Cyber Essentials v3.3: What’s Changing – and What It Really Means for Your Business

From 27 April 2026, organisations certifying or renewing Cyber Essentials and Cyber Essentials Plus will be assessed against version 3.3 of the standard. While Cyber Essentials is updated regularly, this release is one of the more significant shifts we’ve seen in recent years. This update is a meaningful step up and, based on what we’re already seeing, one that many organisations are underestimating.

At Fuse CS, we see Cyber Essentials not as a box‑ticking exercise, but as a strong baseline for real‑world cyber resilience. v3.3 pushes that principle further – tightening expectations around identity, multi‑factor authentication, and cloud services, and focusing far more on whether controls work in practice, not just on paper.

So, what’s changing – and how should organisations be preparing?

A Sharper Focus on Identity and MFA

Multi‑Factor Authentication (MFA) has been part of Cyber Essentials for some time, but version 3.3 removes any remaining grey areas.

If a cloud service offers MFA and it isn’t enabled, the assessment will now fail. There’s no remediation window and no "planned improvement" discussion at Cyber Essentials Plus level.

This applies across:

  • Cloud services (such as Microsoft 365 and other SaaS platforms)
  • Administrative accounts
  • Remote access solutions

The intent is clear: credentials remain one of the most common attack paths, and password‑only access is no longer considered an acceptable control where stronger options are available.

For many organisations, this isn't about introducing new technology; it's about ensuring MFA is enabled consistently and enforced for all users. In practice, we often see MFA available but not fully enforced, particularly where legacy accounts or user exceptions have accumulated over time.

No More Shared or Generic Accounts

Cyber Essentials v3.3 formally tightens rules around account usage. Each user must have their own unique account, with access aligned to their role.

Shared or generic logins (for example, "admin@" or "accounts@") are no longer acceptable. This isn't just a compliance issue – shared credentials undermine accountability, auditability, and incident response.

From our experience, cleaning this up often uncovers wider access control issues that are worth addressing regardless of certification.

Cloud Services Are Fully in Scope

One of the biggest mindset shifts in v3.3 is the explicit treatment of cloud services. If your organisation uses a cloud service to store, process, or access business data, it is now firmly in scope for Cyber Essentials. We regularly come across SaaS tools that have never been reviewed for Cyber Essentials scope simply because they sit outside "core IT", despite processing live business data.

That includes:

  • Email and collaboration platforms
  • File sharing and storage
  • Line‑of‑business SaaS tools

Assumptions that certain services are out of scope because they’re externally hosted no longer hold up. Assessments will focus on how well cloud services are secured in practice, including identity configuration, access controls, and patching responsibility.

Proving Controls Work, Not Just That They Exist

At Cyber Essentials Plus level, v3.3 reinforces a key principle: controls must be demonstrably effective.

Policies alone are not enough. Organisations must be able to show that:

  • MFA is actually enforced
  • Patch management is working as intended
  • Access controls are applied consistently
  • Security settings match documented standards

This aligns well with how modern audits and insurers already think and reflects a broader shift from theoretical compliance to measurable assurance.

Why Early Preparation Matters

We’re already seeing organisations underestimate the effort required to align with v3.3, particularly where:

  • MFA exists but isn't universally enforced
  • Legacy systems or accounts are still in use
  • Cloud services haven't previously been reviewed for scope

Leaving preparation until renewal time increases the risk of failed certification, business disruption, or delays in procurement and onboarding processes.

How Fuse CS Can Help

At Fuse CS, we help organisations approach Cyber Essentials Plus as part of a wider security journey – not a last‑minute scramble.

This includes:

  • Reviewing identity and MFA configurations
  • Assessing cloud service scope realistically
  • Identifying gaps before formal assessment
  • Supporting remediation and evidence preparation
  • Aligning compliance with day‑to‑day operational reality

The v3.3 changes raise the bar – but they also provide an opportunity to strengthen security in meaningful, lasting ways.

If your Cyber Essentials renewal is approaching, or you're unsure how these changes affect your organisation, now is the right time to take stock. If you’d like to talk through what version 3.3 means in practice, the Fuse CS team is here to help.

About the author

Fuse

Fuse is a Microsoft Partner, based in Northampton. We help organisations of all sizes to maximise IT efficiencies through the use of Microsoft cloud computing solutions.
