, malware, and unauthorised access. It also gives your customers confidence that you take security seriously.
With version 3.3, the scheme is becoming even more relevant to today’s threat landscape.
Key Changes in Cyber Essentials v3.3
The April 2026 update brings several important changes. While some are clarifications, others are significant shifts in how compliance is assessed.
Let’s look at the most important updates:
1. Multi-Factor Authentication (MFA) Is Now Mandatory
From April 2026, MFA is required on every cloud service that supports it. If a service offers MFA at all, even as a paid add-on, you must enable it; failing to do so is an automatic failure of your assessment.
This change reflects the growing importance of MFA in preventing account takeover. It is one of the most effective ways to stop unauthorised access, because a stolen or guessed password alone is no longer enough to sign in.
Action: Inventory all your cloud services and ensure MFA is enforced, not merely available, for every user account, including administrator accounts.
2. Cloud Services Can No Longer Be Excluded
Cyber Essentials v3.3 introduces a formal definition of “cloud service.” It also makes it clear that cloud services cannot be excluded from your assessment scope.
If your business uses cloud platforms to store or process data, those platforms must be secured and included in your certification.
Action: Audit your cloud usage. Include services like Microsoft 365, Google Workspace, Dropbox, and any Software as a Service (SaaS) tools.
3. Updated Scoping Rules for Devices and Networks
The new version removes vague terms such as “untrusted” and “user-initiated” connections. Instead, it defines scope based on internet connectivity.
Any device or service that connects to the internet, or controls the flow of data to or from the internet, is in scope. Anything you exclude must be justified, and you must show how it is isolated from the in-scope network (for example as a separate sub-set segregated by a firewall or VLAN).
Action: Map your network. Identify all internet-connected devices and ensure they meet the required controls.
4. Application Development and Secure Coding
The “Web Applications” section is now called “Application Development.” It points to the UK Government’s Software Security Code of Practice.
While custom-built applications remain out of scope for the assessment, the guidance encourages secure development practices. This includes code review, timely patching of dependencies, and secure deployment.
Action: If you develop software, align your practices with the Software Security Code of Practice.
5. Emphasis on Backups and Passwordless Authentication
Backups are now highlighted earlier in the requirements. This change reflects their importance in recovering from ransomware and other incidents.
The update also promotes passwordless authentication methods like passkeys and FIDO2 security keys. While not mandatory, they are encouraged as a future standard.
Action: Review your backup strategy and explore passwordless login options for key systems. We discuss passwordless technology in this blog post.
How to Prepare for Cyber Essentials v3.3
Here’s a checklist to help your organisation get ready for the April 2026 update:
✅ Enable MFA on all cloud services
✅ Include all cloud platforms in your assessment scope
✅ Review and document your network and device scoping
✅ Align any development practices with secure coding standards
✅ Ensure robust, tested backups are in place
✅ Explore passwordless authentication for key users
Start preparing now to avoid last-minute surprises. The earlier you act, the smoother your next assessment will be.
Final Thoughts: Lead with Security
Cyber Essentials v3.3 is more than a compliance update. It’s a signal that cyber security is no longer optional. For smaller organisations, it’s a chance to strengthen defences, build trust, and stay competitive.
By embracing the new requirements, you’re not just ticking boxes—you’re protecting your business from real threats. Make Cyber Essentials part of your 2026 strategy and lead with confidence.
Cyber & Data Protection can assess your organisation for Cyber Essentials. Get in touch with us now for more information.
Contact Cyber & Data Protection to discover how our tailored training, cyber security and data protection packages, and extensive Cyber Essentials and virtual CISO services can keep your business ahead of the game, help you navigate the likely cyber threats in 2026 and maintain compliance.
📧 Email: [email protected]
📞 Call: +44 1743 644404