Cyber Essentials 2026: v3.3 Changes You Need to Know
Cyber Essentials v3.3 introduces stricter MFA, password, and cloud security requirements. Here is what changed and how to prepare for certification.
Nerdster Team
28 January 2026
Cyber Essentials remains the UK government’s baseline cybersecurity certification, and with the v3.3 update now in effect, the bar has been raised again. If your organisation holds Cyber Essentials or Cyber Essentials Plus — or you are pursuing certification for the first time — here is what has changed and what it means in practice.
What Is New in Cyber Essentials v3.3
The National Cyber Security Centre (NCSC) updates the Cyber Essentials requirements annually. The v3.3 release, effective from January 2026, focuses on closing gaps that attackers have been exploiting in certified organisations. The headline changes are:
Mandatory MFA Across All Cloud Services
Previous versions required multi-factor authentication (MFA) for cloud services where it was available. Version 3.3 removes the ambiguity: MFA is now mandatory for every cloud service that stores, processes, or transmits organisational data. This includes SaaS applications, cloud storage, and any web-based platform employees use for work.
The practical impact is significant. Many organisations had MFA enabled on Microsoft 365 and their core line-of-business applications but overlooked secondary tools — project management software, CRM platforms, accounting systems, or file sharing services. Under v3.3, every one of these needs MFA enabled.
Stronger Password Requirements
The minimum password length has increased from 8 to 12 characters for all user accounts. Where MFA is not technically possible (which should now be a rare exception), passwords must be at least 14 characters. Password policies must also prevent the use of the most commonly breached passwords, using a blocklist approach.
Cloud Configuration Accountability
Version 3.3 makes it explicit that organisations are responsible for the secure configuration of their cloud services, not just their on-premises infrastructure. This includes:
- Ensuring default admin accounts are secured or disabled
- Reviewing and restricting user permissions to the minimum necessary
- Configuring cloud storage to prevent unintended public access
- Enabling logging and audit trails where available
This was always implied, but v3.3 makes it a testable requirement for Cyber Essentials Plus assessments.
BYOD Clarification
Bring Your Own Device (BYOD) policies have been tightened. If personal devices access organisational data, they must either meet the full Cyber Essentials technical controls or access must be limited to a managed, sandboxed environment such as a virtual desktop or managed mobile application. Simply having a BYOD policy document is no longer sufficient — the technical controls must be demonstrable.
Expanded Scope for Home Workers
Home working infrastructure is now fully within scope. This means home routers, while not needing to be managed centrally, must meet minimum security requirements including changed default passwords and current firmware. Assessors will ask about this during Plus assessments.
Why These Changes Matter
Cyber Essentials certification is a contractual requirement for many government supply chain opportunities and is increasingly expected by private sector clients in financial services, legal, and professional services. The v3.3 changes reflect the reality that most breaches now exploit cloud misconfigurations, weak authentication, and unmanaged endpoints rather than traditional network perimeter vulnerabilities.
According to the NCSC’s 2025 Annual Review, 84% of UK cyber incidents affecting small and medium businesses involved at least one of: missing MFA, weak passwords, or misconfigured cloud services. The v3.3 requirements directly target all three.
A Practical Preparation Checklist
If your certification renewal is approaching, work through this list with your IT team or provider:
MFA audit:
- Inventory every cloud service used by your organisation
- Confirm MFA is enabled for all user accounts on every service
- Migrate any services that do not support MFA to alternatives that do
Password policy update:
- Set minimum password length to 12 characters (14 where MFA is unavailable)
- Implement a breached password blocklist (Microsoft Entra ID and most modern directory services support this natively)
- Disable legacy authentication protocols that bypass MFA
Cloud configuration review:
- Audit admin accounts across all cloud platforms
- Review sharing and access permissions on cloud storage
- Enable audit logging on Microsoft 365, Google Workspace, and other core platforms
- Check that no storage buckets or SharePoint sites are publicly accessible
Device management:
- Confirm all corporate devices are enrolled in your mobile device management (MDM) or endpoint management solution
- Establish technical controls for any BYOD access
- Document home working arrangements and minimum router security requirements
Patching:
- Confirm all operating systems and applications are patched within 14 days of critical updates (unchanged from v3.2 but frequently failed during assessments)
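To make the MFA audit, password policy and cloud configuration steps above concrete, here is an added example (not code from the article or from Nerdster) that runs the v3.3 checks over a constructed inventory; the inventory format, service names and the short breached-password blocklist are assumptions made up for the demo.

```python
"""Cyber Essentials v3.3 readiness checks over a constructed cloud inventory.
Added example, not from the original article; the inventory shape, service
names and blocklist below are assumptions made up for this demonstration."""

# Constructed inventory: one entry per cloud service the organisation uses,
# with per-account MFA status and two of the configuration checks from v3.3.
INVENTORY = [
    {"service": "Microsoft 365", "mfa_supported": True,
     "accounts": {"alice": True, "bob": True, "admin": True},
     "public_storage": False, "audit_logging": True},
    {"service": "CRM (example)", "mfa_supported": True,
     "accounts": {"alice": True, "bob": False},
     "public_storage": False, "audit_logging": False},
    {"service": "Legacy accounting tool", "mfa_supported": False,
     "accounts": {"finance": False},
     "public_storage": True, "audit_logging": False},
]

# Constructed stand-in for a real breached-password list (e.g. Entra's banned list).
COMMON_BREACHED = {"password", "welcome", "letmein", "qwerty"}


def audit(inventory):
    """Return (service, finding) pairs for every v3.3 gap in the inventory."""
    findings = []
    for svc in inventory:
        name = svc["service"]
        if not svc["mfa_supported"]:
            findings.append((name, "MFA unsupported: migrate to a service that supports it"))
        else:
            missing = sorted(u for u, on in svc["accounts"].items() if not on)
            if missing:
                findings.append((name, f"MFA not enabled for: {', '.join(missing)}"))
        if svc["public_storage"]:
            findings.append((name, "storage is publicly accessible"))
        if not svc["audit_logging"]:
            findings.append((name, "audit logging disabled"))
    return findings


def min_length(mfa_available):
    """v3.3 rule: 12 characters with MFA, 14 where MFA is not possible."""
    return 12 if mfa_available else 14


def check_password(password, mfa_available, blocklist=COMMON_BREACHED):
    """Apply the length rule, then a normalised blocklist lookup."""
    if len(password) < min_length(mfa_available):
        return False, f"shorter than {min_length(mfa_available)} characters"
    # Strip trailing digits/punctuation and fold common substitutions so that
    # a variant such as "P@ssw0rd1234!" still matches the blocklisted "password".
    folded = password.lower().rstrip("0123456789!")
    folded = folded.translate(str.maketrans("@$01345", "asoieas"))
    if folded in blocklist:
        return False, "matches a commonly breached password"
    return True, "ok"
```

Running `audit(INVENTORY)` on the constructed data reports nothing for Microsoft 365 and five findings across the other two services, which is the gap list an assessor would expect you to have closed before the Plus visit.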
The Certification Process
For standard Cyber Essentials, the process remains a self-assessment questionnaire verified by a licensed assessor. For Cyber Essentials Plus, an assessor conducts hands-on technical testing of your environment. The v3.3 changes mean Plus assessments will now include verification of MFA on a sample of cloud services and testing of cloud configuration controls.
Expect the Plus assessment to take slightly longer than in previous years as assessors work through the expanded scope.
How Nerdster Helps
We guide clients through Cyber Essentials and Cyber Essentials Plus certification from initial gap analysis through to successful assessment. Our managed IT service includes the MFA enforcement, password policies, cloud configuration, and endpoint management that v3.3 requires — so for our clients, meeting the new standard is simply part of the service.
If you are unsure whether your current setup meets v3.3 requirements, book a free IT assessment with Nerdster. We will identify the gaps and give you a clear path to certification.