
Cyber Essentials

Cyber Essentials v3.3 comes into force on 27 April 2026, bringing the most significant technical changes in several years and introducing a new auto-fail rule for Multi-Factor Authentication that will catch organisations by surprise if they are not prepared.
This article explains what changes at renewal under v3.3, who is affected and when, and whether renewing before the 27 April deadline makes sense for your organisation.
Your Cyber Essentials certificate is valid for 12 months from the date it was issued. At renewal, you go through the assessment process again: the self-assessment questionnaire for Basic, the full technical audit for Plus, or both.
What changes in 2026 is which version of the requirements your renewal is assessed against. That depends entirely on one date: 27 April 2026.
The date your assessment account is created is the determining factor, not the date you submit your assessment or receive your certificate.
If your renewal falls under v3.3, three changes are most likely to affect you.
Under v3.3, if any cloud service in scope offers Multi-Factor Authentication (MFA) and you have not enabled it for all users, your assessment fails immediately. There is no opportunity to remediate within the assessment cycle.
V3.3 formally defines cloud services and makes clear that any cloud tool used to store or process business data is in scope for your assessment. If your organisation has historically excluded cloud tools from its certification scope, that approach is no longer valid at renewal.
V3.3 introduces a new self-assessment questionnaire called Danzell (v3.3), replacing the current Willow (v3.2) set. Expect more granular questions around your cloud service inventory, MFA implementation and patching evidence.
“The gap we’re finding most often isn’t that organisations don’t have Multi-Factor Authentication. The issue is that organisations have enabled it for standard accounts but missed service accounts, shared mailboxes, or legacy integrations. Under v3.3, any of those would be an automatic fail.”
Jonathan Krause, Founder and Head Assessor, Forensic Control
For a full breakdown of every v3.3 change, see our Cyber Essentials v3.3 April 2026 update.
For some organisations, renewing before the deadline is the right call. For others, it makes no practical difference. The decision comes down to one question: are you currently MFA-compliant across all cloud services?
No. Forensic Control’s Cyber Essentials renewal pricing is unchanged:
| Certification | Renewal price |
| --- | --- |
| Cyber Essentials Basic | From £450 per year |
| Cyber Essentials Plus | From £1,350 per year, includes 12 months vulnerability scanning at no extra cost |
| Cyber Essentials Duo | From £1,800 per year (Basic + Plus bundle) |
V3.3 does not affect certification fees.
In addition to your standard preparation for certification (ensuring all applications and operating systems are running the latest updates, checking that your answers from last year are still applicable, etc.), there are some additional areas you need to review. If your renewal falls after 27 April, the following preparation can make the difference between a smooth renewal and a failed assessment.
Map every cloud tool your team accesses with business credentials. For each one, confirm whether MFA is available and whether it is enabled for every user without exception. This is the single most important preparation step.
V3.3 broadens what counts as a vulnerability fix. Registry edits, configuration changes and scripts now count alongside software patches. If your patching process is informal or undocumented, you will need an auditable record before your Plus assessment.
If your previous certification excluded any cloud services, review that decision. Under v3.3, exclusions require documented justification and technical segregation evidence.
Beyond MFA, administrator accounts are among the most common areas of non-compliance we see at assessment. The question is not just whether you have them, but how they are allocated and how they are actually used day to day.
“Beyond MFA, the most consistent area of non-compliance we see at assessment is around administrator accounts: specifically how they’re allocated and how they’re actually used day to day. We’re surprised how many applicants tell us they don’t have any administrator accounts because these are handled by their IT supplier. Every administrator account, whether used by internal staff or external suppliers, needs to be addressed by the administrator questions at A7.x in Cyber Essentials.”
Jonathan Krause, Founder and Head Assessor, Forensic Control
For Cyber Essentials Plus & Duo clients: Forensic Control’s included vulnerability scanning service provides continuous monitoring and a documented fix timeline. That is exactly the evidence trail v3.3 assessors will look for. Most CE Plus providers charge separately for this, or do not offer it at all.
V3.3 signals a clear direction toward passwordless authentication. Passkeys and FIDO2 hardware keys are now explicitly encouraged within the scheme, though not yet required.
If you are making authentication infrastructure decisions now, it is worth building toward FIDO2-compatible systems rather than older MFA methods such as SMS codes, which may face tighter scrutiny in future updates.
Yes, if your renewal falls under v3.3. If a cloud service offers MFA and you have not enabled it for all users, your assessment fails automatically with no opportunity to remediate within that cycle. This applies to every cloud service in scope, including Microsoft 365, Google Workspace, Salesforce and similar tools.
Your renewal changes if your assessment account is created on or after 27 April 2026. Accounts created before that date are assessed under v3.2 Willow requirements, even if the assessment is completed after the deadline. The creation date of your account determines which version applies.
Renewal pricing is unchanged under v3.3. Cyber Essentials Basic renews from £450 per year, Cyber Essentials Plus from £1,350 per year including 12 months of vulnerability scanning, and Cyber Essentials Duo from £1,800 per year. Forensic Control does not charge for resubmissions.
Danzell is the new self-assessment questionnaire that replaces the Willow set from 27 April 2026. It reflects the v3.3 requirement changes, with more detailed questions around cloud services, MFA and patching evidence. If you have completed Willow previously, expect Danzell to be more granular in these areas.
Yes. If your assessment fails under v3.3, you address the non-conformities and resubmit. Forensic Control does not charge for resubmissions and our assessors will guide you through any gaps at no additional cost. MFA failures are typically straightforward to resolve once the affected services are identified.
The clearest indicator is whether MFA is fully enforced across every cloud service in scope. Use our free Cyber Essentials Quick Check Tool to identify gaps before your renewal assessment, or contact our team for a pre-renewal conversation.