

On 27th April 2026, the National Cyber Security Centre (NCSC) and IASME will officially launch Cyber Essentials v3.3.
While many annual updates are minor "housekeeping," v3.3 introduces some of the most significant changes to marking criteria we have seen in years. If you are planning to certify or renew after April, it’s essential to understand what’s changing, because in some cases, getting it wrong could lead to an automatic failure.
Here is everything you need to know about the v3.3 requirements and how to prepare.
The headline change in v3.3 is the zero-tolerance approach to Multi-Factor Authentication (MFA).
Under previous versions, there was some ambiguity around when MFA was strictly required. In v3.3, that ambiguity is gone.
If your organisation uses a cloud service that offers MFA and it isn’t enabled, the assessment will result in an automatic failure.
Forensic Control Summary: If MFA exists, you must use it to protect organisational accounts and data.
For the first time, the NCSC has provided a formal definition of a Cloud Service:
Any on-demand, scalable service hosted on shared infrastructure and accessed via the internet.
More importantly, v3.3 states cloud services can no longer be excluded from the scope.
If your organisation uses business credentials to access a service that stores or processes your data (think SaaS like Microsoft 365, Slack, or Trello), it is in scope. You can no longer pick and choose which parts of your cloud infrastructure you want to be assessed.
Forensic Control Summary: You can no longer choose which cloud tools “count”. If you use them, they’re in scope.
The update has removed the terms ‘untrusted’ and ‘user-initiated’ from the scoping criteria.
The new rule is simpler: if a device is connected to the internet, whether it’s accepting inbound connections or making outbound ones, it’s in scope. This eliminates the "grey area" of devices that only perform background tasks.
Forensic Control Summary: If it touches the web, it must meet the five technical controls.
The NCSC is making a clear push toward the future of authentication. The v3.3 update places a heavy emphasis on Passwordless Authentication, specifically Passkeys and FIDO2 authenticators.
The guidance now suggests that passwordless methods should be the default recommendation.
Forensic Control Summary: For businesses, this is good news: Passkeys are not only more secure than traditional passwords, but they also provide a faster, more seamless experience for your employees.
If you decide to exclude parts of your network from the assessment (Partial Scoping), v3.3 requires much more detail. You will now need to:
Forensic Control Summary: Assessors will have greater scope to challenge exclusions if they don’t meet the new standards.
The v3.3 requirements apply to all assessment accounts created after 27th April 2026. If you create your account before this date, you will still be assessed under the current v3.2 (Willow) standards.
Our Advice:
Ready to see where you stand today? Use our Free Cyber Essentials Self Assessment Tool to identify your gaps before the new rules take effect.