Cyber Essentials v3.3: What the April 2026 Update Means for Your Organisation
News and information from the Advent IM team.
The UK’s Cyber Essentials scheme is about to undergo one of its most significant evolutions in years. From 27 April 2026, all new Cyber Essentials and Cyber Essentials Plus assessments will be based on the updated Cyber Essentials v3.3 Requirements for IT Infrastructure, bringing clearer definitions, stricter security expectations, and a renewed focus on cloud‑first organisations.
For many businesses, these changes won’t just refine their security responsibilities — they will fundamentally reshape the way they prepare for certification.
Cloud Services: Fully In Scope
One of the most impactful updates is the requirement that all cloud services storing or processing organisational data must be included in scope. Previous versions allowed some ambiguity, but v3.3 removes any ability to exclude SaaS platforms, identity providers, or other online tools. If company data touches a cloud service, it must be assessed.
This change reflects the reality of today’s digitally distributed workplace, where cloud systems are often the backbone of business operations.
MFA: Now a Mandatory Pass/Fail Requirement
The most critical update for many organisations is that failing to enable Multi‑Factor Authentication is now an automatic fail condition. Under v3.3, if a cloud service offers MFA (whether free, included, or a paid‑for option), it must be switched on, or the assessment fails immediately.
This shift reflects the urgent need to combat password‑based attacks and aligns with the NCSC’s push towards stronger identity protection.
Stricter Scoping Rules for Devices and Networks
Cyber Essentials v3.3 also clarifies scoping rules by removing terms like “untrusted” or “user‑initiated”. The new rule is simple: if a device connects to the internet, inbound or outbound, it is in scope.
This eliminates grey areas around IoT, remote devices, and background‑task systems, making scoping more consistent but also potentially more demanding for organisations with diverse asset inventories.
Emphasis on Passwordless Authentication & Application Security
The update encourages the adoption of passwordless technologies such as passkeys, biometrics, and FIDO2 hardware authenticators. This is part of a wider industry move to phase out traditional passwords in favour of stronger, more user‑friendly methods.
Additionally, the expanded Application Development expectations align Cyber Essentials with the UK Government’s Software Security Code of Practice, requiring safer coding and better patch management for in‑scope applications.
A Higher Bar — But Better Protection
These changes aim to modernise the Cyber Essentials scheme so it reflects today’s hybrid, cloud‑first business environment. Organisations should expect more detailed evidence requirements, particularly for cloud environments and identity management. Completing CE before April 2026 allows businesses to certify under the current, less stringent standard.
We Can Help
As a leading independent cyber security consultancy, we support organisations across sectors in preparing for Cyber Essentials and Cyber Essentials Plus assessments — including scoping, evidence preparation, gap analysis, and technical uplift.
With the v3.3 update just around the corner, now is the perfect time to review your readiness.