Cyber Essentials is changing – is your organisation ready?

The annual update to Cyber Essentials applies to all assessments created after April 27th, 2026, and brings with it a number of key changes in the way organisations are assessed. From MFA and patching requirements to updated definitions and CE+ restrictions, find out what’s changed ahead of your assessment.

Key Changes in v3.3

Mandatory MFA on all cloud services – AUTOMATIC FAIL

While multi-factor authentication is already required by Cyber Essentials, the expectation has changed such that where cloud services have MFA available – regardless of whether it is free, included, or a paid add-on – it must be implemented. Not doing so will result in an automatic failure.

14-day patching now a requirement – AUTOMATIC FAIL

Critical and high-severity updates must now be applied within 14 days across your entire estate – including operating systems, applications, and firewall firmware. This has changed from a guideline to an automatic failure if the criteria are not met.

Cloud services have been formally defined, and cannot be excluded

Any service accessed using a business email or account is now in scope by default, including free-tier SaaS tools. Cloud services can no longer be excluded from the assessment scope.

Passwordless authentication recognised

The FIDO2 standard and passkeys are now recognised as valid – and encouraged – authentication methods. Biometrics, hardware tokens, and authenticator apps are all explicitly supported.

Scoping must be defensible

All exclusions from scope must be technically justified with evidence of segregation. Legal entities must be listed, while ambiguous terms like ‘untrusted connections’ have been removed.

These are just the headline changes

To find out more about what the new Cyber Essentials update means for your organisation, get in touch here

How we can help

Cyber Essentials assessment and advisory

Our in-house experts have helped over 100 clients successfully pass their Cyber Essentials certification. We assess your environment against the latest changes; identify gaps in MFA, patching, and scope; and provide clear remediation guidance – so you can certify without costly delays or resubmissions.

Managed Detection & Response

Our 24/7 MDR service provides continuous visibility of your vulnerability posture – addressing one of the biggest challenges in CE v3.3. We provide authenticated vulnerability scanning, real-time monitoring of patch status, and rapid threat containment. Our managed exposure analytics prioritise vulnerabilities by asset sensitivity and current threat intelligence, helping you meet the 14-day patch requirement across your entire estate – not just assessed devices.

MFA & identity readiness

Our team can audit every cloud service in use across your organisation, map MFA availability, and guide enforcement – including Microsoft 365, Entra ID, and shadow IT services. We help you move from discovery to compliance ahead of your assessment date, and can advise on adoption of passwordless authentication aligned to the new NCSC guidance.