March 10, 2026

Cyber Essentials v3.3: What the April 2026 Changes Mean and What Could Catch You Out

Cyber Essentials v3.3 April 2026 update: key changes to MFA, cloud scope and patching requirements

Cyber Essentials v3.3 comes into force on 27 April 2026, bringing the most significant update to the scheme’s technical requirements in several years. If your organisation holds Cyber Essentials certification, or is planning to apply, the changes affect you directly.

The headline change is this: if you fail to enable Multi-Factor Authentication (MFA) on a cloud service that offers it, you will automatically fail your assessment. No remediation, no second chance within that assessment cycle.

That is the change that matters most. But it is not the only one.

V3.3 also introduces a formal definition of cloud services, which can no longer be excluded from your certification scope (more on what scope means below); stricter evidence requirements for patching; clearer scoping rules; and a brand new question set called Danzell, which replaces the current Willow set. Organisations that certify or renew before 27 April will be assessed under the current v3.2 Willow requirements and have 12 months before v3.3 applies to their renewal.

We have guided hundreds of organisations through every version of Cyber Essentials since the scheme launched. Here is what v3.3 actually means in practice.

1. Multi-Factor Authentication (MFA) is now an auto-fail, not a remediation point

Multi-Factor Authentication has been part of Cyber Essentials for several years. What changes in v3.3 is the consequence of getting it wrong.

Under v3.3, if a cloud service offers MFA (whether built in, bundled, or available as a paid add-on) and you have not enabled it for all users, you will automatically fail the assessment. This is not a non-conformity you can remediate during the assessment cycle. It is a hard stop.

This applies to:

  • Every cloud service in scope (cloud software tools like Microsoft 365 or Salesforce, hosted infrastructure, and cloud platforms)
  • All users, not just administrators
  • Services where MFA is available but not yet activated, including free-tier options

The practical implication is significant. Many organisations have MFA available on Microsoft 365, Google Workspace, or Salesforce but have not rolled it out universally, often because of user friction or IT resource constraints. Under v3.3, those organisations will fail immediately.

Action: Audit every cloud service in your environment before your next assessment. If MFA is available, enable it. Do not wait until the assessment to discover the gap.

2. Cloud services are formally defined and cannot be excluded

V3.3 provides the first formal definition of a cloud service within the Cyber Essentials scheme:

Any on-demand, scalable service hosted on shared infrastructure and accessed via the internet.

More importantly, cloud services used to store or process business data can no longer be excluded from scope. “In scope” means the devices and services that your certification must cover: if something is in scope, it gets assessed. That applies across the board. If your team uses Microsoft 365, Slack, Dropbox, or any similar tool with business credentials, it is in scope. The previous practice of selectively excluding cloud services is no longer valid.

This matters particularly for organisations that have historically excluded cloud tools on the grounds that they are managed by a third party. The shared responsibility model means your configuration of those services, including MFA settings, remains your responsibility.

Action: Map every cloud service your team accesses with business credentials. Check which ones store or process business data. All of them are in scope.

3. Patching: 14 days now covers more than just patches

The 14-day patching window is not new, but what counts as a vulnerability fix has been broadened in v3.3.

Previously, the focus was on software patches. V3.3 now explicitly includes registry edits, configuration changes, scripts, and any other vendor-recommended remediation as things that must be applied within 14 days when they address a critical or high-risk vulnerability.

For Cyber Essentials Plus clients, this has a direct assessment implication: our assessors will look for evidence that fixes have been applied across your entire estate, not just on a representative sample. Informal patching processes that are not documented and auditable will not hold up.

Action: Review your vulnerability management process. If you rely on manual tracking, consider whether you have the audit trail to demonstrate compliance across your full device estate. For CE Plus clients, this is particularly important.
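One way to check whether your remediation records would stand up to the full-estate evidence test, as an added example (not code from the original post, from Forensic Control, or from any Cyber Essentials tooling): it takes a constructed device estate and a remediation log covering patches, registry edits, configuration changes and scripts, and reports every device where a critical or high-severity fix was applied after the 14-day deadline or has no recorded application at all once the deadline has passed. Device names, fix identifiers and dates are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# v3.3 counts every vendor-recommended remediation as a fix, not only patches.
FIX_TYPES = {"patch", "registry_edit", "config_change", "script"}
WINDOW = timedelta(days=14)            # the Cyber Essentials remediation window
IN_WINDOW_SEVERITIES = {"critical", "high"}

@dataclass
class Fix:
    fix_id: str          # tracker reference (constructed values below)
    fix_type: str        # one of FIX_TYPES
    severity: str        # severity the vendor or scanner assigned
    published: date      # date the vendor released the remediation
    applied: dict = field(default_factory=dict)   # device -> date applied

def evaluate(estate, fixes, today):
    """Check every critical/high fix against every device in the estate.

    Returns {fix_id: {"deadline", "late", "missing"}} for fixes with gaps:
    "late" means applied after the 14-day deadline, "missing" means the
    deadline has passed with no recorded application on that device.
    """
    findings = {}
    for fix in fixes:
        if fix.fix_type not in FIX_TYPES:
            raise ValueError(f"{fix.fix_id}: unknown fix type {fix.fix_type!r}")
        if fix.severity not in IN_WINDOW_SEVERITIES:
            continue                   # lower severities sit outside the rule
        deadline = fix.published + WINDOW
        late = [d for d in estate if d in fix.applied and fix.applied[d] > deadline]
        missing = [d for d in estate if d not in fix.applied and today > deadline]
        if late or missing:
            findings[fix.fix_id] = {"deadline": deadline.isoformat(),
                                    "late": late, "missing": missing}
    return findings

# Constructed sample estate and remediation log; none of these are real.
SAMPLE_ESTATE = ["LAPTOP-01", "LAPTOP-02", "SRV-01"]
SAMPLE_FIXES = [
    Fix("PATCH-EXAMPLE-1", "patch", "critical", date(2026, 5, 1),
        {"LAPTOP-01": date(2026, 5, 3), "LAPTOP-02": date(2026, 5, 20),
         "SRV-01": date(2026, 5, 10)}),
    Fix("CFG-EXAMPLE-2", "config_change", "high", date(2026, 5, 4),
        {"LAPTOP-01": date(2026, 5, 5), "LAPTOP-02": date(2026, 5, 5)}),
    Fix("PATCH-EXAMPLE-3", "patch", "medium", date(2026, 5, 1)),
]

def run_sample(today=date(2026, 6, 1)):
    return evaluate(SAMPLE_ESTATE, SAMPLE_FIXES, today)
```

A device that simply never appears in the log is reported as "missing", which is the gap a sample-based check would never surface.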

For Forensic Control CE Plus clients: Our included vulnerability scanning service provides continuous monitoring and a documented record of fix timelines. That is exactly the evidence trail v3.3 now requires.

4. Scoping rules are simpler, but harder to game

Your certification scope is the set of devices and services that your assessment must cover. V3.3 simplifies the rules for deciding what is in scope. The old criteria referenced ‘untrusted’ and ‘user-initiated’ connections, which caused confusion. The new rule is cleaner: if a device connects to the internet, in either direction, it is in scope.

At the same time, partial scoping (excluding parts of your network) now requires significantly more justification. You will need to document:

  • Exactly what is excluded and why
  • How the excluded segment is technically segregated from in-scope systems
  • That the segregation is enforced, not just intended

Assessors have more explicit authority under v3.3 to challenge scoping decisions that appear designed to minimise certification effort rather than reflect genuine network architecture.

Get Cyber Essentials certified with Forensic Control.

From £450 per year. IASME Certification Body. Led by former New Scotland Yard investigators. Vulnerability scanning included with Cyber Essentials Plus.

Not sure where you stand? Take our free Cyber Essentials self-assessment tool to identify gaps before the new rules take effect.


5. The Danzell question set replaces Willow

From 27 April 2026, organisations will complete their self-assessment using a new question set called Danzell, replacing the current Willow set (introduced in April 2025).

The Danzell questions reflect the v3.3 requirement changes, particularly around MFA, cloud scoping, and patching evidence. If you have used the Willow questionnaire previously, expect more granular questions about your cloud service inventory and MFA implementation.

Important: If you create your assessment account before 27 April 2026, you will complete the Willow questionnaire under v3.2 requirements, even if you finish the assessment after the deadline. The date your account is created determines which version applies.


6. Passwordless authentication: encouraged, not yet required

V3.3 signals a clear direction of travel toward passwordless authentication, meaning methods that do not rely on a traditional password at all. Passkeys (the sign-in technology now built into iPhones, Android devices and Windows) and FIDO2 hardware keys (small physical devices that plug into a USB port) are now explicitly encouraged within the scheme.

To be clear: this is not a hard requirement in v3.3. Organisations using strong password policies and MFA will still pass. But the scheme is signalling that future versions will place greater weight on phishing-resistant authentication methods.

If you are making authentication infrastructure decisions now, it is worth building toward FIDO2-compatible systems rather than older MFA methods (such as SMS text codes) that may face tighter scrutiny in future updates.


What v3.3 means for Cyber Essentials Plus

The v3.3 changes place increased demands on CE Plus assessments in particular. The expanded patching definition, the mandatory cloud scoping, and the stricter evidence requirements all mean that organisations need to be in better documented shape before an assessment takes place.

All Forensic Control CE Plus packages include 12 months of continuous vulnerability scanning as standard. This directly addresses the v3.3 expectation of ongoing security monitoring and provides the audit trail our assessors will need to see.

Most CE providers charge separately for vulnerability scanning, or do not offer it at all. Under v3.3, the gap between a supported CE Plus assessment and an unsupported one has widened.


Certifying before 27 April 2026: what you need to know

If you create your assessment account before 27 April 2026, you will be assessed under the current v3.2 Willow requirements. Your certificate will be valid for 12 months from issue, so your next renewal will be your first assessment under v3.3.

For organisations that are not yet MFA-compliant across all cloud services, certifying before the deadline gives you 12 months to implement the changes properly rather than under assessment pressure.

Contact us today to start your Cyber Essentials certification before the 27 April deadline.


Frequently asked questions about the Cyber Essentials v3.3 update

Will v3.3 affect my Cyber Essentials renewal?

Yes, if your renewal falls after 27 April 2026. Any assessment account created on or after that date will be subject to the v3.3 requirements and the new Danzell question set. If your current certificate expires after April, contact us to discuss your options. Certifying early may be the right approach depending on your MFA readiness.

Does the renewal cost change under v3.3?

No. Forensic Control’s Cyber Essentials pricing remains unchanged: Cyber Essentials from £450 per year, Cyber Essentials Plus from £1,350 per year (including 12 months of vulnerability scanning at no extra cost). The v3.3 update does not affect certification fees.

What are the new MFA requirements in Cyber Essentials v3.3?

Under v3.3, MFA must be enabled on every cloud service that offers it, for all users without exception. If MFA is available and not enabled, the assessment fails automatically. There is no grey area. This applies regardless of whether MFA is a paid feature or a free-tier option within the service.

What is the Danzell question set?

Danzell is the new self-assessment questionnaire that replaces the current Willow question set from 27 April 2026. The Danzell questions reflect the v3.3 requirement changes, with more detailed questions around cloud service inventory, MFA implementation, and patching evidence. Accounts created before 27 April will still use Willow.

What are the new cloud service requirements in v3.3?

V3.3 formally defines cloud services as on-demand, scalable services accessed via the internet using shared infrastructure. All cloud services used to store or process business data are now explicitly in scope and cannot be excluded from certification. This includes SaaS tools like Microsoft 365, Google Workspace, Salesforce, Slack and similar applications used with business credentials.

Is Cyber Essentials still mandatory in the UK?

Cyber Essentials remains mandatory for organisations bidding for UK central government contracts involving sensitive data or technical services. V3.3 does not change this requirement, though it does raise the baseline that organisations must meet to achieve certification. For defence supply chain contracts, CE Plus is increasingly required. Many private sector clients and insurers now treat Cyber Essentials as a baseline expectation regardless of government procurement requirements.

How long does Cyber Essentials certification take under v3.3?

The timeline is the same as under previous versions: most organisations achieve certification within 2–5 working days of completing their self-assessment, assuming they are compliant. The difference under v3.3 is that MFA gaps, which are now an auto-fail, need to be resolved before starting the assessment rather than during it. We recommend a pre-assessment MFA audit for any organisation that has not yet universally enforced MFA across cloud services.

What happens if I fail my Cyber Essentials assessment under v3.3?

If your assessment fails, you will need to address the non-conformities and resubmit. Forensic Control does not charge for re-submissions and our assessors will guide you through any gaps at no additional cost. For MFA auto-fails, resolution is typically straightforward once you know which services are affected.
